The policy acknowledges and provides a contact mechanism for exercising rights under GDPR, CCPA, CPRA, and related frameworks, which is directly actionable for users who wish to access or delete their data.
The policy acknowledges jurisdiction-specific data rights for EU, UK, and California users, and provides a contact mechanism (privacy@stability.ai) for exercising these rights, which is an important practical pathway for users who wish to control their data.
The provision establishes the operational mechanisms and submission channels through which users may exercise their statutory data rights. It specifies that Google will process requests for data access and deletion through designated platforms rather than through other means, creating a defined procedure for rights exercise.
The provision operationalizes data subject rights obligations under privacy regulations by specifying the rights available based on user location and establishing the procedural mechanisms through which OpenAI will process such requests. This creates an institutional framework for managing rights exercise rather than requiring litigation or regulatory intervention.
Bumble
· Bumble Privacy Policy
These rights give you meaningful control over your personal data on the platform, including the ability to request deletion of your entire profile and data history, which is particularly important given the sensitive nature of dating app data.
Ledger
· Ledger Privacy Policy
Given the sensitivity of data held by Ledger (home address linked to crypto wallet purchase), the right to request deletion is particularly relevant for customers concerned about their data remaining accessible following the 2020 breach.
Microsoft
· Microsoft Privacy Statement (Legacy)
The statement identifies residents of multiple U.S. states as having enforceable privacy rights under applicable state law, including the right to opt out of data sales and sharing for targeted advertising, which is a materially significant right for consumers in those states.
Multiple U.S. states now have enforceable privacy rights that go beyond federal law; knowing your state-specific rights and how to exercise them with Microsoft can meaningfully limit how your data is used for advertising and profiling.
Microsoft
· Microsoft Privacy Statement (Legacy)
This provision establishes Microsoft's acknowledgment of state-level privacy obligations and frames the privacy statement as operating within the parameters of existing state privacy legislation. The clause defines the scope of user rights as determined by state law rather than by the privacy statement alone, creating a jurisdictional framework for privacy requests and consumer protections.
Pika
· Pika Privacy Policy
US residents in states with privacy laws have legally enforceable rights to know what data Pika holds about them, request its deletion, and opt out of certain uses, but these rights only apply if you proactively exercise them.
The provision conditions the availability of data rights on user jurisdiction, establishing that OpenAI recognizes regulatory frameworks that vary by location and commits to honoring applicable statutory rights where they exist under state or regional law.
This provision establishes the scope of US state privacy rights Amplitude recognizes and the jurisdictions in which those rights apply, creating a multi-state compliance framework. The specific rights available and associated procedural requirements vary by state, and the policy's single disclosure framework may not capture all state-specific procedural distinctions.
California and other US state residents have legally enforceable rights to control how Disney uses their data, including the right to opt out of data sales and targeted advertising, but exercising these rights requires taking action through a separate notice and process.
State privacy laws in California and other states grant residents specific rights such as the right to know, delete, correct, and opt out of data sales; the supplement is the primary document where those rights are described for WBD users.
State privacy laws impose different requirements regarding data subject rights, disclosure obligations, and operational procedures. By providing jurisdiction-specific supplements, Max establishes a mechanism to apply differentiated privacy terms based on user location, ensuring compliance with applicable state statutes.
Roblox
· Roblox Privacy and Cookie Policy
This provision establishes that payment and transaction data is collected and retained, and that virtual currency purchases are non-refundable by default, which has financial implications for users who make in-platform purchases.
Microsoft
· Microsoft Privacy Statement (Legacy)
Voice data is a sensitive biometric-adjacent category of personal data; the statement authorizes its collection and use for service improvement, and consumers in states with biometric privacy laws such as Illinois should be aware of this practice.
Voice data is particularly sensitive because it can be used for voice recognition and biometric identification, and the collection of audio through smart speakers or streaming devices may occur in shared home environments.
Voice and audio data is a biometric-adjacent category of information that carries heightened sensitivity, and the notice's framing of implied consent through the act of calling may not satisfy explicit consent requirements in all jurisdictions.
Collection of voice and audio data may implicate state wiretapping statutes, biometric privacy laws, and GDPR requirements for processing audio recordings; this provision is relevant for compliance teams assessing Google product deployments in jurisdictions with heightened audio data protections.
Voice recordings collected in your home or on your device may be processed by Samsung or third-party service providers, creating a record of your spoken interactions that goes beyond typical text or click-based data.
This provision discloses that message content and audio data are transmitted to Google LLC and Microsoft Corporation for user-requested features. The policy asserts contractual restrictions on secondary use by those companies, though users depend on Telegram's enforcement of those contractual terms.
Recording of voice communications may interact with state wiretapping and electronic communications consent laws, particularly in two-party consent states such as California, where all parties to a call must consent to recording.
This provision establishes that audio recordings of voice chat sessions are stored on all participants' devices when voice reporting is active, and may be transmitted to Epic upon any participant's violation report. This mechanism may require evaluation under state electronic communications and all-party consent statutes, including those in California, Illinois, and Washington, depending on whether all participants are aware that recording is occurring and may be transmitted.
Voice recordings are sensitive personal data, and storing them on other participants' devices without the user's direct control raises questions about who has access to those recordings and how long they persist before a report is made.
The policy states that voice audio is discarded after processing, but the text transcriptions derived from voice input are retained as Log and Usage Information, which is subject to AI training and other described data uses.
Voice communications are a sensitive category of personal data; their collection during gameplay is not always expected by users and the policy reserves the right to use them for compliance and safety purposes beyond just enabling the chat feature.
Audio recordings of the voice may constitute biometric data under some state laws, and voice data collection is subject to heightened consent and retention requirements in Illinois and other states with biometric privacy statutes.
Netflix
· Netflix Privacy Statement
The policy explicitly states collection of voice recordings and transcripts, which may implicate state wiretapping statutes and biometric privacy laws depending on jurisdiction and implementation.
Cursor
· Cursor Security Practices
The document states that critical incidents will be communicated to affected users by email, which is the mechanism users should expect to receive breach or incident notifications; users should ensure their email address on file is current.