This provision limits the use of Gemini outputs as a basis for consequential decisions in regulated domains, which directly affects how the service may be deployed in enterprise or consumer-facing applications in these sectors.
Zoom
· Zoom Privacy Statement
The clause creates a conditional framework where HIPAA-covered entities operate under a separate contractual regime for health data handling. This ensures that entities subject to HIPAA compliance obligations have explicit contractual alignment with Zoom regarding PHI safeguards and use restrictions required by the Health Insurance Portability and Accountability Act.
Box
· Box Terms of Service
The clause creates a conditional compliance framework: HIPAA-regulated data processing is permitted only through an executed BAA. Without this requirement, Box could not legally handle PHI under HIPAA regulations, and the BAA mechanism establishes the contractual basis for lawful processing of health information.
This provision creates a feature-level compliance boundary within a single service offering. Organizations subject to HIPAA must verify feature eligibility before using Bedrock to handle PHI, as non-eligible features lack BAA protections and therefore cannot lawfully process PHI under HIPAA requirements.
OpenAI
· OpenAI Enterprise Privacy
A BAA is a legal requirement under HIPAA before a covered entity or business associate can share protected health information with a service provider. The document states this is available for qualifying customers but does not specify which services are HIPAA-eligible, requiring separate confirmation.
OpenAI
· OpenAI Data Processing Addendum
This provision places the compliance burden on the operator to identify when HIPAA applies to their use case and to execute a BAA before submitting any protected health information. Using the API with PHI without a BAA in place would constitute a potential HIPAA violation by the operator.
OpenAI
· OpenAI Enterprise Privacy
This provision establishes that API-based deployments handling protected health information may be eligible for BAA coverage, which is a prerequisite for using a third-party vendor under HIPAA. The provision specifies API deployments; compliance teams should confirm whether ChatGPT Enterprise or other product tiers are also within scope of the BAA.
This designation brings Headspace's handling of health information within the regulatory framework established by HIPAA, which imposes specific requirements on business associates regarding the use, disclosure, and safeguarding of protected health information on behalf of covered entities. The provision clarifies the regulatory relationship between Headspace and its Care Provider partners.
This classification subjects Headspace to HIPAA's security, privacy, and breach notification requirements as a business associate, establishing a specific regulatory framework for how protected health information is handled. The provision creates institutional obligations for data protection standards and audit/compliance procedures that differ from standard commercial privacy frameworks.
This provision explicitly excludes healthcare-related data use cases from the scope of the Services and disclaims all liability for prohibited data or high-risk activity use, which may affect healthcare-adjacent organizations that consider using the platform for clinical, administrative, or research purposes.
This provision clarifies the regulatory scope of the standard service offering by excluding HIPAA-covered use cases from the default agreement structure. It establishes that HIPAA compliance requires a separate contractual arrangement and explicitly prohibits HIPAA-regulated data flows under the standard terms, creating a binary framework: either use the service without PHI, or negotiate specialized BAA terms.
This provision clarifies the operational scope of Luma's compliance obligations by explicitly excluding HIPAA-regulated data from the scope of the service. It establishes liability boundaries by stating that Luma will not accept responsibility for protected health information or high-risk use cases, thereby defining the service's applicable regulatory framework.
This clause establishes the operational framework for information flow necessary to execute home lending services across multiple vendors and stages of the loan lifecycle. The provision defines the scope of permissible data sharing and the purposes for which third parties may access and use client information.
Video footage and sensor data from inside a subscriber's home represent some of the most sensitive categories of personal information, and the policy's scope for using and sharing this data deserves careful consumer attention.
Zoom
· Zoom Privacy Statement
The clause establishes administrative access controls that permit account-level oversight of meeting activity and archived content, which is operationally significant for organizations managing multiple users and meetings under a single account structure.
Airbnb
· Airbnb Terms of Service
This provision establishes that Airbnb does not assume responsibility for Hosts' regulatory compliance, placing full compliance obligation on the Host operator. The operational significance is that Hosts must independently identify and satisfy jurisdiction-specific requirements before and during listing operations, including licensing, permitting, lease authorization, and local occupancy restrictions.
Meta
· Meta Special Ad Category Requirements
This provision operationally defines the scope of the Housing Special Ad Category, establishing which product and service types trigger the mandatory designation and associated targeting restrictions. Real estate, mortgage, insurance, and home services advertisers must evaluate whether their campaigns fall within this definition to maintain compliance with both Meta's policy and applicable fair housing law.
ADP
· ADP Privacy Statement
This provision identifies the specific categories of personal data that ADP processes as a processor: payroll, tax, benefits, and HR records. These categories carry heightened sensitivity in some jurisdictions and trigger specific regulatory obligations regarding accuracy, retention, and security.
This provision articulates an accountability framework positioning human responsibility as central to the deployment of AI systems. The operational significance depends on how this principle is implemented through specific service terms, policies, or technical controls elsewhere in the documentation.
Human oversight requirements create governance checkpoints within AI system operations, establishing institutional accountability structures and requiring documented review processes before certain AI outputs or decisions proceed to deployment or user-facing implementation.
The provision establishes a human review process as an operational mechanism for quality assurance and model improvement, which means certain conversation data flows to human reviewers as part of Google's service delivery and product development practices.
OpenAI
· OpenAI Privacy Policy
The clause establishes a data processing practice where conversation content is accessed for model training purposes, subject to specified privacy protections. This defines the scope of internal access to user-generated content and the technical safeguards applied during that access.
The notice explicitly authorizes human access to conversation content, and the policy advises users not to submit anything they would not want reviewed, signaling that conversation content is not treated as fully private.
DeepL
· DeepL Privacy Policy
This provision establishes a data processing practice that distinguishes free-tier users from paid subscribers, creating operational conditions under which free-tier input data is designated for internal review and model training activities rather than deleted after translation.
Uber
· Uber Privacy Notice
This provision establishes the operational framework for identity authentication and regulatory compliance in Uber's driver onboarding and management processes. The use of automated verification technology creates an ongoing verification mechanism rather than a one-time authentication event.
Government-issued identity documents and tax information are among the most sensitive categories of personal data, and making their submission mandatory means you cannot use those features of the service without providing them, with all associated sharing and retention risks described elsewhere in the policy.
The provision explains the operational basis for identity document collection in the secondary ticket sales process, clarifying that such collection is required by the payment processor's regulatory obligations rather than by Ticketmaster's discretionary choice.
Square
· Square Privacy Notice
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
This clause establishes the scope of biometric and identity data collection practices DocuSign implements to support identity verification services. The provision specifies the categories of sensitive personal information the entity is authorized to process in connection with verification transactions.
Identity verification is a core operational requirement for regulated financial services platforms. The provision establishes the scope of personal data collection necessary for compliance with anti-money laundering and know-your-customer regulatory obligations, and specifies that biometric processing may be delegated to external service providers.