OpenAI
· OpenAI Enterprise Privacy
The 30-day retention limit with automatic deletion is a specific, time-bounded data handling commitment that is material for organizations with data minimization obligations under GDPR or other regulations.
Cursor
· Cursor Data Use & Privacy Overview
This provision clarifies that users who supply their own API keys cannot avoid Cursor's data pipeline, meaning the same data handling terms apply regardless of whether a personal or organizational API key is used.
Watch history and search terms are used to recommend content and serve contextual ads, meaning the app builds a behavioral profile of your child's viewing habits even without collecting their name.
The clause establishes Apple's data usage practices for advertising and marketing purposes while providing users with the procedural means to disable personalized ad targeting and marketing communications. This defines the operational scope of Apple's advertising platform and the available preference controls.
Apple
· Apple App Store Review Guidelines
This provision establishes a disclosure mechanism that consumers can use to assess an app's data practices before downloading, covering identifiers, location data, usage data, contact information, and other categories as disclosed by the developer.
The provision establishes a transparency mechanism that standardizes privacy disclosure across the App Store ecosystem, enabling comparative assessment of data practices and creating uniform reporting obligations for developers across app categories.
Apple
· Apple App Store Review Guidelines
This provision establishes a consent gate that users must pass through before cross-app and cross-website behavioral tracking for advertising can occur, and prohibits retaliatory restriction of app functionality for users who decline.
The phrase 'or for any reason set forth in this Privacy Policy' is notably broad and links audio recording to FanDuel's full suite of data use purposes, including marketing and analytics, beyond the narrower use cases consumers typically expect when contacting customer support.
Audit rights are required under GDPR Article 28(3)(h) and are operationally significant for customers conducting vendor due diligence; the practical scope of the audit right, including whether it covers on-site inspection or documentation review only, determines its utility for compliance verification.
SoFi
· SoFi Privacy Notice
The clause establishes a technical architecture where access to privacy option controls is contingent upon session authentication state, which affects how the service delivers privacy management functionality to different user categories.
SoFi
· SoFi Privacy Notice
This routing mechanism creates two distinct technical pathways for privacy preference management, which compliance teams should verify produce equivalent opt-out outcomes and that both pathways propagate consent signals to the same set of data sharing partners.
Unlike Chat data training, opting out of Autocomplete data training does not result in loss of service access, providing users a meaningful choice. The agreement also explicitly commits to not using Autocomplete data to train generative models.
Bumble
· Bumble Privacy Policy
Automated profiling in a dating app context can significantly affect who you are able to connect with, and under GDPR users have specific rights related to automated decision-making that produces significant effects on them.
Automated fraud decisions can result in transactions being declined or accounts being flagged without any human judgment involved, and individuals may not always know when they have been subject to such a decision or how to challenge it.
This provision operationally constrains Salesforce's ability to render determinative decisions about users through automated systems alone. The restriction applies specifically to decisions with legal consequences, requiring human review or alternative decision pathways for such determinations.
This provision discloses that human reviewers have access to user content and AI-generated outputs, which is relevant to user privacy expectations and may engage data protection obligations depending on what data is reviewed and retained.
This provision authorizes collection of detailed behavioral data tied to a persistent user identifier, which may allow reconstruction of individual usage patterns over time even if the identifier is not directly linked to a name.
Twitch
· Twitch Privacy Notice
This automatic data collection happens passively without any active input from you, and it is used to build a behavioral profile that informs advertising targeting, which is a core revenue mechanism for Twitch.
RunPod
· RunPod Privacy Policy
This provision authorizes passive collection of IP addresses, browsing activity within the platform, and device identifiers, which are categories of personal data subject to GDPR and CCPA protections and may require disclosure in cookie consent frameworks.
This provision authorizes collection of a broad set of behavioral and device-level identifiers through automatic technologies, including data categories such as location data and browser history that may constitute personal data or sensitive data under applicable privacy frameworks.
Square
· Square Privacy Notice
Automatic collection of behavioral data across third-party websites enables cross-site tracking and profiling, which is the foundation for targeted advertising and may engage stricter consent requirements in some jurisdictions.
This type of automatic data collection is used to build a profile of your behavior and device, which feeds into advertising and analytics operations. The policy states this data may be used to identify you as the same person across different Anyscale services.
The policy states that advertising identifiers, probabilistic identifiers, and IP-derived location data are collected automatically, which are categories of data with direct relevance to targeted advertising and behavioral profiling capabilities, though the policy states Anthropic does not sell personal data.
This broad automatic collection covers a wide range of behavioral and technical data linked to your identity or device, and underpins Epic's ability to run analytics, personalize experiences, and serve advertising across all its services.
This provision discloses automatic collection of IP addresses and session location data, which under GDPR and other frameworks qualify as personal data; this collection occurs passively for all users regardless of account status.
Automatic collection of IP addresses, device identifiers, and browsing behavior creates a detailed profile of your usage even beyond the content of your conversations.
Your IP address and browsing behavior are collected passively across a vast range of internet destinations that use Cloudflare's infrastructure, which represents a significant breadth of data collection relative to a single service provider.
Pika
· Pika Privacy Policy
Automatic data collection means Pika may build a profile of your usage patterns, device characteristics, and behavior on the platform even beyond what you actively submit, which can affect how your data is used for service improvement, analytics, or advertising.
This automatic collection occurs whether or not you actively provide information, and the data gathered may be shared with advertising and analytics vendors, some of whom may use it for cross-site tracking purposes.
Uber
· Uber Privacy Notice
The collection and use of background check data for platform eligibility decisions implicates the Fair Credit Reporting Act (FCRA) requirements for adverse action notices and permissible purpose, and the periodic update mechanism means drivers may be subject to ongoing screening throughout their engagement with the platform.