---------------------------
Title: Privacy policies of major platforms
URL: https://usercentrics.com/guides/privacy-policies-of-major-platforms/
---------------------------

# Privacy policies of major platforms

Staying compliant starts with understanding the privacy rules of the platforms you rely on. This guide breaks down the key policies of major players — from Facebook and other social platforms to Zoom and ChatGPT. It provides clear information to help you align with platform-specific privacy requirements.

## Facebook privacy policy: A complete guide for businesses

### At a Glance

- The Facebook privacy policy, formally Meta's Privacy Policy, governs how Meta collects, uses, and shares personal data across Facebook, Instagram, Messenger, and its advertising network.
- The Facebook data policy documents Meta's use of personal data for ad targeting, product improvement, safety, and sharing with third-party partners and advertisers.
- Key data collection points under the Facebook privacy policy include profile information, activity data, device identifiers, location data, and off-platform browsing behavior via the Meta Pixel.
- GDPR enforcement actions against Meta, including a EUR 1.2 billion fine in 2023, have reshaped how major platforms approach data transfers, consent, and legitimate interest claims.
- Businesses using Meta advertising tools must understand how the Facebook data policy intersects with their own GDPR and CCPA obligations, particularly regarding the Meta Pixel and Conversions API.
- Privacy policies of major platforms are updated frequently: marketers and compliance teams should monitor changes that affect data sharing, consent requirements, and ad measurement capabilities.

Using Facebook for business often means sharing your audience’s personal data with the Meta-owned platform. This is especially true if you use tools that connect your websites, apps, and marketing activities to Facebook.

Facebook’s privacy policy governs what happens to the personal data you share: how the platform uses it and how it shares the data with Meta’s other products and platforms, as well as with advertisers and partners.

Meta’s privacy practices directly impact your obligations under global data protection laws, so it’s imperative that you understand its privacy policy.

This guide breaks down the [Facebook privacy policy](https://www.facebook.com/privacy/policy) so you can make informed decisions and understand:

- What data Facebook collects
- How Meta uses it
- What steps you need to take to meet your legal obligations and be transparent with your customers

## Why Facebook’s privacy policy matters for your business

If your business decides how and why personal data is collected or used, then under many global privacy laws you are accountable starting from the moment you collect it, and even after it’s shared with third parties like Meta.

Understanding what data Facebook collects and how Meta uses that data matters for several other reasons, detailed below.

### Regulatory compliance

Meta must use the data you share in a way that meets regulatory requirements. Data privacy laws generally protect data belonging to individuals located in the law’s region of jurisdiction — like many countries under the European Union, a single country like Canada, or a US state.

You may be required to comply with several laws, depending on where your audience or customers are located, and what industry your business is in. Some of the most common global privacy laws are:

- The European Union’s [General Data Protection Regulation (GDPR)](https://usercentrics.com/gdpr/)
- Multiple [US state-level data privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/), including, the [California Consumer Privacy Act (CCPA)](https://usercentrics.com/ccpa/) and the [California Privacy Rights Act (CPRA)](https://usercentrics.com/us/knowledge-hub/california-privacy-rights-act-cpra-enforcement-begins/)
- Brazil’s [Lei Geral de Proteção de Dados Pessoais (LGPD) ](https://usercentrics.com/lgpd/)
- South Africa’s [Protection of Personal Information Act (POPIA)](https://usercentrics.com/popia/)
- Canada’s [Personal Information Protection and Electronic Documents Act (PIPEDA)](https://usercentrics.com/knowledge-hub/canada-personal-information-protection-and-electronic-documents-act-pipeda/)

### Customer expectations

According to data from Salesforce, [71 percent of customers](https://www.salesforce.com/en-us/wp-content/uploads/sites/4/documents/research/State-of-the-Connected-Customer.pdf) are increasingly protective of their personal information. That growing caution makes it more important than ever for businesses to be clear about who has access to users’ personal data and how it’s used.

If your practices aren’t transparent — or if users feel misled — it can erode trust and harm your reputation.

### Business impact

Facebook’s data policies influence how effective your ads and analytics will be. Understanding what data Facebook uses and how it processes that data helps you make better decisions about targeting, measurement, and spend.

### Evolving regulations

Newer laws like the EU’s [Digital Markets Act (DMA)](https://usercentrics.com/digital-markets-act-dma/) restrict how Meta can combine and use EU users’ data collected from one product — like Facebook — across its ecosystem. Meta has multiple platforms and billions of users, so this is a notable restriction on the data and revenue potential in their operations.

These changes affect how your business can use Meta tools for audience insights, cross-platform tracking, and personalized advertising in the EU. That means ongoing awareness is necessary for continued compliance.

## Understanding Facebook’s data privacy policies and practices

Facebook processes large volumes of personal data that’s collected from both users and businesses that use [Meta Business Tools](https://www.facebook.com/business/help/331509497253087) on their websites and apps.

In some regions, Facebook may also use data collected from other Meta platforms — such as Instagram, Messenger, and WhatsApp — depending on local privacy laws and user consent.

Here’s a look at what data Facebook collects and how it’s used.

### What data does Facebook collect?

The Facebook privacy policy lists the information Facebook collects from users, which includes:

- **User-provided information:** Includes details that users enter when creating an account or making a purchase, such as their email address, phone number, age, profile photo, and payment or delivery information if they use Meta Pay or checkout features.
- **User activity:** Facebook tracks what users click, post, like, and share, as well as who they message and otherwise interact with. Engagement with both ads and organic content is tracked.
- **App, browser, and device information:** Facebook collects data from users' phones, computers, or tablets, including:
    - Device type
    - Operating system
    - Battery level
    - Signal strength
    - IP address
    - App version
    - Network
    - GPS location
    - Photos and camera access

In addition to this user data, Facebook receives personal data from the businesses that use its tools.

If your business integrates Meta Business Tools — such as the Facebook Pixel, SDK, or Conversions API — that means you're actively sending data about your website or app visitors to Meta. This may include pages viewed, purchases completed, or in-app events triggered by users.

This shared data enables Meta to offer features like retargeting, conversion tracking, custom audience creation, and ad performance analytics. In this case, your business acts as a data source, so you’re responsible for collecting that data lawfully and clearly explaining its use in your privacy policy.

### How do Facebook and Meta use this information?

Once Facebook collects personal data from users or businesses, it uses that information in a variety of ways across its services. Uses listed in Facebook’s privacy policy include:

#### Personalization (including ads)

Meta uses personal data to tailor user experiences across its platforms, including displaying personalized content, suggestions, and targeted advertisements. It uses data to connect businesses to new customers who might be interested in their products and services.

#### Product improvement

Meta applies user activity information to enhance existing products and develop new features. It also uses device information, such as what’s happening in the background when a Meta app crashes.

#### Safety and security

Meta uses this information to detect and prevent suspicious activity, harmful behavior, spam, and fraud, aiming to keep the platform safe for users and businesses.

#### Measurement and analytics

Meta provides businesses with analytics and reports on ad performance and user engagement. It often uses data shared by businesses through Business Tools.

### Role of cookies and tracking technologies

Meta uses [cookies](https://usercentrics.com/knowledge-hub/tracking-cookies-and-the-gdpr/), pixels, and other tracking technologies to collect personal data for a range of uses, including analytics and ad targeting.

Facebook uses these tools to gather information from people who have Facebook accounts, use other Meta products and platforms, or visit third-party websites and apps that integrate Meta Products, such as the “like” or “share” buttons.

Importantly, these tracking technologies can collect data from a person even if they aren’t logged into a Facebook account or don’t have a Facebook account at all ([except for users in the European Region](https://developers.facebook.com/docs/plugins)).

When your business adds Meta Business Tools to your website, app, or online store, Meta can set and read cookies. Meta can then collect information about any visitor, not just Facebook users.

That means Meta builds advertising and analytics profiles using data from both its users and individuals who don’t use its platforms.

Meta maintains a separate [cookies policy](https://www.facebook.com/privacy/policies/cookies) that outlines its use of these tracking technologies. If your business receives traffic from visitors in regions with explicit consent requirements — which is an ever-increasing percentage of the world — it’s particularly important to review Meta’s cookies policy carefully.

You’ll need to implement consent mechanisms that meet legal standards and update your own privacy notices to reflect Meta’s tracking activities on your site.

> Unsure about what type of consent you need? Learn the [differences between opt-in and opt-out consent](https://usercentrics.com/knowledge-hub/opt-out-vs-opt-in/) and which type you need under different global privacy laws.

### Who does Meta share personal data with?

Meta[ shares personal data](https://www.facebook.com/privacy/policy?section_id=4-HowDoWeShare) with some third parties for a variety of purposes.

While the company states it doesn't sell personal information, this kind of sharing can legally qualify as a “sale” of personal information [under laws like the CCPA/CPRA](https://usercentrics.com/us/knowledge-hub/california-consumer-privacy-act/), even when no money is exchanged.

The third parties Meta shares data with include the following:

- **Advertisers:** Businesses that advertise on Meta’s platforms
- **Commerce and service partners:** Businesses that offer goods or services on Facebook or other [Meta products](https://www.facebook.com/help/1561485474074139) and platforms, as well as any providers acting on their behalf (for example, a payment processor)
- **Vendors and service providers:** Third-party services that Meta uses to promote its own products, conduct research and surveys, deliver customer service, facilitate payments, analyze product usage, and investigate suspicious activity, among other things
- **Academic and public interest researchers:** External researchers who focus on topics like safety, technology, or social impact

Both the data shared and who it’s shared with may vary based on how your business uses Meta Business Tools and what privacy choices users make.

### International data transfers

Meta transfers personal data across borders as part of its global operations. This includes sending data to countries where:

- It has infrastructure, such as the United States, Ireland, Denmark, and Sweden, among others
- Meta products are available
- Its partners, vendors, service providers, and other third parties are located

To carry out these international data transfers in compliance with applicable privacy laws, Meta relies on legal mechanisms such as Standard Contractual Clauses (SCCs) and adequacy decisions.

For data transfers from the EU to the US, Meta states that, [as of September 7, 2023](https://en-gb.facebook.com/business/help/1001186684640957), it relies on the [EU-US Data Privacy Framework](https://en-gb.facebook.com/legal/EU_data_transfer_addendum/update).

### Sensitive information restrictions

Meta prohibits businesses and partners from sharing [certain types of sensitive information](https://en-gb.facebook.com/business/help/361948878201809?id=188852726110565) through its platform and tools.

This information includes, but is not limited to:

- Health or medical data
- Detailed financial data
- Government ID numbers
- GPS location data
- Social Security numbers or local equivalents
- Passwords
- Any information that the sharer knows — or reasonably should know — is from or about a child under the age of 13

If Meta determines that a business may be violating these terms, it reserves the right to take action against that business.

## How to align your business with privacy laws and Facebook privacy requirements

While understanding Meta’s data practices is important, you must also be aware of your business’s direct responsibilities when handling user data in connection with Facebook, Meta Business Tools, and Meta products.

Below are the primary obligations you need to follow.

### Meet EU consent standards under the GDPR and the DMA

Facebook’s privacy policy states that “partners must have the right to collect, use and share” data before providing it to the platform. Under laws like the GDPR, this typically means obtaining explicit user consent, especially when the data will be used for advertising or tracking purposes.

If your business operates in the EU or targets users there, the Digital Markets Act (DMA) also requires Meta to obtain explicit user consent before combining personal data collected on your website with account information from Facebook or other Meta platforms for analytics or targeting.

To stay compliant, your consent banner or [consent management platform (CMP)](https://usercentrics.com/knowledge-hub/consent-management-platforms/) must clearly inform users of this data use and enable them to opt in.

Monitor Facebook’s updates in the EU to make sure your consent collection practices align with both Facebook’s expectations and DMA requirements.

### Follow data minimization principles

When collecting personal data, practice data minimization by gathering only what you need. This helps you to comply with the GDPR and avoid sharing data that may be prohibited or unnecessary for your stated purpose.

### Understand US opt-out requirements

US states that have implemented data privacy laws to date use an opt-out consent model. In most cases, prior consent for data collection and processing is not required, including for profiling or advertising. It is only necessary to enable users to opt out.

Meta provides a [Limited Data Use (LDU)](https://developers.facebook.com/docs/marketing-api/overview/data-processing-options/) parameter to help businesses comply. When enabled, Meta will limit how it processes the user’s data in line with the applicable state law, if that user had opted out.

The CCPA/CPRA includes an additional obligation that provides California residents the right to opt out of the sale or sharing of their personal data for profiling or targeted advertising. Businesses must honor this right by prominently displaying a “Do Not Sell Or Share My Personal Information” button or link.

Many businesses choose to add this to their cookie banner, website footer, or app menu. You must also immediately stop sharing users’ data with Meta or other third parties when they exercise their right to opt out.

### Follow purpose limitation principles

If your business *receives* data from Meta through integrations or for targeted advertising, only use it for the purposes disclosed to users in your privacy policy, and only if users have given proper consent.

> Learn how to create a [privacy policy for Facebook lead ads](https://usercentrics.com/guides/social-media-email-marketing-compliance/privacy-policy-for-facebook-ads/).

### Protect the data you handle

Your business is responsible for protecting any personal data it collects, processes, or shares, even after it has been shared with Meta. Data privacy laws like the GDPR and the CCPA/CPRA require businesses to implement reasonable technical and organizational measures to safeguard personal information.

