The policy extends privacy rights disclosures beyond California to residents of six additional states, reflecting the expansion of state comprehensive privacy laws, though the specific rights and mechanisms available vary by state.
Depending on which state you live in, you may have additional rights to access, correct, delete, or limit the use and sharing of your personal information that go beyond what the general notice describes.
The number of states with active privacy rights covered by this policy is significant and growing; consumers in these states have concrete legal rights to control their data that go beyond what the general policy describes.
The clause operationalizes state-specific privacy obligations by explicitly recognizing privacy rights regimes beyond California and establishing a centralized mechanism for rights exercise. This reflects Equifax's adoption of a uniform privacy rights framework across multiple state jurisdictions rather than applying differentiated policies based on residency.
DeepL
· DeepL Privacy Policy
This provision authorizes the transfer of user personal data to multiple categories of third-party processors and asserts that GDPR-compliant data processing agreements govern these transfers. Compliance teams should verify the adequacy of these agreements and the completeness of the sub-processor list, particularly for organizations with strict data residency or sub-processor approval requirements.
This clause governs the sub-processor oversight mechanism required by GDPR Article 28(2); the practical enforceability of the objection right depends on the notice period length and whether the termination remedy is commercially available to the customer without penalty.
OpenAI
· OpenAI API Data Usage Policies
GDPR Article 28 requires processors to obtain prior authorization from the data controller before engaging subprocessors, and the controller must be informed of any intended changes; the subprocessor list is the mechanism for this disclosure.
Windsurf
· Windsurf Security & Data Handling
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
This clause establishes the mechanism by which advertisers are notified of sub-processor changes and granted an objection right. Advertisers must actively monitor Google's sub-processor notifications to exercise any objection rights within the designated window.
This provision establishes that personal data previously collected under Superpeer's privacy terms is now subject to Skillshare's policy, which may involve different data practices, sharing arrangements, and user rights than those under which Superpeer users originally consented; this may require evaluation under GDPR's lawful basis and notice requirements and CCPA's updated notice obligations.
This provision authorizes collection of personal and financial information from creators and developers in connection with monetization programs, which is operationally significant for participants who submit tax identification, banking, or payment information as part of the payout process. Applicable tax reporting obligations, payment information security requirements, and data retention schedules for financial data are not specified in this excerpt.
This provision establishes that Support Chatbot interactions are retained and processed for purposes beyond immediate support, including product development, and that users consent to this processing through use of the chatbot. The provision also advises against submitting confidential or personal information through the chatbot, indicating awareness of data sensitivity risks in this interaction channel.
OpenAI
· GPT-4o System Card (PDF)
The document discloses that synthetic voice generation is a core capability of GPT-4o and that consent-based controls were applied for the voice presets used in ChatGPT, which is directly relevant to consumers and public figures whose voices could otherwise be replicated.
The provision establishes the operational basis for cross-context behavioral advertising as a standard data practice. It defines the scope of information use and specifies the control mechanisms available to users within the service infrastructure.
Tailored advertising is described as using information about your service use and activity on other websites and apps to serve interest-based ads; this is characterized as 'sharing' under cross-context behavioral advertising definitions, which triggers opt-out rights under CCPA/CPRA and similar state laws.
Target
· Target Privacy Policy
Loyalty program participation generates detailed transaction-level data about your purchasing behavior, which Target uses for advertising in addition to the stated benefits of personalized offers and rewards.
The provision establishes a procedural mechanism for users to decline personalized advertising while defining the technical implementation and duration of the opt-out preference. The cookie-based approach ties the preference to specific browsers rather than accounts, which affects persistence across devices and browser updates.
Groq
· Groq Privacy Policy
This automatic data collection feeds into advertising and analytics systems operated by third parties, meaning your behavior on Groq's websites may be used to target you with ads across the web.
This provision establishes Amplitude's participation in targeted advertising data sharing ecosystems and creates an opt-out obligation under CCPA/CPRA for California residents. Under CPRA, sharing personal information for cross-context behavioral advertising constitutes a regulated activity even where no monetary consideration is exchanged.
The provision establishes user control mechanisms over direct marketing communications and personal data management. These controls establish procedural pathways for users to manage their engagement with Nintendo's marketing activities and maintain accuracy of their account information.
Chase
· Chase Privacy Notice
The clause establishes Chase's baseline practice of targeted advertising across third-party platforms while providing a standardized industry opt-out mechanism, creating a dual-track system where the advertising practice operates as written unless the user initiates the opt-out process.
Strava
· Strava Privacy Policy
Personal information shared with advertising partners for interest-based advertising can include behavioral and demographic data, and once shared with third parties the data is subject to those partners' own privacy practices.
Your Disney+ streaming activity and device information may be used to build an advertising profile that follows you across the internet, not just within Disney's own properties.
The requirement to provide and update your Social Security number creates ongoing sensitive data exposure, and consenting to electronic tax form delivery means you may miss important documents if your email is outdated or inaccessible.
Students may not expect that individual third-party teachers, who are independent creators rather than Skillshare employees, receive personally identifiable information including email addresses and behavioral data about how long they watch specific content.
This provision establishes that parental access to teen activity data is gated by the teen user's affirmative action rather than by a parent-initiated or platform-initiated consent mechanism. This design places control over parental oversight with the minor user, which may be relevant to regulatory assessments of whether the platform provides adequate parental oversight mechanisms for minor users.
The document's reference to a teen safety commitment without disclosing specific protective measures, age-based content restrictions, or account controls on this page means the Safety Center functions as a navigational index for teen safety information rather than a substantive policy disclosure. The operational significance of this commitment depends on the content of the linked teen safety page, which was not included in the submitted document.
23andMe
· 23andMe Privacy Statement
The clause creates a bifurcated privacy framework where medical information accessed or created through telehealth services operates under distinct privacy terms separate from the primary Privacy Statement, establishing which document controls privacy practices for each data category.
23andMe
· 23andMe Privacy Statement
The existence of a separate Medical Record Privacy Notice for telehealth means that users accessing clinical services through 23andMe are subject to a different and supplementary privacy framework, and should review both documents to understand how their health and genetic data is handled across all 23andMe services.
Uber
· Uber Privacy Notice
This provision establishes that automated data collection about driving behavior is used to make determinations that affect drivers' platform standing and earnings eligibility, which may engage automated decision-making provisions under GDPR Article 22 and transparency requirements under CCPA/CPRA for profiling that produces significant effects.