Hey — welcome to Drift Intel.
Every week, StackDrift's monitoring system scans the Terms of Service, Privacy Policies, and Pricing pages of the vendors you depend on. When something changes, we break it down so you don't have to hire a lawyer (or become one).
This week: Google got creative with jurisdictions, and Stripe discovered it really, really wants your biometric data.
Let's get into it.
🔴 Google Gemini — "We're Moving. Don't Worry About It."
What changed: Google Gemini's Terms of Service quietly switched from Canadian jurisdiction to US jurisdiction.
Why you should care: If you're building on top of Gemini's API, your legal protections just got a haircut. Here's the damage:
- Liability caps dropped from $500 / 125% of fees down to $200 / 100% of fees. So if something goes wrong, Google's maximum responsibility to you just got cut by more than half.
- Warranty protections removed. Google dropped their "reasonable skill and care" commitment in favour of stricter "as is" disclaimers. Translation: you get what you get.
- Indemnification protections weakened. Some business user protections around damages were quietly removed.
The vibe: Google basically moved your lease to a cheaper apartment and said "same thing, basically."
What to do: If you're using Gemini for anything business-critical, review your risk exposure. The liability cap change alone means you might want a backup AI provider — or at least a conversation with your insurance about the gap.
🟡 Stripe — "We'd Like to Know You Better. Much Better."
What changed: Stripe's Privacy Policy got a significant update covering data collection, processing, and partner sharing.
Why you should care:
- Expanded data collection — Stripe broadened what qualifies as collected data, including new credit card service categories.
- Biometric data processing — New language around processing biometric data. Yes, that word means what you think it means.
- Broader Financial Partner sharing — The circle of who Stripe can share data with just got wider.
The vibe: Stripe went from "we process your payments" to "we process your payments and also here's everything else we'd like to know about you and your customers."
What to do: If you're passing customer data through Stripe (and you probably are), check your own Privacy Policy. Under GDPR and PIPEDA, you need to disclose what your processors do with data. If Stripe expanded their processing and you haven't updated your disclosures, that's a compliance gap — and it's on you, not Stripe.
This Week in Numbers
| Metric | Count |
|---|---|
| Vendors scanned | 29 |
| Documents monitored | 97 |
| Changes detected | 20 |
| Stable (no changes) | 21 |
The Takeaway
Vendors change the rules constantly. Most of the time it's formatting and typos. But sometimes it's a jurisdiction shift that halves your liability protection, or a data policy change that creates a compliance gap you didn't know you had.
That's why we built StackDrift — so you catch these before they catch you.
Want the full breakdown? Sign up for early access and get severity-scored monitoring across your entire vendor stack.
Found this useful? Forward it to a founder who's too busy to read TOS (so... every founder). Got a vendor you want us to track?
See you next time.
Trish @ StackDrift