These security obligations apply across the full data lifecycle — from collection to sharing. Any [data processing agreement (DPA)](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/) you enter into with Meta should require Meta to apply the same security standards you use as a data controller.

If your business receives personal data from Meta, you’re responsible for protecting it just as you would any data you collect directly from users.

### Be transparent with your users

Your privacy policy must clearly explain how your business interacts with Facebook and other Meta platforms, uses Meta’s tools, and what that means for your users’ personal data.

Below is a non-exhaustive checklist of information the policy must include regarding your relationship with Meta.

- Clarify what categories of personal data and what personal data you share with Meta, and note that Meta may use the data according to its own privacy policy.
- Explain that you use Meta Business Tools, such as Facebook Pixel or Conversions API.
- State your reasons for collecting and sharing data with Meta. For example, it may be used for ad targeting, analytics, or campaign measurement.
- Disclose your use of Meta-related cookies and how users can manage or reject them through your site.
- Inform users that data shared with Meta may be further shared by Meta, including with its partners or vendors.
- Include links to Meta’s privacy and cookies policies.
- Explain users’ rights under relevant laws and how they can exercise them, such as the right to object (under the GDPR) and the right to opt out (under the CCPA/CPRA).
- If you use Meta ads for behavioral targeting, provide California users the option to opt out through a “Do Not Sell Or Share My Personal Information” link.
- If you rely on Facebook Page Insights, EU regulators treat you and Meta as joint data controllers. You should include a link to Facebook’s [Page Controller Addendum](https://www.facebook.com/legal/terms/page_controller_addendum) and document this arrangement in your records of processing activities.

Meta also requires that when you collect information from people who interact with your page, group, or event, you must first provide them with clear notice. Users must explicitly consent to your use of their data, and you must clearly explain that you, not Meta, are collecting and processing this information.

If you’re an integrated partner, Meta specifies that you’re responsible for handling user information according to your own terms and policies. Your privacy policy must be easily accessible, typically in a website footer or app menu.

> Read more about [global privacy policies](https://usercentrics.com/knowledge-hub/global-privacy-policy/).

### Take additional precautions when handling minors’ data

Meta limits ad targeting for users under 18 to age and location only. Your business cannot circumvent these restrictions. For example, you must not use custom audiences based on lists known to include minors.

If your website or app is likely to attract minors, or if you collect data that could reasonably belong to users under 18, your business may be subject to heightened legal obligations. These requirements vary based on where your users are located and the nature of the data collected.

They include:

- Obtaining verifiable parental consent under laws like the [Children’s Online Privacy Protection Act (COPPA)](https://www.cookiebot.com/en/coppa-compliance-requirements-checklist/) in the US, which must be separately obtained for collecting data and for sharing data
- Obtaining explicit consent from a parent or legal guardian for minors under the age of 16, per GDPR requirements. EU member states can lower this to age 13
- Providing transparency in your privacy policy about how data from minors is collected and used
- Using age verification mechanisms when age plays a role in data collection or eligibility for your services

Your business must be prepared to meet these requirements if your data collection practices could involve users under the age of 18.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## Instagram privacy policy: Requirements for businesses

Instagram has [over 2 billion monthly active users](https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/) worldwide, with users spending [more than 33 minutes a day](https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/) on the platform. This large active user base provides substantial opportunities for businesses to reach potential customers and has made Instagram a cornerstone of the [creator economy](https://learn.aspireiq.com/rs/982-DON-266/images/The_State_of_Influencer_Marketing_2024.pdf), with 86 percent of creators and 90 percent of brands planning to focus their marketing efforts on the platform.

When your business uses Instagram, you often share your audience’s personal data with the platform — or receive data through integrated tools — and you are responsible for informing users about how their data is collected, processed, and shared.

Instagram operates under parent company Meta’s umbrella and does not have a standalone privacy policy. Its data practices are governed by [Meta’s privacy policy](https://privacycenter.instagram.com/policy), which also applies to Facebook and other Meta-owned services.

We’ve gone into detail about Meta’s data processing practices in our article on Facebook’s privacy policy, many of which overlap with Instagram’s terms.

> Read more about [Facebook’s privacy policy](https://usercentrics.com/guides/platforms-ppg/).

This article explores the specific requirements for including Instagram usage in your [privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/) and how to meet both Meta’s platform requirements and applicable data protection regulations.

## What data does Instagram collect?

Instagram collects similar types of data as Facebook, including personal details, engagement activity, and technical information from connected devices.

- **User-provided information:** Email address, phone number, date of birth, profile photo, and payment or delivery details when users make purchases through Meta Pay or checkout features
- **User activity:** Posts, likes, comments, shares, messages, and interactions with ads or other content
- **App, browser, and device information:** Device type, operating system, battery and signal status, IP address, app version, network, GPS location, and access to photos or camera

Instagram also receives personal data from businesses that use [Meta Business Tools](https://www.facebook.com/business/help/331509497253087), including pages visited, purchases made, or in-app actions that users take.

## How does Instagram use this data?

Instagram uses personal data collected from users and businesses for a range of purposes described in Meta’s privacy policy.

- **Personalization (including ads):** To deliver tailored content, show targeted ads, and help businesses reach people likely to be interested in their products or services
- **Product improvement:** To fix bugs, improve app performance, and develop new features based on user behavior and technical data
- **Safety and security:** To detect and prevent spam, harmful behavior, fraud, or suspicious activity
- **Measurement and analytics:** To provide reports and insights on engagement and ad performance

Instagram may also [share personal data](https://privacycenter.instagram.com/policy/?section_id=4-HowDoWeShare) with third parties, such as advertisers, commerce and service partners, vendors and service providers, and academic and public interest researchers.

Meta states that it does not sell personal information, but this type of sharing may still qualify as a “sale” under laws like the [California Consumer Privacy Act (CCPA)](https://usercentrics.com/ccpa/)/[California Privacy Rights Act (CPRA)](https://usercentrics.com/us/knowledge-hub/california-privacy-rights-act-cpra-enforcement-begins/) even without monetary exchange.

## Instagram features that impact privacy requirements

While most of Instagram’s data practices mirror Facebook’s, several platform-specific features create distinct privacy disclosure requirements that businesses must address.

These platform differences mean your privacy policy must account for Instagram-specific data sharing, visibility settings, and third-party integrations that affect user privacy.

### Public nature of Instagram business accounts

While businesses can technically use a personal Instagram account for promotion, most choose a business or creator account to access platform features like analytics, branded content tools, and ad options. These account types offer more marketing functionality — but they cannot be set to private.

This differs from Facebook, where public Pages are the norm, but private groups and events are also available for businesses.

On Instagram, all content and engagement — including posts, Reels, Stories, likes, comments, and views — are publicly visible by default if you have a business or creator account. You can choose to enable optional granular controls, such as hiding stories from specific users, restricting comments, or hiding like counts, but these settings require your active selection as the account owner.

If you use Instagram for business and rely on these public-facing tools, your privacy policy must not suggest that your account content is limited to a specific audience or protected by privacy settings.

This public visibility means any Instagram user, except those you’ve specifically blocked, can view basic information about other users:

- Who interact with your content, including their likes and comments
- Whose content you reshare or accounts you tag

Your privacy policy must not suggest that your account content or user interaction is limited to a specific audience or protected by privacy settings.

Business and creator accounts also have access to a wider range of third-party tools used for functions like scheduling or analytics, and you may also be sharing personal data with these third-party tools.

### Use of third-party “link in bio” tools

Instagram doesn’t support clickable links in post captions, so many businesses turn to third-party “link in bio” tools to direct users to websites, product pages, or other content.

These services typically consolidate multiple links into a single landing page, accessible through your Instagram profile bio.

When users tap these links, they’re opening them in Instagram’s in-app mobile browser, and Instagram may save that visit to a link history for up to 30 days. Users can manage this history from their account settings, including the ability to remove individual links, clear all link history, or turn link history off entirely.

However, when link history is on, [Instagram states](https://help.instagram.com/426880382237026/?helpref=uf_share) it may use that data to improve ad targeting across Meta technologies.

If you use a third-party link in bio service — or direct users to your own website through your Instagram bio — your privacy policy must disclose any data collection, tracking technologies, or [cookies](https://usercentrics.com/knowledge-hub/tracking-cookies-and-the-gdpr/) set by these tools or your website, and Meta. This includes any analytics or advertising pixels that may be triggered when users visit the linked page through these tools.

### Instagram collaborative posts

Instagram's collaborative post feature enables multiple accounts to co-author posts, giving all collaborators access to two types of data:

- Public engagement data, such as the usernames of who liked and commented
- Aggregate analytics, such as views, reach, saves, demographic insights

When your followers engage with these collaborative posts, their public interactions become visible to all collaborating accounts, even though these users typically only interact with your individual content.

The aggregate metrics are [anonymized](https://usercentrics.com/knowledge-hub/data-anonymization/) and don’t include [personally identifiable information (PII)](https://usercentrics.com/knowledge-hub/personally-identifiable-information-vs-personal-data/). Including this in your privacy policy isn’t legally required, but it supports transparency about how your followers’ engagement becomes visible to other accounts through collaborative posts.

## Data processing and transparency in your Instagram privacy policy

Transparency is a core requirement under most data privacy laws, including the European Union’s [General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/) and the CCPA/CPRA.

These regulations require businesses to clearly explain what personal data they collect, how they use it, and who they share it with. The California privacy law, in fact, specifically mandates that businesses maintain a privacy policy explaining their data processing activities.

[Meta’s platform terms](https://developers.facebook.com/terms) reinforce this. If you use Instagram’s API to connect your website or app to the platform, or if you receive data from or share data with Meta in any way, you must maintain a privacy policy.

The combination of regulatory requirements and Instagram’s platform rules creates specific disclosure obligations that your privacy policy must address. Understanding these requirements helps you build comprehensive privacy documentation that satisfies both legal compliance and platform terms.

### Instagram’s privacy policy requirements

Meta’s terms of use establish specific requirements for businesses using Instagram’s platform.

- You must provide a clear and current privacy policy. It must be available at a publicly accessible, non-geoblocked URL that Meta can crawl.
- Your privacy policy URL must be listed in your app dashboard settings.
- Your privacy policy must explain what data you collect, how you process it, why you process it, and how users can request deletion of their data.
- You may only process data shared with or obtained from the platform in ways that match your privacy policy, comply with Meta’s terms and policies, and in accordance with all applicable laws.
- Your privacy policy must not conflict with or override Meta’s own platform terms.

You must delete data that is no longer needed or when you receive a deletion request from Meta or the user to whom the data belongs.

Your privacy policy must explain how users can request data deletion or modification. This is also a regulatory requirement in most global data privacy laws.

Certain types of data use are explicitly prohibited under Meta’s terms. Your business may not:

- Process data to discriminate against individuals based on protected attributes, such as race, religion, gender, age, or disability
- Use data to determine eligibility for housing, employment, insurance, education, credit, or government benefits.
- Use Instagram data for surveillance purposes
- Sell, license, or purchase platform data
- Build or enrich user profiles without valid consent
- Attempt to reverse engineer, decode, de-anonymize, or otherwise reidentify anonymized data
- Change your app’s core function or expand how you use Instagram data without Meta’s prior approval
- Use the data in ways not permitted under Meta’s Developer Docs, or share it without a legal basis or proper user consent

While Meta's Platform Terms don’t explicitly require you to list prohibited practices in your privacy policy, you should be aware of these prohibitions as they directly impact what you are — and aren’t — allowed to do with users’ personal data, which in turn affects your privacy policy.

### Privacy policy regulatory requirements and best practices

You don’t need a separate document to cover your use of Instagram, but your existing privacy policy must include Instagram-related data practices. This includes how you collect data through the platform, use Meta Business Tools, and share information with Meta or other third parties.

In addition to meeting Instagram’s specific requirements listed above, your privacy policy must also comply with applicable data privacy laws based on your users’ locations. These may include:

- The EU’s GDPR, which also covers users in the European Economic Area (EEA)
- Multiple [US state-level data privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/), including the CCPA/CPRA
- Canada’s [Personal Information Protection and Electronic Documents Act (PIPEDA)](https://usercentrics.com/knowledge-hub/canada-personal-information-protection-and-electronic-documents-act-pipeda/)
- Brazil’s [Lei Geral de Proteção de Dados Pessoais (LGPD) ](https://usercentrics.com/lgpd/)
- South Africa’s [Protection of Personal Information Act (POPIA)](https://usercentrics.com/popia/)
- Other regional or national laws where applicable

Below is a non-exhaustive checklist of the information your privacy policy should include.

- What categories of personal data and personal data you collect and share with Meta. Inform users that Meta may process the data according to its own policy.
- Include links to [Meta’s Privacy Policy](https://privacycenter.instagram.com/policy/), [Cookies Policy](https://www.facebook.com/privacy/policies/cookies/?entry_point=cookie_policy_redirect&entry=0), and [Instagram Platform Terms](https://help.instagram.com/termsofuse).
- State what rights users have under relevant laws, and how to exercise these rights, such as:
    - Right to access personal data you hold about them
    - Right to request deletion of their data
    - Right to correct inaccurate or incomplete data
    - Right to object to the processing of their personal data
    - For US state-level privacy laws, the right to opt out of the sale or sharing of data, targeted advertising, or profiling — depending on which relevant law(s) — and the right to limit the use of sensitive personal data
- If you use Meta ads for behavioral targeting, provide California users the option to opt out through a “Do Not Sell Or Share My Personal Information” link.
- Explain how you collect and use data from minors in line with global regulations. Most privacy laws consider children’s personal data to be sensitive and thus require prior consent (typically from a parent or guardian), as well as more restrictions and requirements for handling and security.
- Share your contact details for users to reach out with any questions or concerns they may have about your data policies or their rights, including information about your [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) if you have one, or other qualified corporate privacy contact.
- Explain what cookies you use, and how users can accept or reject them. Explain to users that they have the right to change their cookie preferences at any time, and how they can do so.
- State that you use Meta Business Tools, such as the Meta Pixel or Instagram Graph API, if applicable.

