April 19, 2026
Expanded privacy policy with detailed disclosure of personal data collection, use, sharing, and consumer rights including region-specific information.
Why it matters: Poshmark's expanded privacy policy provides significantly more granular transparency about what personal data the company collects from you, how it uses that data, and what rights you have to control that data, particularly if you live in California or another state with privacy protections. The detailed disclosure of data categories (payment information, photos, videos, social media accounts, interaction history) allows you to understand Poshmark's data footprint and identify which privacy rights and opt-out options are available to you.
Poshmark added 249 sentences to Terms of Service and modified 3 existing sentences, expanding document to 6,703 total sentences.
Why it matters: The magnitude of this change (249 added sentences, 3 modified) indicates substantive revision to Poshmark's terms, but the specific operational significance cannot be determined without reviewing the actual updated language. Users and organizations relying on these terms should obtain and review the complete document to understand any new policies, obligations, restrictions, or disclosures.
Removes detailed disclosure of phone contact collection and social network integration features from privacy policy.
Why it matters: The removal of explicit disclosures about phone contact collection and social network integration reduces the transparency of Waze's privacy notice regarding sensitive data practices. Regulators and privacy frameworks require clear, specific disclosure of data collection practices. The absence of these disclosures without clarification of whether the practices have ended creates potential compliance risk and leaves users with less information about how their contact data and social information are handled.
Adds mandatory arbitration clause and class action waiver; establishes binding dispute resolution procedure
Why it matters: The addition of mandatory arbitration and class action waiver clauses fundamentally changes how consumers can resolve disputes with Paramount+, shifting from potential court proceedings to private arbitration and eliminating the possibility of joining group lawsuits. These are material changes to consumer legal rights and protections.
Removed service exclusions and reduced privacy policy scope from 224 to 36 sentences, eliminating explicit carve-outs for Ledger Recover and Multisig services.
Why it matters: The removal of explicit service exclusions and cross-references to separate privacy policies creates regulatory compliance risk and user confusion about what data practices apply to each Ledger service. Under GDPR and CCPA, privacy policies must clearly disclose the scope of services covered; the absence of this disclosure may not satisfy those requirements.
You're seeing a fraction of what's changing.
ConductAtlas monitors 343+ platforms and captures every policy update.
Start tracking — Free
Replaced marketing homepage with binding website privacy notice requiring express consent to data collection and retention.
Why it matters: The change converts zelle.com from a marketing destination into a legally binding privacy notice that requires your consent to data collection merely by visiting. This means Zelle is now asserting broad authority to collect and use your personal information on the basis of your presence on the site, and the notice warns that you should not visit if you disagree.
GitHub substantially revised Terms of Service with 54 modified sentences, 40 removed, and 4 added; review specific changes to understand revised service terms.
Why it matters: The revision scale indicates material changes to GitHub's service terms. The removal of 40 sentences and modification of 54 others suggests changes to core provisions governing acceptable use, intellectual property handling, liability, dispute resolution, or data processing. Users and organizations with GitHub in their vendor stack should identify the specific provisions that changed to assess operational and contractual implications.
Added Mexico and Brazil entities to Terms of Service; removed guarantee against material service functionality reduction; clarified online order placement options.
Why it matters: The addition of Mexico and Brazil service entities creates distinct legal contracting relationships with regional companies, potentially affecting dispute venue, applicable law, and regulatory compliance for customers in those jurisdictions. The removal of the functionality protection clause broadens Twilio's contractual authority to modify service features without the prior constraint that changes be non-material to overall functionality, shifting risk to customers who may have relied on that commitment for service stability planning.
Expands privacy notice with 516 added sentences covering data collection, AI decision-making, cookie usage, and traveler rights
Why it matters: The expanded privacy notice provides substantially more detail about what data Booking.com collects from travelers, how it uses that data (including for AI-driven decisions), who it shares data with, and what rights travelers have. For travelers considering booking through Booking.com, the additional transparency allows more informed decisions about data privacy before committing to a reservation.
Added mandatory arbitration clause and class action waiver, effective immediately; users can opt out within 30 days.
