The policy establishes an opt-in requirement for sale of minors' personal information consistent with CCPA requirements, distinguishing between the 13 to 16 age group and children under 13, for whom parental consent is required.
Zillow
· Zillow Privacy Notice
This provision establishes Zillow's compliance with CCPA/CPRA opt-out obligations and operationalizes the consumer right to halt advertising-related data transfers classified as sales or sharing under California law.
This provision requires Whatnot to maintain a functional opt-out mechanism for California residents and to accurately disclose which categories of personal information are sold or shared with advertising and analytics partners, as required under CCPA and CPRA.
23andMe
· 23andMe Privacy Statement
The policy provides a meaningful choice over biological sample retention, which is operationally significant because a stored sample could be used for future genetic analyses if you later consent, while a discarded sample cannot be recovered for any future purpose.
Students accessing Khan Academy through a school may have stronger data protections than general users, depending on what the School Agreement says, but those terms are not publicly disclosed in this document.
Student data in school-deployed accounts is accessible to institutional administrators beyond just the assigned teacher, which expands the audience for sensitive academic performance data without additional student or parental consent.
OpenAI
· OpenAI API Data Usage Policies
The distinction between enterprise and consumer data handling terms is operationally significant: organizations that use both consumer and enterprise OpenAI products may be subject to different data handling practices depending on which product their employees or users access.
The breadth of collection across all service interactions means Afterpay can gather identity, financial, behavioral, and device data from the moment you visit its site, not just when you make a purchase or open an account.
OpenAI
· OpenAI API Data Usage Policies
Security certifications and commitments in the enterprise context affect whether business customers can rely on OpenAI's infrastructure for processing sensitive organizational or personal data, and whether those commitments satisfy contractual and regulatory security obligations.
This provision limits Replicate's liability exposure in the event of a data breach by framing security as 'reasonable' rather than absolute, which is standard industry language but does not define what measures are in place.
OpenAI
· OpenAI Data Processing Addendum
The clause creates a procedural framework for incident disclosure that establishes OpenAI's notification timeline and the scope of information that must be communicated to customers. This framework enables customers to understand the scope and nature of security incidents affecting their personal data and to assess potential downstream notification obligations.
Pinecone
· Pinecone Data Processing Addendum
The DPA defines Security Incidents broadly to include accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Customer Personal Data. Timely notification enables business customers to comply with their own GDPR Article 33 and Article 34 obligations, which have strict 72-hour supervisory authority notification deadlines.
The adequacy of security measures directly affects whether personal data processed through Perplexity AI's services is protected against breaches. The DPA's language on security typically defines both the standard of care and the notification obligations if a breach occurs.
OpenAI
· OpenAI Data Processing Addendum
The breach notification commitment triggers the operator's own regulatory notification obligations under GDPR (72-hour notification to supervisory authority), UK GDPR, and state breach notification laws. The timeliness and scope of OpenAI's notification to the operator directly affects whether the operator can meet its own deadlines.
This clause establishes Perplexity's security obligations under GDPR Article 32 and its breach notification obligation under GDPR Article 33; the 'without undue delay' standard for processor-to-controller notification is intended to enable the controller to meet its own 72-hour supervisory authority reporting obligation.
Given that OpenSea holds sensitive financial data including wallet addresses and NFT transaction histories, the security disclaimer means users bear residual risk from potential data breaches.
This clause establishes Google's contractual security obligation for advertiser personal data processed through Google Ads services. The obligation mirrors the GDPR Article 32 requirement for appropriate technical and organizational measures, and the specific measures implemented may be documented in a security annex or exhibit to the agreement.
Pinecone
· Pinecone Data Processing Addendum
This clause permits Pinecone to alter its technical and organizational security measures unilaterally, subject only to a non-material-diminishment constraint. Business customers relying on specific security configurations for their own compliance frameworks may not receive advance notice of changes to individual security controls.
This provision establishes the categories and maximum retention period for security-related metadata. The retention of IP addresses for up to 12 months is the data category disclosed as subject to potential law enforcement disclosure under section 8.3.
Venmo
· Venmo Privacy Policy
The policy's standard security disclaimer limits Venmo's stated security assurance to 'reasonable measures' while disclaiming liability for breaches that may occur despite those measures.
Twilio
· Twilio Privacy Notice
This provision establishes Segment as an active data processor on twilio.com with a 90-day cookie window and domain-wide scope. The 'alwaysLoadSegment: true' parameter in the consent wrapper configuration warrants review to determine whether Segment's core library loads prior to or independent of visitor consent, which has direct implications for GDPR and ePrivacy compliance.
This provision establishes that Segment is used to track page views, user interactions, and potentially identified user data on twilio.com, with cookies persisting for up to 90 days, and that the scope of tracking is conditioned on TrustArc consent state.
Stash
· Stash Privacy Policy
Selfie photographs used for identity verification may involve facial recognition or biometric processing, which in states like Illinois is subject to specific legal requirements including consent and data handling obligations under the Biometric Information Privacy Act.
Yelp
· Yelp Privacy Policy
Sensitive personal data categories such as health information, sexual orientation, and religious affiliation receive heightened legal protections under GDPR, CCPA/CPRA, and several US state privacy laws; their collection through incidental platform activity (such as searching for a medical clinic) may not be obvious to users.
The collection of Social Security numbers, bank account numbers, and full financial transaction histories creates significant risk exposure if the data is ever breached, misused, or shared beyond what users expect.
Health and disability information is among the most sensitive categories of personal data under GDPR and similar laws; its collection, storage, and potential sharing with event venues creates heightened privacy risk and legal obligations for Ticketmaster that differ from standard ticketing data.
Noom
· Noom Privacy Policy
Health data is among the most sensitive categories of personal information; its collection and potential sharing creates meaningful privacy exposure for users.
If you include sensitive information in your resume, it may be shared with employers and stored in ZipRecruiter's systems even though the company advises against it, as ZipRecruiter does not filter or block such data from submissions.
Health-related and belief-related inferences drawn from food ordering data represent a sensitive category of personal information that carries heightened privacy risk, particularly if shared or used beyond the immediate service context.
TikTok
· TikTok Privacy Policy
Sensitive personal information categories under CCPA and analogous state laws carry heightened processing restrictions and consumer rights; the policy places responsibility on users for whether they include such information in user content, while disclosing that TikTok may process it.