Your privacy policy must be written in clear, non-legal language for anyone to understand. It should be easily accessible on your website or app. Most businesses share their privacy policies from the footer of their website and/or their app’s menu.

You’re also responsible for keeping it up to date with changes in data protection laws, Meta’s terms, or your own data handling practices.

-

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## TikTok privacy policy: Data sharing terms requirements for businesses

TikTok’s reach is wide. As of February 2025, the platform has nearly [1.6 billion users](https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/) worldwide, with that number expected to grow to around [1.9 billion](https://www.statista.com/forecasts/1142687/tiktok-users-worldwide) by 2029. Advertisers are following the crowd: projections put TikTok’s advertising revenue near [USD 33 billion](https://www.statista.com/statistics/1305708/tiktok-ad-revenue/) by the end of 2025.

Every interaction businesses have with TikTok’s business tools — from the TikTok Pixel to lead generation forms — means sharing user data with the platform. Once shared, that data falls under both the company’s own data sharing terms and several global data privacy laws.

TikTok maintains three separate privacy policies for data it collects directly from users, depending on where users are located:

- United States (US)
- European Union (EU), European Economic Area (EEA), United Kingdom (UK), and Switzerland
- Rest of the world

If your business uses TikTok Business Products, a different set of terms apply. Data that flows to TikTok from businesses through pixels, SDKs, or other integrations is instead governed by the [TikTok Business Products (Data) Terms](https://ads.tiktok.com/i18n/official/policy/business-products-terms).

TikTok also has additional terms that may apply depending on how your business uses its tools. These additional terms vary in scope, such as those that apply to data collected from users in different regions, data collected from lead gen forms on the platform, and custom audiences for targeted advertising.

This article explains how TikTok handles the data it receives from businesses, the obligations the platform places on businesses, and how your privacy policy must reflect those obligations under TikTok’s terms and relevant data privacy laws.

## What data does TikTok collect from businesses?

TikTok, which is owned by China-based parent company ByteDance, offers a range of tools designed for business use, from ad targeting features to developer integrations. These tools channel user information back to the platform.

The Business Products (Data) Terms covers three key categories of data:

- Contact Details
- Developer Data
- Event Data

### Contact Details

TikTok defines Contact Details as information that “enables an individual to be directly identified,” such as a user’s name, email address, or phone number. Your business may collect and transmit this data to TikTok when using certain advertising features.

You share Contact Details with TikTok when you:

- **Upload customer lists** that include email addresses or phone numbers to create custom audiences for ad targeting
- **Run lead generation campaigns** where users submit their contact information directly through a TikTok form
- **Use platform integrations** (like Shopify) to send Contact Details to TikTok for ad targeting

### Event Data

Event Data refers to information about how people interact with your website or app.

[TikTok defines events](https://ads.tiktok.com/help/article/standard-events-parameters?lang=en) as “actions taken on your website, like adding an item to a cart or making a purchase, that can result from a paid TikTok ad or organically (unpaid).”

Event Data may include:

- **Technical details** about a user’s device or browser, such as their language settings, IP address, country, and browser type
- **User actions** on your site or app, such as visiting pages, installing apps, signing up for trials, downloading files, or adding items to a wishlist or cart

You share Event Data with TikTok when you use tools like the TikTok Pixel and the Events Application Programming Interface (API).

### Developer Data

Developer Data is information TikTok collects when users interact with features on your website, app, or marketing platform that are powered by TikTok’s developer tools.

These tools include APIs and software development kits (SDKs) that enable you to integrate TikTok functionality into your digital products. For example, letting users log in with TikTok, share content, or publish videos directly from your platform.

Like Event Data, Developer Data typically includes technical information about users’ devices and browsers, including IP addresses, geographic location, language settings, and browser or app type.

You [share this data with TikTok](https://developers.tiktok.com/) through tools such as:

- **Login Kit**, which enables users to sign in to your app or website using their TikTok credentials
- **Share Kit**, which enables users to share videos, captions, hashtags, and other content from your mobile app directly to their TikTok profiles via your app’s share button
- **Content Posting API**, which enables users to post videos or upload drafts to TikTok from within your platform (commonly used by social media scheduling tools)
- Other integrations, including options to embed TikTok videos and creator profiles on your site, use webhooks to automate processes, or send images and videos from your app to TikTok as green screen backgrounds

## How does TikTok use data?

Once TikTok receives personal information from businesses, it uses that data in several ways across its services. The platform’s terms outline several specific applications.

### Measure performance and generate insights

TikTok uses Event Data to help your business evaluate how campaigns are performing and to provide context on how those results compare to other campaigns across the platform.

This data analysis serves two primary functions:

- **Campaign performance reports** track the direct impact and reach of your advertisements and content across TikTok’s platform.
- **Industry benchmark reports**, which are created by combining your anonymized Event Data with information from other businesses to provide market insights. These reports reveal trends across industries and regions but do not identify individual users or businesses.

### Create and target custom audiences

On TikTok, you’re able to build audience segments based on how users interact with your website or app, such as visits, clicks, or conversions.

These segments, known as custom audiences, are created using data you provide and are for your exclusive use. TikTok prohibits selling or transferring these audiences to other businesses. The terms also state that the platform will not use these audiences for other advertisers unless you give explicit instructions to do so.

### Optimize TikTok personalized ads and content

TikTok correlates your Event Data with its internal user data to personalize ads and improve how your campaigns are delivered.

The platform may also aggregate your Event Data with information from other advertisers to enhance its own advertising system. However, TikTok states that no other business can target ads based solely on your Event Data.

### Match your customer contacts

You can reach your existing customers on TikTok by uploading their Contact Details, like email addresses or phone numbers. TikTok then matches this information against its user database to generate a list of Matched IDs. These matched records are then combined with Event Data to refine audience targeting and improve the accuracy of campaign performance metrics.

### Improve platform safety and integrity

TikTok uses Event Data and Developer Data to maintain safety and security across its products and services, including in its efforts to detect and prevent fraud. The platform also applies this data to research and development, to help enhance its features and deliver a better experience for both users and advertisers.

### Power developer tools

When your business uses TikTok’s developer tools — such as APIs or SDKs — TikTok uses Developer Data to support the specific functions those tools were designed to perform. That includes actions like logging users in, sharing content, or posting videos through your app.

## Role of cookies and tracking technologies

The TikTok Pixel uses both first- and [third-party cookies](https://usercentrics.com/knowledge-hub/tracking-cookies-and-the-gdpr/). These cookies connect user actions on your website to their activity on TikTok. They also support accurate performance measurement and help optimize how your ad campaigns are delivered.

Depending on your configuration settings and visitor preferences, these cookies can also support audience creation for retargeting and engagement purposes.

Some content management systems and tag or data management platforms have [officially supported integrations](https://ads.tiktok.com/help/article/using-cookies-with-tiktok-pixel?lang=en) with the TikTok Pixel. These include major platforms like Shopify, WooCommerce, Wordpress, BigCommerce, Google Tag Manager, and Tealium.

If you’re using a platform that isn’t directly supported, you can still implement TikTok cookies by manually adding the Pixel base code to your website.

TikTok cookies remain active for 13 months, beginning when they are first placed on a user’s browser or from the cookies’ most recent use, whichever is later.

## What does TikTok say about sensitive personal data?

TikTok prohibits businesses from sharing or providing access to any Business Products Data that they know — or should reasonably know — belongs or relates to minors, or that contains sensitive personal data.

“Sensitive” is a category of data under many privacy laws, and this information has greater security requirements and restrictions on collection and use.

This restriction applies regardless of whether the data has been collected intentionally or unintentionally, and includes data shared through tools like the Pixel, Events API, or uploaded contact lists.

TikTok defines children as:

- Anyone under the age of 13
- Anyone under the legal age of majority in their country or region who cannot legally consent to the processing of their Business Products Data under local law, where consent is required

Parental consent requirements may apply when collecting data from minors under relevant data privacy laws.

TikTok also prohibits businesses from sharing health, financial, or other sensitive categories of data. That includes anything defined as “sensitive” or “special category data” under applicable regional or federal privacy laws or industry standards.

Under the [Lead Generation Terms](https://ads.tiktok.com/i18n/official/policy/lead-gen-terms), your business must not:

- Collect Lead Generation Data from or about anyone under the age of 18 or the local age of legal majority, if higher
- Target lead forms to anyone under the age of 18 or the local age of legal majority, if higher
- Use Lead Generation Products to collect information that qualifies as sensitive or special category data under applicable regulations

> Read more about [sensitive data](https://usercentrics.com/knowledge-hub/sensitive-data-exposure/) under global data protection regulations.

## TikTok privacy policy requirements for businesses

TikTok’s Business Products (Data) Terms require any account that shares Business Products Data with the platform, or enables its access, to provide all transparency notices required by applicable laws.

This obligation applies whether you share Business Products Data:

- Directly, such as if your business uses tools that access or store information on users’ devices through tracking technologies. These could include the TikTok Pixel, cookies, APIs, or SDKs, collectively known as Device Data Collection Tools (DDCTs).

or

- Indirectly, such as by authorizing TikTok to integrate with your data provider, measurement partner, or data management platform.

TikTok also establishes specific privacy policy requirements when it comes to data shared through DDCTs.

If your business uses DDCTs, you must provide clear, accessible, and prominent notices to users regarding these tools about how data is collected and used. This notice must include:

- A statement that your website or app uses DDCTs operated by third parties, including TikTok, to collect information about how users interact with your site or app
- An explanation that the data collected is used to provide measurement services and/or for ad targeting
- Information on how users can opt out of this data collection and its use for ad targeting
- A description of where users can find the mechanism to exercise these choices
- Any additional information laid out in the Jurisdiction Specific Terms

For websites, TikTok requires that this privacy notice appears prominently on every page where DDCTs are active. For apps, the notice must be easy to find within your app settings and any on store or website where your app is distributed.

## Other data terms for businesses

In addition to the Business Products (Data) Terms, TikTok has additional terms that address specific data collection and usage scenarios. They apply in specific situations and may introduce additional responsibilities depending on how your business uses TikTok’s tools.

Here is a look at some of the terms that may apply.

### Jurisdiction Specific Terms

TikTok’s [Jurisdiction Specific Terms](https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms) apply when your use of TikTok Business Products involves data collected from users in certain regions.

These supplemental terms reflect local data privacy laws and may require your business to take additional steps, such as establishing a legal basis for processing, obtaining explicit consent, and enabling data subject rights.

The terms cover the following regions:

- **United States**, which includes a number of [state-level data privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/).
- **The European Union (EU)/European Economic Area (EEA), United Kingdom, and Switzerland**, which are governed by the following regional laws:
    - [EU General Data Protection Regulation (EU GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/)
    - [UK General Data Protection Regulation (UK-GDPR)](https://www.cookiebot.com/en/uk-gdpr/)
    - [Swiss Federal Act on Data Protection (FADP)](https://usercentrics.com/knowledge-hub/switzerland-federal-data-protection-act-fadp/)
- **Brazil**, which has the [Lei Geral de Proteção de Dados (LGPD)](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/)

The terms also include [**Japan**](https://usercentrics.com/knowledge-hub/japan-act-on-protection-of-personal-privacy-appi/). But unlike the other regions, where the applicable laws are specifically mentioned, the jurisdiction specific terms here apply when “using our TikTok Business Products in Japan.”

For the European region, the terms require you to establish a [legal basis for processing personal data](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/#legal-bases-and-legitimate-interest-in-the-general-data-protection-regulation-5) using DDCTs and to obtain all necessary and verifiable consents in accordance with the relevant laws.

> Read more about the [GDPR’s 7 conditions for valid consent](https://usercentrics.com/knowledge-hub/7-criteria-for-a-gdpr-compliant-consent/).

The Jurisdiction Specific Terms require you to publish a privacy notice describing your processing activities, including any joint processing.

These terms also contain specific information that must be included in your privacy notice — in addition to the requirements in the Business Products (Data) Terms and any other clauses you include — in accordance with the relevant regional laws.

### Lead Generation Terms

TikTok’s Lead Generation Terms apply when your business uses the platform’s lead generation products or services via TikTok for Business or TikTok Ads Manager. These products and services enable users to voluntarily submit their information to your business through customizable forms.

Under these terms, your business assumes full responsibility for processing all Lead Generation Data that users submit. You must provide required transparency notices and confirm that you have all necessary rights, permissions, and lawful bases — including consent where applicable — under relevant laws.

Each lead generation form must include:

- A link to your legally compliant privacy policy and a clear statement that your privacy policy governs lead generation data collection and processing
- All required consent or choice mechanisms, such as opt-outs, unsubscribe options, or consent withdrawal
- All necessary disclosures about offers, including qualification criteria, expiration dates, and redemption limits

TikTok places additional obligations on your business if you share Lead Generation Data with a vendor, such as a customer relationship management (CRM) provider:

- You acknowledge that the vendor is receiving data on your behalf
- You must ensure that data sharing complies with applicable laws and establish proper contracts where required
- Vendors may use the data only for the purposes you’ve authorized, and they must follow both TikTok’s requirements and your instructions
- In the US, vendors must be designated as your service provider or processor under applicable privacy laws

TikTok may process Lead Generation Data in accordance with the TikTok Privacy Policy for purposes such as autofilling future forms for users.