Why it matters: This change materially restricts how users can pursue disputes with Booking.com. By making arbitration mandatory and requiring class action and jury trial waivers as default conditions, the updated terms eliminate the option to use courts and prevent collective legal action unless users take affirmative steps to opt out within 30 days of April 19, 2026.
Removes UK from stated server locations; now lists only US and EU servers
Why it matters: Transparency about server locations is a key privacy disclosure that affects where your data is stored and what data protection laws apply. Removing UK from the list changes what the policy tells you about data handling and may indicate a shift in infrastructure that affects your rights under UK and EU data protection law.
Adds explicit disclaimers that Noom is not medical care, requires age 18+, clarifies features may be inaccurate, and reserves unilateral account suspension rights
Why it matters: The updated terms make explicit that Noom is not a substitute for medical care and that its coaching and food features may be inaccurate, which is critical for users who might rely on it for health decisions. The new language also reserves Noom's right to terminate your account at any time without stated cause or process, expanding the company's unilateral control over your access.
Shifts child privacy certification to CARU, clarifies persistent ID collection for children, and expands parental visibility of authorized third-party app access.
Why it matters: Nintendo now explicitly discloses that it collects and permits service providers to collect persistent identifiers from child users for specific operational purposes, and parents can see exactly which apps are authorized to access their child's account, providing clearer visibility into data practices affecting children. The shift from ESRB to CARU oversight represents a change in the third-party body conducting independent audits and enforcement of the company's child privacy compliance.
Adds AI-powered phone marketing disclosures and reorganizes data retention criteria; removes specific retention examples.
Why it matters: Microsoft disclosed a new marketing contact method (AI-generated voice calls) that consumers may not expect, requiring them to verify their consent preferences. Simultaneously, the company made its data retention commitments less specific and more operationally broad, which reduces consumer clarity about how long their data is kept and may complicate vendor compliance verification.
Removed one-month response commitment for privacy requests and explicit disclosure of child safety consortia data sharing
Why it matters: The removal of response timelines for privacy rights requests eliminates a compliance commitment that operationalized GDPR and UK DPA obligations, creating ambiguity about what timeline now applies when users exercise data subject rights. The removal of explicit child safety consortium disclosure eliminates transparency about a data processing practice, which may affect users' ability to understand what data is shared and for what purpose, and may create compliance questions under transparency-focused regulations like GDPR Article 14.
Updated ad disclosure for Status and Channels; replaced Thai privacy section with US regional privacy notice.
Why it matters: The updated policy establishes that WhatsApp no longer commits to restraint on ad expansion in Status and Channels, instead explicitly disclosing the possibility of new ad types. This represents a shift from aspirational commitment language to affirmative permission, and may affect how users understand the trajectory of advertising on WhatsApp's social features. The addition of US-focused regional privacy guidance reflects WhatsApp's increased emphasis on US regulatory compliance frameworks.
Reframes Plaid Account role from third-party app accelerator to direct consumer service provider; adds Plaid Web-App monitoring platform.
Why it matters: The updated terms establish that Plaid is now a direct service provider with its own account and monitoring platform, not just an intermediary for third-party apps. This means Plaid's use of your financial and identity data has expanded beyond facilitating third-party connections to include providing its own alerts and monitoring services, and organizations using Plaid need to verify their data processing agreements and customer disclosures reflect this expanded role.
Restructured account terms to clarify Plaid's direct service role and introduced new account monitoring service with expanded payment data sharing scope.
Why it matters: The restructured terms expand Plaid's explicitly authorized scope to share your financial data for payment purposes and introduce a new direct service offering. This shift from Plaid as a connection intermediary to Plaid as a direct service provider with its own monitoring system means Plaid's role and data-handling authority is now broader and more direct than previously stated in the account terms.
Restricts Terms of Service to US users only and adds mandatory individual arbitration provision blocking class actions.
Why it matters: The updated terms establish mandatory individual arbitration for all disputes and subordinate service-specific terms to the primary Terms of Service, which narrows consumer access to class action remedies and changes the contractual hierarchy governing multi-service relationships. The restriction to US-only applicability creates operational ambiguity about which terms now govern non-US users who continue to access the service.