### Custom Audiences (Customer File) Terms

TikTok’s [Custom Audiences (Customer File) Terms](https://ads.tiktok.com/i18n/official/policy/custom-audience-terms) apply if your business uploads Contact Details to TikTok, such as email addresses or phone numbers. Custom audiences can be used for ad targeting, excluding users from ads, or creating lookalike audiences of TikTok ad users, among other things.

To upload and use the Contact Details for custom audience creation under these terms, you must have:

- All necessary rights, permissions, and lawful bases required by applicable laws
- Provided all legally required notices to the individuals whose data you are uploading

If you use TikTok’s Custom Audiences product for ad targeting, you must also:

- Provide the ability to opt out of ad targeting to individuals included in your Contact Details
- Remove any Contact Details belonging to users who have opted out, either before or after the data is uploaded
- Refrain from using any individual’s contact details for ad targeting if they opt out after their data has been uploaded to the Custom Audiences product

## How to align your business with privacy laws and TikTok privacy requirements

Businesses using TikTok’s advertising and marketing tools must develop comprehensive data handling practices that meet both requirements of relevant global privacy regulations and TikTok’s specific requirements.

> Read more about [social media compliance](https://usercentrics.com/guides/social-media-email-marketing-compliance/) for businesses.

### Update your privacy policy to meet TikTok’s disclosure requirements

Your privacy policy must clearly explain how your business uses TikTok’s tools and what that use means for your users’ personal data. Here is a non-exhaustive checklist of the required privacy policy disclosures for your TikTok business relationship:

- Describe how your business collects, uses, and shares personal data in connection with TikTok Business Products
- If you use tools that access or store data on user devices — such as the TikTok Pixel or SDKs — include:
    - A disclosure that your website or app uses third-party tracking technologies, including TikTok
    - A description of the types of data collected and how they are used, such as for measurement or ad targeting
    - Opt-out mechanisms where required by law
    - Clear, accessible links that enable users to exercise those choices
- Link to your privacy policy prominently on every webpage where you use tracking tools, and make it easily accessible within your app through settings or the app store listing
- Include direct links to [TikTok’s privacy policy](https://www.tiktok.com/legal/page/us/privacy-policy/en) and [cookie policy](https://www.tiktok.com/legal/page/global/tiktok-website-cookies-policy/en)
- Explain user rights under relevant data privacy laws, such as the right to object under the GDPR and the right to opt out under the CCPA/CPRA
- If you use TikTok ads for behavioral targeting, provide a “[Do Not Sell Or Share My Personal Information](https://usercentrics.com/guides/website-disclaimers/do-not-sell-my-personal-information/)” link for California users, as required by state law
- Explain how you obtain and use minors’ personal data and the requirements for valid parental or guardian’s consent, where required
- If you are a joint controller with TikTok under the GDPR, describe your responsibilities regarding users’ personal data
- Any additional information required by the Jurisdiction Specific Terms

### Meet consent and choice requirements under regional privacy laws

Before implementing tracking tools like the TikTok Pixel, your business must obtain all necessary and verifiable prior consents from users, particularly where required by laws like the GDPR and LGPD or other platform standards (such as Apple or Google platform terms).

Your [consent banner](https://usercentrics.com/knowledge-hub/cookie-banner/) via your [consent management platform (CMP)](https://usercentrics.com/knowledge-hub/consent-management-platforms/) must clearly explain how data will be used and give users the option to opt in or out, depending on jurisdiction.

You must also provide a clear way for users to opt out of data collection for ad targeting. If someone opts out, you must honor their choice, and avoid using their data for that purpose.

Where laws like the GDPR apply, your business is responsible for identifying a legal basis for every instance of personal data processing and sharing involving TikTok tools.

### Clarify your role as a data controller

Your legal relationship with TikTok depends on which tools you use and how you use them.

In some cases, your business may act as an independent controller of personal data. In others, you may be considered a joint controller with TikTok, such as when using the TikTok Business Products for measurement and insight reporting in the EU/EEA or UK.

You are responsible for determining which role applies to each data processing activity, and your privacy policy must accurately reflect this relationship. If you act as a joint controller with TikTok, the GDPR requires you to inform users of this arrangement and explain each party’s responsibilities for protecting personal data.

### Respect data prohibitions for minors and sensitive information

TikTok prohibits businesses from sharing or providing access to any Business Products Data that is either:

- Known to be from or about children under 13 (or the local age of majority)

or

- Considered sensitive personal data

Further, you may not use lead generation products to collect data from or target individuals under 18 or the local age of majority.

If your business operates a website or app that could attract minors, or collects data that could reasonably relate to individuals under 18, you may face additional legal requirements. These will depend on the data collected and user location and may include:

- Obtaining verifiable parental/guardian consent under laws like the [Children’s Online Privacy Protection Act (COPPA)](https://www.cookiebot.com/en/coppa-compliance-requirements-checklist/) in the US, which must be separately obtained for collecting and sharing data
- Obtaining explicit consent from a parent or legal guardian for users under 16 in the EU/EEA. EU member states can lower this to age 13
- Clearly describing in your privacy policy how data from minors is collected and used
- Using age verification methods when age affects eligibility or the type of data collected

When collecting personal data, practice [data minimization](https://usercentrics.com/knowledge-hub/data-minimization/) by collecting only the data necessary for your intended purpose. Doing so reduces the risk of handling prohibited or unnecessary data and helps support compliance with global privacy laws.

### Require vendors to meet TikTok’s requirements

If you share TikTok Lead Generation Data with vendors, such as customer relationship management (CRM) providers, you are responsible for setting clear obligations around how that data is handled. TikTok’s terms require that you:

- Confirm the vendor is acting on your behalf and using the data only for the purpose(s) you’ve authorized.
- In the US, designate vendors as your service providers or processors under applicable state privacy laws. This clarifies their role in your data processing activities and helps establish the legal framework for data sharing.
- Put appropriate contracts in place where required, such as a [Data Processing Agreement (DPA)](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/).
- Hold vendors to the same compliance obligations that apply to your own business under TikTok’s terms. (Many data privacy laws require privacy compliance and data processing requirements to be contractually agreed upon.)

### Implement appropriate data security measures

TikTok requires your business to protect Lead Generation Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. You must implement appropriate technical and organizational safeguards to secure any data you collect and share through lead generation forms.

Beyond TikTok’s requirements, most major data privacy laws make your business responsible for protecting any personal data it collects, processes, or shares, even after you’ve shared it with third parties like TikTok. These laws require reasonable security measures to be applied throughout the data lifecycle.

Any DPA you enter into with TikTok should require TikTok to apply the same security standards you use as a data controller.

### Respect purpose limitations

TikTok requires that your business use lead generation data only for the purposes specified at the time of collection. That use must also align with your privacy policy, the user’s consent, and any terms that applied when the data was collected. If you want to use the data for new purposes, you must obtain additional consent as per TikTok’s Lead Generation Terms.

-

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## Stripe privacy policy: Requirements for businesses

It’s easier than ever to make a purchase online. With a few clicks, you can add purchases to your cart, check out — even faster if you’ve saved your credit card details — and transaction complete.

Online payment processors power that experience for everything from shoe shopping to SaaS subscriptions. Stripe ranks second globally in market share, holding around [20.6 percent](https://www.statista.com/statistics/895236/australia-market-share-online-payment-platforms/) of the market as of April 2025.

For businesses, Stripe does more than process payments. The company also supports terminal transactions, invoicing, identity verification, card programs, and other services for businesses across industries.

If you’re a Stripe Business User — meaning you use Stripe’s services for your business — you’re sharing data with Stripe about your customers. In some cases, Stripe will also share data with you.

[Stripe’s privacy policy](https://stripe.com/privacy) governs what happens to the personal data you share, including how the platform uses it and shares it with third parties.

We look at what data Stripe collects, how it uses this data, and what steps you need to take to meet your legal obligations and be transparent with your customers.

## What data does Stripe collect?

When your business uses Stripe, the platform collects customer data to process payments, prevent fraud, and meet regulatory requirements.

### Transaction data

Stripe collects payment data from your customers during online or in-person transactions. This may include:

- Name and contact details, such as email addresses, phone numbers, and billing/shipping addresses
- Payment method details, such as credit/debit card numbers, bank account info, or card images
- Purchase amounts and transaction dates
- In some cases, information about what was purchased

Importantly, Stripe can begin collecting data before the customer clicks “Pay.” Stripe may collect information that customers type into your business’s checkout form even if the customer leaves the page without completing the purchase.

### Identity and verification information

Beyond standard payments, Stripe offers identity and fraud prevention services. If you use these services to verify a customer's identity, Stripe collects some information directly from your customer. This may include:

• Government-issued ID

• Selfie for biometric verification

• Personal data visible on physical payment methods, such as a credit card image

This level of data collection is not standard for every Stripe transaction and only applies if you use identity verification services. This may constitute collection of [sensitive personal data](https://usercentrics.com/knowledge-hub/sensitive-information-guide/), which brings added legal obligations under laws like the GDPR.

Stripe may also cross-check this data with other sources, such as public records, identity verification services, financial institutions, and previously collected data from other Stripe Business Users.

### Online activity

Stripe collects technical details about a customer's device, browser, and online actions when that customer uses Stripe on your website or app.

These details may include:

- **Device and browser details** including IP address, language settings, plug ins
- **Browsing behavior** like pages visited, time spent, referring URLs, link clicks
- **Activity signals** such as mouse movements or other engagement cues
- **Payment methods** used

This data collection happens through the Stripe scripts (like Stripe.js) and mobile software development kits (SDKs) that you install on your website or integrate into your app.

While this collection is standard on your checkout page, you might also use these scripts on other website pages or app screens for purposes like advanced fraud detection.

## How does Stripe use personal data?

Stripe uses personal data in the following ways to deliver its services to Business Users and, where permitted, for its own operational, security, legal, and marketing purposes.

### Payment processing and accounting

Stripe uses transaction data to process online payments, calculate taxes, handle invoices and disputes, and to support Business Users with revenue tracking and accounting tasks.

### Financial services

For Business Users offering financial products through Stripe, such as branded payment cards, Stripe collects and uses personal data to provide and manage those products. This includes to prevent misuse or fraud.

### Identity verification

Stripe uses identity-related personal data to verify users, prevent fraud, and improve security. Verification may involve:

- Comparing selfies with ID documents using biometric tools
- Verifying phone numbers via carrier data

### Fraud detection and prevention

Stripe collects and analyzes personal data to identify potentially fraudulent or harmful activity across its services. It also seeks to secure both personal data and funds against unauthorized access, use, alteration, or misappropriation.

Efforts include:

- Reviewing attempted transactions
- Using data obtained from you, your customers, public sources, and credit bureaus
- Receiving identifying information like IP addresses from third parties to assess risk

### Compliance with legal obligations

Stripe uses personal data to fulfil its contractual and legal obligations regarding anti-money laundering, Know Your Customer (KYC) laws, anti-terrorism activities, export control, and trade restriction requirements. They may monitor transactions and “other online signals“ to detect and identify potential money laundering or other illegal activity.

### Analyzing, improving, and developing services

Stripe uses personal data across its platform to improve and develop services and user experience. This use includes:

- Tracking usage and diagnosing issues through analytics and cookies
- Generating aggregate and statistical information to evaluate how people use their services
- Training AI models to prevent fraud and power its services
- Analyzing transaction data to reduce disputes and improve approval rates

### Communications

Stripe uses contact information to:

- Send service-related communications, such as authentication codes via SMS
- Provide updates about services and invite users to events, surveys, or user research
- Follow up after service inquiries or event participation
- Record calls, where legally permitted, for quality assurance, research, or compliance

### Social media and promotions

If users participate in promotions or offers, Stripe may use the personal data they provide — as well as any publicly available information — to manage those promotions or offers and for marketing purposes.

## Who does Stripe share personal data with?

Stripe shares personal data with a range of recipients to deliver services and fulfill legal, operational, and business requirements.

Third parties that Stripe shares data with include:

- **Business Users and their authorized partners:** You, the Business User, and any third-party services you explicitly authorize to access customer data
- **Financial partners:** Financial institutions that receive data to support services offered through Stripe, such as financing or payment products
- **App Marketplace developers:** Third-party developers who receive business data through Stripe when you install a Marketplace app and authorize sharing
- **Stripe affiliates:** Other entities within the Stripe group that receive data for purposes outlined in Stripe’s privacy policy
- **Service providers:** External vendors Stripe relies on for cloud infrastructure, analytics, security, identity verification, customer support, and auditing
- **Referral partners (with consent):** Third-party service providers that Stripe refers users to with prior consent
- **Corporate transaction participants:** Third parties involved in mergers, acquisitions, or other business restructuring transactions
- **Legal and regulatory authorities:** Courts, law enforcement, and government agencies that request data under applicable laws

### Does Stripe sell personal data?

Under many US privacy laws, the terms “sell” or “share” have a broad legal definition. They don't just mean exchanging data for money. They can also apply to providing data to partners, like advertising networks, in exchange for valuable services. Both terms often apply even when no money changes hands.

Stripe’s privacy policy states that it does not transfer personal data to third parties in exchange for payment. It also confirms that it does not sell or share sensitive personal information — such as government IDs or biometrics — for behavioral advertising.

However, the Stripe privacy policy also acknowledges that the company provides certain types of personal data to third party partners — including advertising partners, analytics providers, and social networks — to assist in advertising Stripe’s own products and services.

Since data is being exchanged for a service, this may be considered either “selling” or “sharing” data as those terms are defined under the [California Consumer Privacy Act (CCPA)](https://usercentrics.com/us/knowledge-hub/california-consumer-privacy-act/) / [California Privacy Rights Act (CPRA)](https://usercentrics.com/us/knowledge-hub/california-privacy-rights-act-cpra-enforcement-begins/) and other applicable US privacy laws.

In its [Privacy Center](https://stripe.com/legal/privacy-center), Stripe clarifies that it has “sold” or “shared” the following categories of personal information (as defined under the CCPA/CPRA) to third parties, including advertising partners, in the past 12 months:

- **Device and activity data** including device identifiers, browser and usage information across Stripe-enabled business websites
- **Geolocation data** such as general location inferred from IP addresses

## International data transfers

If your business uses Stripe, your customers’ personal data may be transferred to other countries, including the US. This can happen if your customers use an international payment method or financial partner service, or when Stripe or its service providers process data in other jurisdictions.

To carry out these data transfers in compliance with privacy laws, Stripe relies on mechanisms such as:

- The [EU-U.S. Data Privacy Framework](https://usercentrics.com/knowledge-hub/eu-us-data-privacy-framework/) for transfers between the EEA/EU and the US
- The [UK Extension to the EU-U.S. Data Privacy Framework](https://www.dataprivacyframework.gov/program-articles/FAQs%E2%80%93UK-Extension-to-the-EU%E2%80%93U.S.-Data-Privacy-Framework-(UK-Extension-to-the-EU%E2%80%93U.S.-DPF)) and the UK International Data Transfer Addendum for transfers between the UK and the US
- The [Swiss-US Data Privacy Framework](https://www.dataprivacyframework.gov/program-articles/FAQs%20%E2%80%93%20Swiss%E2%80%93U.S.-Data-Privacy-Framework-%28Swiss%E2%80%93U.S.-DPF%29-%281%E2%80%934%29) for transfers between Switzerland and the US
- Standard Contractual Clauses (SCCs) approved by the European Commission

Stripe may also rely on other alternative data transfer mechanisms approved by relevant privacy authorities to transfer personal data to a third country.

This means you are relying on Stripe's legal frameworks to lawfully transfer data. Your own [privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/) should inform your customers that their data may be processed in other countries, including the US.

## Jurisdiction-specific provisions in the Stripe privacy policy

Since Stripe operates globally, it must handle personal data in compliance with data privacy laws in different regions based on the location of the individuals whose data it processes. The Stripe privacy policy includes jurisdiction-specific provisions that reflect several data protection regulations, including:

- The EU’s [General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/)
- Brazil’s [Lei Geral de Proteção de Dados Pessoais (LGPD)](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/)
- Several Canadian privacy laws, including the federal [Personal Information Protection and Electronic Documents Act (PIPEDA)](https://usercentrics.com/knowledge-hub/canada-personal-information-protection-and-electronic-documents-act-pipeda/) and some provincial laws
- Switzerland’s [Federal Act on Data Protection (FADP)](https://usercentrics.com/knowledge-hub/switzerland-federal-data-protection-act-fadp/)

For end users in the US, Stripe applies both federal and [state-level privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/). The Stripe privacy policy states that US-based individuals have the right to opt out of the sale or sharing of their personal information and to limit how their sensitive personal information is used or shared.

If you send Stripe your customers’ personal data, you’re required to give customers a way to exercise those opt-out rights.

> Read more about [global privacy policies](https://usercentrics.com/knowledge-hub/global-privacy-policy/).

## Does Stripe require you to have a privacy policy?

Stripe's privacy policy states that you are directly responsible for making disclosures to your customers about your own data collection and use.

This means you must be transparent with your customers about how you use their personal data, which includes disclosing that you share it with Stripe. Typically, this is done through a privacy policy.

Stripe’s [data processing agreement (DPA)](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/) also requires transparency. [Stripe’s DPA](https://stripe.com/legal/dpa) covers both your obligations and Stripe’s regarding personal data processing. It explicitly obligates you to provide “all necessary information (including by means of offering a transparent and easily accessible public privacy notice).” In other words, a privacy policy.

## How to align your business with privacy laws and Stripe’s privacy requirements

As a business using Stripe, your data handling practices must meet the requirements of relevant global privacy regulations. Stripe includes many of these legal obligations as a formal part of your contract through its own specific terms.

### Meet consent requirements under global data privacy laws

Your DPA with Stripe requires you to have a valid legal basis for processing personal data. Where required by law, you must obtain all necessary consents from customers for both your own and Stripe’s data processing activities.

> Unsure about what type of consent you need? Learn the [differences between opt-in and opt-out consent](https://usercentrics.com/knowledge-hub/opt-out-vs-opt-in/) and which you need under different global privacy laws.

Under laws like the GDPR, you typically need to obtain explicit user consent before you collect individuals’ personal information.

While many US states use an opt-out consent model, generally prior consent is required if the data to be processed is categorized as sensitive or belongs to children. This is especially relevant if you use Stripe's identity verification services, as these can require processing sensitive personal data like biometric information.

You must provide a clear way for customers to opt out of the sale or sharing of their personal information even if it’s not considered sensitive. You must also provide a way to limit how their sensitive data is used where required by state law.

### Follow purpose limitation principles

If you receive data from Stripe, you can only use it for the specific purposes that you have disclosed to users in your privacy policy, and only if you have obtained the proper consent where required by law.

### Follow data minimization principles

Practice [data minimization](https://usercentrics.com/knowledge-hub/data-minimization/) by collecting only the personal data that is strictly necessary for your stated purpose. Doing so will help you comply with laws like the GDPR and avoid the risk of collecting or sharing data that is prohibited or unnecessary.

This principle is especially important for transaction data. Certain types of financial information are considered sensitive personal information under many US state privacy laws and are therefore subject to stricter rules.

### Be transparent with your users

Your privacy policy must clearly explain how your business uses Stripe’s business services and what that use means for your customers’ personal data. Below is a non-exhaustive checklist of what to include in your privacy policy.

- Describe how your business collects, uses, and shares personal data with Stripe and for what purposes. Note that Stripe may use the data according to its own privacy policy.
- Inform users that data shared with Stripe may be further shared by Stripe, including with its service providers or affiliates.
- Include links to Stripe’s privacy policy.
- If you use Stripe’s identity verification services, be explicit that customers may be required to share sensitive personal information with Stripe.
- Explain users’ rights under relevant laws and how they can exercise them, such as the right to object (under the GDPR) and the right to opt out (under the CCPA/CPRA).
- If you use tools that access or store data on user devices — such as the Stripe.js or SDKs — include:
    - A disclosure that your website or app uses third-party tracking technologies, including Stripe
    - A description of the types of data collected and how they are used
    - Opt-out mechanisms where required by law
    - Clear, accessible links that enable users to exercise those choices
- Share your contact details for users to reach out with any questions or concerns they may have about your data policies or their rights. Include information about your [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) if you have one, or any other qualified corporate privacy contact.

Your privacy policy must be written in clear, non-legal language for anyone to understand. It should also be easily accessible on your website or app. Most businesses share their privacy policies on the footer of their website, on their app’s menu, or both if applicable.

You are also responsible for keeping the policy up to date with changes to data protection laws, Stripe’s terms, or your own data handling practices.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## OpenAI ChatGPT privacy policy: requirements for business services

ChatGPT has quickly become a household name, with the platform’s weekly active users surging past [400 million](https://www.reuters.com/technology/artificial-intelligence/openais-weekly-active-users-surpass-400-million-2025-02-20/) in February 2025.

While individuals use the large language model (LLM) for everything from drafting emails to planning dinner menus, businesses are also integrating the technology into their workflows.

Many companies use ChatGPT Team or ChatGPT Enterprise plans, which connect them to business data to help teams work more efficiently. Others use the OpenAI API (application programming interface) to build AI-powered features like search or chatbots directly into their own products.

In August 2025, OpenAI, the company behind ChatGPT, announced it had [more than 5 million paying business users](https://x.com/bradlightcap/status/1951389149149405618).

If your business uses these services, you could be sharing employees’ or customers’ personal data with the platform. In those cases, ChatGPT’s [privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/) would not apply; that document applies only to personal data collected by ChatGPT from individual users.

Instead, any personal data shared by a business is covered by the [OpenAI Services Agreement](https://openai.com/policies/services-agreement/) and its [Data Processing Addendum (DPA)](https://openai.com/en-GB/policies/data-processing-addendum/).

In this guide, we look at what personal data OpenAI may collect from your business, how this data may be used, and your potential obligations under various data protection regulations.

## What personal data does OpenAI collect?

OpenAI’s services agreement and DPA don’t provide a definitive list of what personal data is collected. Exhibit A of the DPA — which is used to describe categories of data that may be transferred internationally — gives the clearest indication of what OpenAI might collect.

> Read more about [Data Processing Agreements (DPA)](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/).

These categories include:

- Name
- Contact information
- Demographic information
- Any other information a user provides in unstructured form

There are two types of data that may contain this information:

- **Customer data** refers to personal data that your business provides to OpenAI, and that OpenAI processes on your behalf to deliver services.
- **Business data** includes the inputs and outputs from ChatGPT Team, ChatGPT Enterprise, and the API Platform (as well as ChatGPT Edu).

This data is collected from several sources.

### Account setup for Team and Enterprise users

If your business uses ChatGPT Team or Enterprise, OpenAI may collect employee information necessary to register and manage their accounts under your organization’s workspace. For example, when your company purchases Enterprise licenses, each employee is provided with their own account. OpenAI collects data such as employees’ names and email addresses.

### Chats and integrations

Employees using ChatGPT Team or Enterprise might share personal data with OpenAI. This data can come directly from messages they write or from third-party software integrations.

For example, if you connect your account to customer relationship management (CRM) software and it sends customer data into a chat, OpenAI will receive and temporarily collect that information.

### API calls

Whether OpenAI collects personal data through the API depends entirely on what your product sends and receives. If users’ API inputs or the resulting outputs include personal data, OpenAI will receive and temporarily process that information. If neither the API inputs nor outputs contain personal data, OpenAI will not receive any.

## How does OpenAI use personal data?

OpenAI acts as a data processor under its DPA, which means it processes customer data under your instructions and on your behalf. The DPA outlines that this processing must be handled:

- Only for the purpose of delivering and supporting its services, including analytics, reporting, trust and safety monitoring, and abuse detection
- In compliance with your documented instructions
- In a manner that provides at least the level of privacy protection required by applicable data protection laws
- If legally required beyond these purposes, after OpenAI notifies you of this requirement, unless prohibited by law

Importantly, [OpenAI states](https://openai.com/enterprise-privacy/) that it does not use business data for model training or improvement unless you explicitly opt in.

OpenAI may process de-identified or aggregated data to improve service functionality, provided that this data cannot be linked back to individuals or used to reidentify customers. Businesses may permit or instruct OpenAI to process customer data in de-identified, anonymized, or aggregated form, subject to [US privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/).

Organizational data, company name, industry type, or internal policies are not by themselves ordinarily considered personal data under many global data protection regulations.

However, business data, which is defined as inputs and outputs, may include employees’ or customers’ personal data, in which case it is protected.

OpenAI may run business data through automated content classifiers and safety tools. These tools generate metadata about the content but do not contain the original business data itself.

Business data is subject to human review only under certain conditions. Access to business data is limited and depends on the service being used:

- For ChatGPT Enterprise, authorized OpenAI employees may access conversations only to resolve incidents, help recover user conversations with your explicit permission, or where required by law
- For ChatGPT Team and OpenAI API, access is restricted to specific scenarios:
    - OpenAI employees may access stored data for engineering support, to investigate potential abuse, or for legal compliance
    - In some cases, third-party contractors — who are subject to confidentiality and security obligations — may review conversations to identify misuse or abuse

## Does ChatGPT save user data?

Yes, OpenAI saves user data, but for how long and under what conditions depends on the specific service being used and whether it is customer data or business data.

### OpenAI API

Business data is retained for a maximum of 30 days for abuse monitoring before being deleted, unless legal obligations require more time. Businesses with a qualifying use case can also request [zero data retention (ZDR)](https://platform.openai.com/docs/guides/your-data) for eligible API endpoints.

Customer data is retained for the duration of your service agreement.

### ChatGPT Enterprise

Your workspace administrators control how long business data or conversation history is retained. Any business data in deleted conversations will be removed from OpenAI’s systems within 30 days, unless retention is legally required.

Customer data is retained for the duration of your service agreement.

The DPA states that OpenAI may continue to process de‑identified, anonymized, or aggregated versions of customer data after it's no longer considered personal data under applicable laws and if it cannot identify individuals.

### ChatGPT Team

Individual end users control how long conversation history is retained by choosing whether or not to save their chats. Any business data in conversations that are deleted or unsaved will be removed from OpenAI’s systems within 30 days, unless retention is legally required.

Customer data is retained for the duration of your service agreement.

As with Enterprise, the DPA states that OpenAI may continue to process de‑identified, anonymized, or aggregated versions of customer data after it's no longer considered personal data under applicable laws and cannot identify individuals.