Added Data Privacy Framework compliance disclosure and certification statement for EU, UK, Swiss resident data transfers
Why it matters: The updated policy formalizes the legal framework governing how Upwork transfers and processes EU, UK, and Swiss resident data. By establishing explicit DPF compliance and stating that DPF principles take precedence over conflicting policy terms, Upwork creates a clear legal hierarchy for data protection standards and provides regulatory clarity on the transfer mechanism used. This is operationally significant for organizations that depend on Upwork's compliance posture to satisfy their own GDPR and UK GDPR obligations.
Added 32 sentences to privacy policy describing data collection, use, and sharing practices
Why it matters: The updated privacy policy introduces expanded disclosures about how Snapchat collects and uses data. Organizations relying on Snapchat for user engagement or data services may need to review the new language to ensure their own privacy documentation and vendor agreements remain accurate and compliant with regulatory requirements.
Updated privacy notice now authorizes data sharing for joint marketing with financial companies and permits nonaffiliate marketing.
Why it matters: The updated notice establishes new authority for Chime to share customer data for joint marketing with other financial companies, which expands the scope of permitted data sharing beyond the prior disclosed categories. This change materially affects who has access to customer financial information and for what purposes, which is operationally significant under GLBA disclosure requirements and affects consumers' ability to exercise data-sharing objections.
Updated children's policy to permit parental authorization of accounts for users under 13, replacing prior blanket prohibition.
Why it matters: The updated terms establish that children under 13 may now use Cash App with parental authorization, replacing a prior blanket prohibition. This change expands Cash App's addressable market to include minors while creating specific COPPA compliance obligations around parental consent, data use restrictions, and security that organizations relying on Cash App services should understand and incorporate into their own compliance frameworks.
Restructured Terms of Use with 1,400+ sentences added covering accounts, payments, IP, safety, disputes, arbitration, and class action waivers; effective April 30, 2026.
Why it matters: The restructured Terms of Use reorganizes how user rights, obligations, and dispute procedures are presented and governed. The introduction of formal titled sections on arbitration agreements and class action waivers establishes or clarifies the procedures users must follow if they dispute charges, disputes with other users, or seek legal recourse against the platform. The new 'Online Safety' section formalizes what safety monitoring and enforcement practices apply, and the 'Intellectual Property and UGC' section structures how content creators' rights are governed. For developers and content creators, these changes affect how intellectual property is licensed and what third-party integrations are permitted.
Adds explicit fraud-prevention data disclosure to law enforcement and third parties; clarifies email/identifier use for cross-platform targeted advertising; introduces privacy rights webform.
Why it matters: The updated policy establishes explicit authority to disclose user information to law enforcement and financial crime investigators, which operationalizes compliance with anti-money laundering and financial crime statutes but creates new transparency obligations under state privacy laws. The clarification regarding email-based cross-platform advertising expands Binance.US's stated use of identifiers beyond its own platforms, which may affect how users understand data use and which audiences are subject to targeted advertising.
Adds Connecticut-specific virtual currency risk disclosures including warnings about irreversibility, lack of government insurance, and fraud schemes.
Why it matters: The updated language establishes explicit risk disclosures that Connecticut regulations and similar state regimes likely require. These disclosures address irreversibility of transactions, absence of government protection, fraud risk, and market volatility, ensuring users understand fundamental characteristics of cryptocurrency before transacting. This change affects how Coinbase communicates the nature of its service and the risks users assume.
Expanded data collection disclosures to include voice inputs and ad preference inferences; added US state privacy notice section.
Why it matters: The updated statement brings Netflix's privacy disclosures into formal alignment with US state privacy law frameworks by adding explicit notice of voice recording collection and advertising preference inferences, and by establishing a modular disclosure structure for state-specific privacy rights. This change operationalizes Netflix's compliance infrastructure for emerging privacy statutes and clarifies data practices that were previously referenced in general terms.
Updated daily. New changes added as detected.