## Who does OpenAI share personal data with?

OpenAI may share personal data with [third-party sub-processors](https://openai.com/policies/sub-processor-list/) to support the delivery and operation of its business services. According to the DPA, these sub-processors may carry out specific processing activities on OpenAI’s behalf or to help the company fulfill its contractual obligations to customers.

These sub-processors support several functions, including:

- **Cloud infrastructure:** Providers that supply the servers, storage, and computing resources OpenAI uses to host and operate its services
- **Data warehousing:** Services that store and manage large volumes of structured or unstructured data to support processing, retrieval, and analytics
- **Customer support:** Companies that help respond to user questions, resolve technical issues, and assist with account or service-related inquiries.
- **Content moderation:** Vendors that review and filter content to meet safety, legal, or policy standards
- **User authentication:** Services that verify user identities to manage secure access and protect accounts

According to the [OpenAI Law Enforcement User Data Request Policy](https://cdn.openai.com/trust-and-transparency/openai-law-enforcement-policy-v2024.07.pdf), OpenAI may also be required to disclose personal data to law enforcement authorities in response to a legally binding request. In those cases, OpenAI must notify the business unless it is legally prohibited from doing so. OpenAI states that it does not initiate such disclosures and shares data only when required in order to comply with legal obligations.

Additionally, certain OpenAI group entities may access customer data while providing technical or operational support. These affiliate companies are based in the United States, Ireland, the United Kingdom, and Japan.

## Are you required to have a privacy policy when using ChatGPT Team, Enterprise, or OpenAI API?

While OpenAI’s terms do not directly state that you must have a privacy policy, you do need one to fulfill contractual requirements and legal obligations.

The OpenAI Service Agreement requires your business to obtain and maintain all necessary consents from your end users to allow OpenAI to provide services. Fulfilling this requirement means you are responsible for making the disclosures needed to obtain consent. That includes informing users how their personal data will be handled, both by your organization and by OpenAI.

> Read more about the [GDPR’s 7 conditions for valid consent](https://usercentrics.com/knowledge-hub/7-criteria-for-a-gdpr-compliant-consent/).

Further, the DPA requires you to comply with applicable data protection laws, many of which mandate that businesses publish a privacy policy. Most also include an obligation of transparency, which requires you to inform users about your data practices in a way that is easy to understand. You can do this through a clear, accessible privacy policy that’s prominently linked, e.g. from your website footer or app menu.

## How to align your privacy policy with data protection laws and OpenAI’s privacy practices

If your business uses ChatGPT Team, Enterprise, or the OpenAI API, your privacy policy must explain how those uses affect your employees’ or customers’ personal data.

Below is a non-exhaustive checklist of what to include in a privacy policy.

- Describe what personal data your business collects and uses, how it shares that data with OpenAI, and for what purposes. Note that OpenAI may use the data according to the DPA.
- Disclose that personal data sent to OpenAI may be shared with third parties, such as its sub-processors and affiliate companies.
- Summarize the rights users have under applicable data privacy laws and how they can exercise those rights.
- Explain OpenAI’s policies on data retention, including how long personal data is stored and the conditions under which it is deleted.
- Provide contact details for users who have questions or concerns about your data practices. If you have a [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) or another designated privacy contact, include their information.

Your privacy policy must be written in simple, clear language that is easy to understand. It should be easily accessible, such as through a link in your website’s footer or within your application’s menu.

Finally, keep your privacy policy up to date. You are responsible for keeping it current and reflective of any changes to your data practices, OpenAI’s terms, or applicable privacy laws.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## Zoom privacy policy: A guide for businesses, educational institutions, and healthcare providers

Zoom has become deeply embedded in modern business communication. Companies use it for daily meetings, client presentations, webinars, training sessions, and industry conferences. Educational institutions use it for remote learning, and healthcare providers use it to deliver telehealth services.

Each of these uses involves sharing personal data with the platform. This data may belong to employees, clients, webinar attendees, students, patients — anyone that joins a Zoom call. And your business could be responsible for protecting it.

Zoom’s privacy policy applies only to personal data it collects from individual users. Any personal data shared by a business is covered by Zoom’s [Data Processing Addendum (DPA)](https://media.zoom.com/download/assets/zoom-global-dpa.pdf/dd327ebea27e11efb613d6ba63ed4cee) and [US State Law Privacy Addendum](https://explore.zoom.us/en/us-privacy-addendum/).

In this guide, we look at what personal data Zoom collects from business use, how this data may be used, and what obligations organizations may face under global data protection laws.

### What personal data does Zoom collect?

- **Zoom's role in business data:** Zoom serves as a data processor for organizations, handling personal data from employees, clients, students, and patients during meetings, webinars, and telehealth services.
- **Data Processing Addendum (DPA):** For business use, Zoom’s data handling is primarily governed by its Data Processing Addendum (DPA) and US State Law Privacy Addendum, which outline contractual obligations.
- **Categories of data collected:** Zoom collects various personal data, including account data, meeting participant details, device information, support data, and address book or calendar data.
- **Zoom as data controller:** Zoom acts as a data controller for its own business purposes, such as billing, legal obligations, abuse detection, and service improvement, without using customer data for third-party advertising.
- **Third-party data sharing:** Zoom shares data with third-party subprocessors for cloud services, AI features, content delivery, security, and other operational functions, which are all bound by DPA obligations.
- **International data transfers:** Personal data may be transferred internationally, with Zoom relying on adequacy agreements or other legal mechanisms like Standard Contractual Clauses (SCCs).
- **Industry-specific considerations and protections:** Educational institutions require a Children’s Educational Privacy Statement, and healthcare providers handling PHI need a Business Associate Agreement (BAA) with a "Zoom for Healthcare" plan to meet HIPAA requirements.
- **Organizational obligations:** Businesses must ensure compliance by obtaining consent where required, developing acceptable use policies, complying with BAA terms for HIPAA, and maintaining transparent privacy policies.

When your organization uses Zoom, the platform collects several categories of personal data related to your account and the activities conducted on it. This data is gathered from account holders, meeting participants, and the devices used to access Zoom’s services.

- **Account data:** Including names, email addresses, user IDs, profile pictures, and any other information a user adds to their profile
- **Meeting and webinar participant data:** Names, contact details, registration data, participant roles, tracking fields (such as “department”), and details about meeting times and topics
- **Device and diagnostic data:** Information about the devices used to connect to Zoom, such as IP addresses, device types, operating systems, network information, and the specifications of connected hardware like microphones and cameras
- **Support data:** Descriptions of technical problems, user contact information, feedback, and uploaded attachments
- **Address book and calendar data:** Contact lists and calendar entries from integrations with tools like Outlook or Google Calendar

Beyond these categories, Zoom also processes the content generated during meetings and webinars. This includes video, audio, chat messages, whiteboards, captions, transcriptions, presentations, polls, surveys, and Q&A sessions.

Depending on the nature of the discussion and the information shared by participants, this content could contain personal data.

## How Zoom uses personal data

Zoom handles personal data in two ways. In most situations, it acts as a data processor, managing data on behalf of your organization. In some cases, it acts as a data controller, using certain information for its own purposes.

> Read more about [Data Processing Agreements (DPA)](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/).

### Zoom’s personal data use when acting as processor

Under its DPA, Zoom primarily acts as a data processor, while your organization acts as data controller. This means Zoom is contractually obligated to handle personal data in line with your instructions in order to:

- Provide and update services
- Secure and monitor services
- Resolve technical issues
- Provide customer support

Zoom’s DPA does not specifically address its AI Companion features or the third-party AI models that power the feature. However, Zoom’s [documentation](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0057861) clarifies that customer content, such as audio, video, chat, screen sharing, attachments, poll results, whiteboards, and reactions, is not used to train Zoom’s own or third-party AI models.

According to the documentation, data generated through AI Companion interactions may still be accessed and processed. Zoom claims it uses this data to maintain service functionality, troubleshoot errors, and support users.

### Zoom’s personal data use when acting as controller

Zoom may act as a data controller when using personal data for its own legitimate business purposes. These purposes include:

- Billing and account management
- Meeting legal obligations
- Detecting abuse
- Applying pseudonymized data for analytics, reporting, and improving services

This means Zoom can determine how certain data is processed when it relates to running and maintaining its business operations.

The DPA explicitly states that Zoom does not process customer personal data for third-party advertising, direct marketing, profiling, research, or analytics purposes. Exceptions do include instances when processing:

- is required by customer instructions
- falls under the listed legitimate business purposes
- occurs within free, early access, or beta programs

## Who does Zoom share personal data with?

The DPA permits Zoom to use third-party [subprocessors](https://www.zoom.com/en/trust/subprocessors/) to process customer personal data on its behalf.

These subprocessors must follow the same obligations as Zoom under the DPA. That includes processing data only under your instructions as the controller, restricting access to trained and contractually bound personnel, reporting security breaches right away, and cooperating with Zoom in responding to requests from customers, data subjects, or regulators.

Zoom engages these subprocessors for a variety of operational functions, such as:

- **Cloud services:** Hosting and storing data in external environments, including call recordings and transcripts
- **AI features:** Supporting functions that process data to provide artificial intelligence tools within Zoom
- **Content delivery networks (CDNs):** Distributing meeting or webinar content across global servers, which may involve routing personal data through multiple locations
- **Security services:** Monitoring and protecting against threats to privacy or safety
- **Cookie and preference management:** Collecting user consent signals and preference data
- **Feedback, reviews, and surveys:** Gathering responses that often contain personal identifiers or opinions belonging to users
- **Notification services:** Delivering emails, reminders, or system alerts that require access to participant contact details

Zoom may also share personal data with third-party applications that organizations choose to integrate, such as apps approved by schools for student accounts. In these cases, the organization decides whether to grant access, but the data still leaves Zoom’s systems and goes to the external app.

## International data transfers

Zoom may transfer and process customer personal data to and in the United States and other countries where its affiliates, professional advisors, or authorized subprocessors are located.

Data transfers may also occur when an end user connects to Zoom services from a different location, such as during international travel. In each case, personal data moves across borders and becomes subject to different legal systems and regulations, which may not provide the same protections as the user’s country of origin.

Zoom states in its [privacy statement](https://www.zoom.com/en/trust/privacy/privacy-statement/) that it will carry out all such transfers in compliance with applicable data protection laws and the terms of its DPA.

Organizations based in the European Union, the European Economic Area, Switzerland, or the United Kingdom have specific compliance requirements. If personal data is sent to a country without an adequacy decision from the European Commission, the Swiss Federal Data Protection and Information Commissioner, or the UK Information Commissioner’s Office, Zoom relies on Standard Contractual Clauses (SCCs) for transferring the data lawfully.

This legal mechanism provides the necessary safeguards for the data as required by the respective data protection authorities in those regions.

## Using Zoom in industries with sensitive personal data

Educational institutions and healthcare providers that use Zoom face specific challenges related to sensitive personal data. Many global and regional data privacy laws provide special protections for this data, which your business must adhere to if it falls under either of these categories.

Because of the added risks, Zoom includes specific provisions for how its platform can be used in education and healthcare settings.

> Read more about protecting [sensitive personal data](https://usercentrics.com/knowledge-hub/sensitive-information-guide/).

### Educational use

When schools or other organizations use Zoom to provide educational services to students under the age of 18, Zoom’s [Children’s Educational Privacy Statement](https://www.zoom.com/en/trust/schools-privacy-statement/?lang=null) supplements the main DPA.

This statement adds to the terms in the DPA by describing how Zoom collects, uses, and discloses personal data from students.

While the personal data collected from students is largely the same as that of other users — including names, email addresses, meeting recordings, and chats — there are some types of personal data that are unique to an educational environment.

These may include contact lists that the educational service adds or allows students to access on their account, such as the names and email addresses of other students. It may also include calendar information, such as a class schedule or upcoming school events.

Zoom may use this data to:

- **Deliver educational services:** Such as providing schools with access to the platform, customizing products for classroom needs, and supplying customer support
- **Develop new features for schools:** including conducting product research and making improvements designed for educational environments
- **Authenticate and secure accounts:** Verifying student logins, preventing unauthorized access, and addressing potential safety risks
- **Meet legal obligations:** Such as responding to official requests and complying with applicable education or privacy regulations

Control over how this data is used ultimately belongs to the school or educational organization. Institutions may also approve third-party applications that gain access to personal data from student accounts, extending data sharing beyond Zoom itself.

In the US, specific federal laws apply to data belonging to minors. Under the [Children’s Online Privacy Protection Act (COPPA)](https://usercentrics.com/knowledge-hub/student-data-privacy-laws/#:~:text=for%20student%20privacy.-,Children%E2%80%99s%20Online%20Privacy%20Protection%20Act%20(COPPA),-As%20classrooms%20become), schools are responsible for obtaining verifiable parental consent before installing any third-party app that will be used by children under age 13 and that collects their data. Zoom’s terms explicitly place this obligation on the educational institution.

Under the [Family Educational Rights and Privacy Act (FERPA)](https://media.zoom.com/download/assets/zoom-ferpa-guide.pdf/f1ccb4f0afb011eeba61dab4b6f59d8c?ampDeviceId=8eb73d22-b737-4ded-ab77-df5df58eacd5&ampSessionId=1755840321687&_gl=1*8mhvzz*_gcl_au*MjAzOTkwMjUwMS4xNzU1ODQwMjIx*_ga*MTQ0MjA3MzY4NS4xNzU1ODQxODA1*_ga_L8TBF28DDX*czE3NTU4NTI5ODUkbzMkZzEkdDE3NTU4NTMwMTQkajMxJGwwJGgw), Zoom is considered a “school official” when providing services, which means it maintains student data solely on behalf of the school and cannot use it independently except as permitted by law. Zoom holds and manages student data on the school’s behalf and is limited to using that information only as directed by the institution or as otherwise allowed under the law.

> Read more about [student data privacy laws](https://usercentrics.com/knowledge-hub/student-data-privacy-laws/) around the world.

### Health information and HIPAA

The [Health Insurance Portability and Accountability Act (HIPAA)](https://usercentrics.com/knowledge-hub/health-insurance-portability-and-accountability-act-hipaa/) is a US federal law that sets strict rules for how healthcare providers and other covered entities handle protected health information (PHI). These rules cover the collection, use, and protection of PHI.

For organizations subject to HIPAA, Zoom’s standard DPA alone is not sufficient. HIPAA requires a specific contract known as a [Business Associate Agreement (BAA)](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0067751&cms_guid=false&lang=null) for vendors that handle PHI. Healthcare entities must also subscribe to a [Zoom for Healthcare](https://www.zoom.com/en/industry/healthcare/) plan and execute a separate BAA with Zoom.

Zoom’s [HIPAA compliance guide](https://kgrbaj.files.cmp.optimizely.com/download/assets/hipaa-compliance-guide.pdf/e34cc93867fd11ee98cd0e134a0acb97) highlights safeguards for PHI, such as enhanced security controls, access restrictions, data encryption, and authentication measures.

Zoom also provides account administrators with specific tools and features designed to help them configure the platform in line with their security and HIPAA compliance objectives.

These measures support HIPAA compliance, but the healthcare organization is still responsible for configuring and monitoring them.

### Health-related personal data under the GDPR

Health-related personal data is considered a special category of data under the [EU’s General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/) and receives additional protections. Importantly, processing of health data is prohibited under [Art 9. GDPR](https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/) unless certain conditions are met, such as if explicit consent from the data subject has been obtained, or if processing is needed for the provision of healthcare, or for public interest in public health.

Zoom does not have an equivalent to the HIPAA-mandated BAA when it comes to health data belonging to persons located in the EU/EEA, to whom the GDPR applies.

As a healthcare provider in the EU/EEA, you may be permitted to use Zoom for clinical consultations, but you must follow the GDPR’s rules for special category data. This includes identifying and documenting a valid [Art. 6 GDPR](https://gdpr.eu/article-6-how-to-process-personal-data-legally/) legal basis and an Art. 9 condition before processing health data.

[According to Zoom](https://www.zoom.com/en/trust/gdpr/), the platform supports GDPR compliance by providing technical and organizational safeguards, such as encryption, [data minimization](https://usercentrics.com/knowledge-hub/data-minimization/), and transparency tools.

These include:

- Enabling businesses to implement end-to-end encryption for meetings so that no provider or system may access the communications, including Zoom
- Implementing safeguards to prevent unauthorized persons from accessing a meeting
- Providing role-based user security
- Enabling admins to choose the [storage location](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0066473) for some of the data for their account, including cloud recordings, meeting transcripts, chat transcripts, and files

It is strongly advised to obtain legal advice before using Zoom for providing healthcare services in the EU/EEA.

> Read more about [GDPR sensitive personal data](https://usercentrics.com/knowledge-hub/gdpr-sensitive-personal-data/).

## How to align your business with privacy laws and Zoom’s privacy requirements

Organizations that use Zoom are responsible for handling personal data in a way that meets the standards set by global privacy laws in relevant jurisdictions and Zoom’s terms. Here are some steps your business can take.

### Consent requirements

Your organization must obtain explicit consent where required by law before processing personal data through Zoom. This obligation applies in several situations.

Under laws such as the GDPR and Brazil’s [Lei Geral de Proteção de Dados (LGPD)](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/), you must have a legitimate basis for processing personal data. Explicit consent is one of the accepted legal bases. Explicit consent may also be necessary for processing special category data like health information.

> Learn [seven conditions for valid consent](https://usercentrics.com/knowledge-hub/7-criteria-for-a-gdpr-compliant-consent/) under the GDPR.

In the US, [state-level data privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/) generally operate on an opt-out model, with some exceptions. However, these laws typically require prior opt-in consent when the data is classified as sensitive or if it belongs to a known minor. Federal laws like COPPA impose consent obligations on schools using Zoom with students. Under state privacy laws such as the [California Consumer Privacy Act (CCPA)](https://usercentrics.com/us/knowledge-hub/california-consumer-privacy-act/), you must give individuals a clear method to opt out of the sale or sharing of their personal information, even when it is not classified as sensitive. Where sensitive data is involved, you must also provide a way to limit how it is used and disclosed.

> Unsure about what type of consent you need? Learn the [differences between opt-in and opt-out consent](https://usercentrics.com/knowledge-hub/opt-out-vs-opt-in/) and which you need under different global privacy laws.

### Consider an acceptable use policy document for your business

An acceptable use policy (AUP) can set the rules for how employees — and students, if your organization is an educational institution — are permitted to use Zoom, including its AI features.

This document may include, among other things:

- What types of information can be discussed in meetings and how sensitive topics must be handled
- Which security and privacy settings must be enabled before hosting or joining calls
- Clear contact details for the IT or security team so users know where to turn with questions or to report issues

A well-defined AUP helps prevent users from inadvertently sharing sensitive data through insecure configurations or using AI features that haven’t been approved.

In addition to the AUP, you could also consider creating a Zoom privacy and security policy document with tips or checklists to help users use the platform securely.

Your business should work with privacy or security experts to draft a version tailored to your organization’s specific needs and legal obligations.

### Zoom’s Business Associate Agreement for HIPAA

If your business is subject to HIPAA or handles protected health information covered by HIPAA, you likely need a Business Associate Agreement with Zoom. Without a BAA, any use of Zoom for PHI could fall outside HIPAA’s requirements and expose your organization to liability.

After signing the BAA, you must also configure account and meeting settings in line with HIPAA safeguards. This includes enabling end-to-end encryption so patient data cannot be intercepted, and setting role-based permissions so only authorized users can view, download, or delete meeting content.

### Be transparent with users

If your business uses Zoom, your privacy policy must clearly explain how this affects employees, clients, patients, students, or anyone who attends a call or webinar your business hosts.

> Read more about [what a privacy policy is](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/), and why your business needs one.

Below is a non-exhaustive checklist of what to include in a Zoom privacy policy.

- Describe how your business collects, uses, and shares personal data with Zoom and for what purposes. Explain that Zoom may use collected data according to the DPA.
- Disclose that personal data processed in Zoom may be shared with third parties, including Zoom’s subprocessors or connected apps.
- Explain users’ rights under relevant privacy laws, such as the right to delete under the GDPR and the right to opt out under the CCPA/CPRA. Provide clear instructions on how users can exercise these rights.
- If you use personal data for behavioral targeting, provide a “[Do Not Sell Or Share My Personal Information](https://usercentrics.com/guides/website-disclaimers/do-not-sell-my-personal-information/)” link for California users, as required by state law.
- Provide a clear point of contact for any questions or concerns about your data practices. If your organization has a [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) or a designated privacy contact, include their information.

Your privacy policy must be written in clear, simple language that is easy for a general audience to understand. It should also be easy to find, such as through a persistent link in your website’s footer or within your application's settings menu.

Keep it updated to reflect any changes in your organization’s data practices, Zoom’s terms, or relevant privacy laws. If you host webinars, link to your privacy policy in the registration form and include it in confirmation emails.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

## Android privacy policy: What to include, where to publish, and how to create one for your Android app

There are more than 2 million Android apps available on the Google Play Store, and around 1,500 new ones are added every day. If you add an app to that growing list, you need to be aware of a few important terms and agreements regarding personal data collected from users:

- [Google Play Developer Distribution Agreement (DDA)](https://play.google/developer-distribution-agreement.html): This agreement defines your obligations as a developer and provides information on how Google may use personal data it obtains through your app.
- [Google Privacy Policy](https://policies.google.com/privacy): The DDA specifies that any personal data collected or used under the agreement is handled in accordance with Google’s Privacy Policy.
- [Firebase Data Processing and Security Terms](https://firebase.google.com/terms/data-processing-terms#5.-processing-of-data): These terms apply if you use Google's Firebase platform for app development.

Developers must also provide a privacy policy that complies with both Google’s requirements and the data protection laws that apply where users are located.

This article outlines how Google handles personal data, what responsibilities fall on developers, and what to include in your Android app’s privacy policy to meet both Google’s terms and broader data privacy laws.

### What data does Google collect from Android app users

- **Android privacy policy is required:** An Android privacy policy is essential for app developers to comply with Google Play Store requirements and global data privacy laws.
- **Google's data practices:** Google collects various usage data from Android devices and Google Play, which may be shared under specific circumstances, including with user consent or for legal compliance.
- **Developer responsibilities:** Developers must provide an easily accessible and clear privacy policy that is kept updated, and that details data collection, usage, sharing, security measures, and retention policies. It must follow specific requirements for location, format, etc.
- **Consequences of noncompliance:** Failure to comply with Android's privacy requirements can lead to app suspension, account termination, legal repercussions (including fines), and a loss of user trust.
- **Legal and platform alignment:** Compliance requires aligning data practices with both Google's terms and relevant data privacy laws.
- **Policy creation and provision:** Privacy policies should be created in conjunction with a data audit, drafted clearly, prominently displayed on the Google Play Store listing, within the app, and on any associated website, and kept up to date.
- **Minors’ data and consent:** Stricter requirements apply when handling data from minors, including specific parental consent obligations and clear disclosures.
- **Data safety section:** Developers must accurately complete Google Play’s Data safety section, ensuring it aligns with their app’s privacy policy, even if no user data is collected.

The Google DDA states that Google collects usage data from Google Play and Android devices to support its services and improve both the developer and user experience. This data provides insight into how your app, the Google Play ecosystem, and the devices themselves are being used.

According to Google’s Privacy Policy, this information may include, among other things:

- Device and network information, such as unique identifiers, browser and device types and settings, operating systems, application version numbers, app version in use, and mobile network details like the operator’s name and phone number
- Details about the interactions among a user’s apps, browsers, and devices, and Google’s services. These can include the user’s IP address, crash reports, system activity, and the date, time, and referrer URL of their request
- Information about which apps are installed on a user’s device when the user is signed into Google apps

## Who does Google share personal data with?

According to Google’s Privacy Policy, personal data may be shared in the following circumstances:

- When the user has explicitly agreed to the sharing. Google states that it will obtain explicit consent before sharing any [sensitive personal information](https://usercentrics.com/knowledge-hub/sensitive-information-guide/).
- With domain administrators if the user’s Google Account is managed by an organization like a school or workplace.
- For external processing, with Google’s affiliates or other trusted businesses or individuals who process data on Google’s behalf, under instructions and with confidentiality and security requirements.
- When necessary to comply with laws; enforce Google’s terms; detect or prevent fraud, security, or technical issues; or protect rights, property, or safety.

## What is an Android privacy policy for developers?

Google’s [Policy Center](https://support.google.com/googleplay/android-developer/answer/10144311) shares information on what Google requires from an Android app’s privacy policy, which must be published in the Google Play Console.

This requirement applies even if your app does not access any personal or sensitive user data.

This document, along with any in-app disclosures, must give a complete account of how your app collects, uses, and shares personal data. At a minimum, your [privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/) must cover:

- **Developer and contact details:** Information that identifies the developer and provides a point of contact or a way for users to submit privacy-related inquiries.
- **Description of data practices:** What categories of personal and sensitive data your app collects, how that data is used, and with whom it is shared.
- **Data handling measures:** A description of the procedures your app follows to keep personal and sensitive data secure.
- **Retention and deletion policies:** For how long you store user data and under what conditions it is deleted.

The policy document must be clearly labeled as a privacy policy. The name of the entity listed in your app store listing, whether that is a developer or a company, must also be named in the privacy policy itself.

Google also requires that the privacy policy be accessible at a live, publicly available URL. It cannot be geofenced, cannot be a PDF, and must be in a format that users cannot edit.

## Why developers must comply with Android’s privacy requirements

Failing to comply with Android’s privacy rules can lead to serious consequences. Legal risks, platform penalties, and reputational harm can threaten the viability of your app and business.

[Noncompliance can result in](https://support.google.com/googleplay/android-developer/answer/9899234?hl=en):

- **App suspension or removal:** If your app violates Google Play’s privacy requirements, it may be rejected during review or removed from the store entirely. Repeat violations may lead to the app’s suspension.
- **Loss of developer account:** Google may suspend or permanently ban developer accounts for repeated or serious policy violations. Account termination means losing access to Google Play entirely, along with all existing apps and the ability to publish new ones. That means you no longer have the ability to distribute Android apps.
- **Legal consequences:** Some of Google’s privacy requirements reflect legal obligations under laws such as the GDPR and the CCPA/CPRA. Failure to meet these obligations may result in regulatory investigations or fines.
- **Loss of user trust:** [Research shows](https://usercentrics.com/press/mobile-games-report/) that 40 percent of players will uninstall a mobile game if they have concerns about data privacy. Losing user trust leads to long-term business damage even when legal and platform penalties are avoided.

To stay in good standing, developers must not only follow Google’s privacy requirements but also keep all disclosures accurate and up to date.

## How to align your app data practices with privacy laws and Google’s privacy requirements

Developers that publish Android apps on the Google Play Store must handle personal data in compliance with both global privacy regulations and Google’s contractual requirements.

Here are some steps you can take to achieve and maintain compliance with both.

### Update your Android privacy policy to meet Google’s disclosure requirements

Your Android privacy policy must meet Google’s specific disclosure requirements and also comply with applicable data privacy laws based on where your users are located. This means your policy must account for various regulations, which may include:

- The [General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/) for users in the European Union (EU) and European Economic Area (EEA)
- The [United Kingdom General Data Protection Regulation (UK-GDPR)](https://www.cookiebot.com/en/uk-gdpr/) for users in the UK
- Multiple [US state-level data privacy laws](https://usercentrics.com/us/knowledge-hub/us-data-privacy-laws-by-state/), including the [California Consumer Privacy Act (CCPA)](https://usercentrics.com/us/knowledge-hub/california-consumer-privacy-act/) and [Children’s Online Privacy Protection Act (COPPA)](https://usercentrics.com/knowledge-hub/childrens-online-privacy-protection-act-coppa/)
- Canada’s [Personal Information Protection and Electronic Documents Act (PIPEDA)](https://usercentrics.com/knowledge-hub/canada-personal-information-protection-and-electronic-documents-act-pipeda/)
- Brazil’s [Lei Geral de Proteção de Dados Pessoais (LGPD)](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/)
- South Africa’s [Protection of Personal Information Act (POPIA)](https://usercentrics.com/knowledge-hub/south-africa-popia-protection-of-personal-information-act-overview/)
- Laws relevant in other jurisdictions where your app is available

> Read more about [global privacy policies](https://usercentrics.com/knowledge-hub/global-privacy-policy/).

Below is a non-exhaustive checklist of what must be disclosed in your Android privacy policy to meet Google’s requirements and most global regulations.

- Your business’s contact information and a method for users to submit privacy-related questions. If a [Data Protection Officer (DPO)](https://usercentrics.com/knowledge-hub/what-is-dpo-data-protection-officer/) or other designated privacy contact is appointed, include their information.
- Details about what personal and sensitive data your app collects, how it is used, and with whom it is shared.
- A disclosure stating that personal data sent to Google may be shared with third parties, such as its affiliate companies.
- A description of the steps your business takes to protect personal and sensitive data against misuse or unauthorized access.
- The amount of time user data is kept and an outline of the process for deletion, including how users can request their data to be removed.
- An explanation of user rights under applicable laws, such as the right to object under the GDPR or the right to opt out of data sales under the CCPA/CPRA.
- If you process data for targeted advertising, include a “[Do Not Sell Or Share My Personal Information](https://usercentrics.com/guides/website-disclaimers/do-not-sell-my-personal-information/)” link for California users, as required by law.
- A description of how the personal data of minors is collected and used, including the processes for obtaining valid parental or guardian consent where it is required.

If your app accesses, collects, uses, or shares personal and sensitive data in a way a user might not reasonably expect — for example, if it collects data in the background — you must adhere to stricter disclosure rules.

That means providing a clear disclosure within the app explaining what data is being accessed, collected, used, or shared. This disclosure must be presented immediately before any request for in-app user consent or runtime permissions.

For apps covered by [Google Play Families Policies](https://support.google.com/googleplay/android-developer/answer/9893335), you must disclose the collection of children’s data, including information gathered through application programming interfaces (APIs) and software development kits (SDKs). This includes information like authentication details, microphone and camera data, device identifiers, Android IDs, and advertising usage data.

Apps that provide anti-virus, anti-malware, or similar security features must publish a privacy policy that describes what data the app collects and transmits, the purposes for which it is used, and which parties may receive that data.

You must write your privacy policy in simple, clear language that is easy for a general user to understand. The privacy policy must be regularly updated to reflect any changes in your data handling practices, Google’s terms, or relevant privacy laws.

### Take additional precautions when handling minors’ data

If your app is directed at children or is likely to be used by anyone under 18, you’re responsible for meeting stricter legal requirements, even if minors aren’t your primary audience. Specific requirements depend on the geographic location of your users and the type of data your app processes.

Data protection laws may impose specific parental consent requirements when collecting information from minors.

In the US, COPPA requires businesses to obtain verifiable parental consent before collecting data from minors. You must obtain separate consent for data collection and data sharing activities.

In the EU, the GDPR requires explicit consent from a parent or legal guardian in order to collect data from minors under 16, though individual EU member states can lower this age threshold to 13.

Google also requires developers to disclose when their app collects personal or sensitive data from children, regardless of jurisdiction. Your privacy policy must transparently explain how you collect and use data from minors.

You must also implement age verification mechanisms when age determines data collection practices or service eligibility.

If there’s a chance your Android app collects personal data from anyone under 18, you must be prepared to meet these requirements.

### Meet consent requirements

Data protection laws in certain jurisdictions, like the EU and Brazil, require you to have a legal basis for processing personal data through your app. Explicit consent is one accepted legal basis.

These same laws often require explicit consent when you process sensitive personal data such as health information.

> Learn more about the [GDPR’s 7 conditions for valid consent](https://usercentrics.com/knowledge-hub/7-criteria-for-a-gdpr-compliant-consent/).

Most US state-level data privacy laws work on an opt-out model, but they do require prior opt-in consent when data is classified as sensitive or when it belongs to a known minor. COPPA, which is a federal regulation, also imposes consent obligations for personal data belonging to minors.

Some laws like the CCPA/CPRA require you to provide all users with a clear method to opt out of the sale or sharing of their personal data. When sensitive data is involved, your app must also provide users with a way to limit how that data is used or disclosed.

> Learn the [differences between opt-in and opt-out consent](https://usercentrics.com/knowledge-hub/opt-out-vs-opt-in/), and which type you need under different global privacy laws.

You are legally responsible for complying with all consent obligations in the regions where your app is available. A consent management platform (CMP) like the [Usercentrics App CMP](https://usercentrics.com/in-app-sdk/) can help you obtain, store, and signal the required consent.

If your app uses a CMP, the [consent banner](https://usercentrics.com/knowledge-hub/cookie-banner/) it displays must clearly state how personal data will be used and provide appropriate controls for users to opt in or out, depending on the legal requirements in their location.

> Learn about [mobile app consent](https://usercentrics.com/knowledge-hub/best-practices-for-mobile-app-consent/).

### Prominently display your Android privacy policy

Your Android app’s privacy policy must be easy to find. You are required to display it in all of the following locations:

- On your app’s Google Play Store listing
- Within the app itself, usually in the app’s menu
- On your app’s website, if one exists

On the website, the privacy policy must be linked from a persistent, easy to find location, like the footer, and clearly labeled using the term “privacy policy.”

Apps that require users to sign in or create an account should also include a link to the privacy policy from the login or sign-up page.

Google’s [app review guidance](https://support.google.com/googleplay/android-developer/answer/9859455) includes specific placement requirements for your Android privacy policy.

Apps that request access to sensitive permissions or data must include a privacy policy link both on the app store listing page and within the app itself.

Apps designed for children must link to a privacy policy on both the app store listing page and within the app, even if they do not collect any personal or sensitive user data.

In all cases, your privacy policy must be hosted on an active URL, apply specifically to your app, and address user privacy practices.

### Complete Google Play’s Data safety section

Google requires every app listed on the Play Store to include a [completed Data safety section](https://support.google.com/googleplay/android-developer/answer/10787469). This section must accurately describe what user data your app collects, how that data is used, and whether it is shared with third parties.

It is your responsibility as the developer to provide correct, complete information and to keep the section updated as your data practices change. The details you provide must align with your app’s privacy policy disclosures.

Even if your app does not collect any user data, you must still submit the form for this section and link to your privacy policy. In this case, you may state that your app does not collect or share user data.

### Practice purpose limitation

If your app handles personal and sensitive user data, you must limit its access, collection, use, and sharing. Data processing must be confined to purposes that directly support your app’s functionality and services, align with your stated purposes, and that the user might reasonably expect.

Your use of data must also reflect the scope of the user’s consent. If you wish to use the data for a new purpose not covered by the original consent, you must first obtain additional consent as required by applicable data privacy laws.

## How to create a privacy policy for your Android app

Before you draft your privacy policy, start with a data audit. Review your app’s features to identify what personal data you collect, how you process it, where it’s stored, and how you keep it secure. This includes data collected directly from users, through third-party SDKs, or via background permissions.

Once you understand your app’s data flows, you can create a privacy policy that accurately reflects your practices.

There are several ways to create your privacy policy. You can:

- Write it yourself if you have a strong grasp of data protection requirements and your app’s technical architecture.
- Work with a legal professional who can help you draft a policy tailored to your app’s features and your legal obligations.
- Use a [privacy policy generator](https://usercentrics.com/privacy-policy-generator/) to create a customized policy that reflects your app’s data collection and usage.

Do not copy a privacy policy from another website or app, as it will not reflect your own data practices and could expose you to legal risks.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

---

## Footer

### Products
- [Usercentrics Web CMP](https://usercentrics.com/website-consent-management/)
- [Usercentrics App CMP](https://usercentrics.com/in-app-sdk/)
- [Usercentrics CTV CMP](https://usercentrics.com/usercentrics-ctv-cmp/)
- [Usercentrics Privacy Policy Generator](https://usercentrics.com/privacy-policy-generator/)
- [Server-side Tagging Solution](https://usercentrics.com/server-side-tracking-solution/)
- [Usercentrics Preference Manager](https://usercentrics.com/preference-management/)
- [Audience Unlocker](https://usercentrics.com/audience-unlocker/)
- [Integrations](https://usercentrics.com/integrations/)
- [Web compliance scan](https://usercentrics.com/privacy-compliance-scanner/)
- [App compliance scan](https://usercentrics.com/app-data-privacy-audit/)
- [ROAS Calculator](https://usercentrics.com/roas-calculator/)

### Solutions
- [Data Privacy Regulatory Compliance](https://usercentrics.com/data-privacy-regulatory-compliance/)
- [Marketing Performance Optimization](https://usercentrics.com/marketing-performance-optimization/)
- [Migration](https://usercentrics.com/migration/)
- [Media & Publishing](https://usercentrics.com/media-publishing/)
- [Retail &amp; Ecommerce](https://usercentrics.com/retail-ecommerce/)
- [Banking, Finance &amp; Insurance](https://usercentrics.com/banking-finance-insurance/)
- [Healthcare & Pharmaceuticals](https://usercentrics.com/healthcare-pharmaceuticals/)
- [Gaming](https://usercentrics.com/gaming/)
- [Education](https://usercentrics.com/education/)
- [Automotive](https://usercentrics.com/automotive/)
- [Travel & Hospitality](https://usercentrics.com/travel/)

### Regulations
- [GDPR (EU)](https://usercentrics.com/gdpr/)
- [GDPR (UK)](https://usercentrics.com/uk-gdpr/)
- [CCPA (California)](https://usercentrics.com/ccpa/)
- [TCF v2.3 (IAB)](https://usercentrics.com/cmp-for-publishers/)
- [DMA (EU)](https://usercentrics.com/digital-markets-act-dma/)
- [Amazon Consent Signal](https://usercentrics.com/usercentrics-cmp-and-amazon-consent-signal/)
- [Google Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-google-consent-mode-v2/)
- [Microsoft UET Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-microsoft-consent-mode/)
- [Microsoft Clarity Consent Mode](https://usercentrics.com/usercentrics-cmp-and-microsoft-clarity-consent-mode/)
- [View all regulations](https://usercentrics.com/regulations-and-frameworks/)

### Resources
- [Blog](https://usercentrics.com/knowledge-hub/)
- [Whitepapers](https://usercentrics.com/whitepapers/)
- [Checklists](https://usercentrics.com/checklists/)
- [Courses](https://courses.usercentrics.com)
- [Case studies](https://usercentrics.com/case-studies/)
- [Privacy-Led Marketing](https://usercentrics.com/privacy-led-marketing/)
- [Events](https://usercentrics.com/webinar/)
- [CONSENTED podcast](https://usercentrics.com/consented/)
- [Guides](https://usercentrics.com/guides/)
- [Release notes](https://releases.usercentrics.com/en)
- [Developer documentation](https://usercentrics.com/docs/)
- [RFI template](https://usercentrics.com/resources/usercentrics-rfi-template/)
- [Customer directory](https://usercentrics.com/usercentrics-customer-directory/)

### Company
- [About us](https://usercentrics.com/about-us/)
- [Press](https://usercentrics.com/press/)
- [Our offices](https://usercentrics.com/contact/)
- [Trust center](https://trust.usercentrics.com/)
- [Careers](https://usercentrics.com/career/)
- [Open positions](https://apply.workable.com/usercentrics/)
- [Diversity and inclusion](https://usercentrics.com/dei/)

### Support
- [General support](https://support.usercentrics.com/hc/en-us)
- [Contact sales](https://usercentrics.com/book-a-consultation/)
- [Technical support](https://support.usercentrics.com/hc/en-us/requests/new)
- [Billing and account](https://support.usercentrics.com/hc/en-us/categories/12253804608156-Account-and-billing)
- [Suggest a feature](https://support.usercentrics.com/hc/en-us/requests/new?ticket_form_id=10610312381340)
- [Partner login](https://partnerportal.usercentrics.com/)
- [Partner program](https://usercentrics.com/partner-program-overview/)
- [Affiliate program](https://usercentrics.com/affiliates/)