There is a history of international legal action as a result of them violating privacy laws, nevermind being privacy friendly:

France’s data protection regulator (CNIL) fined Google €325 million in 2025 for displaying ads between Gmail messages without consent and for placing cookies during account creation without consent. This is on top of prior fines of €100 million in 2020 and €150 million in 2021 for cookie violations, so this is a documented pattern.

The Dutch government commissioned Data Protection Impact Assessments (DPIAs) on Office/Microsoft 365. The 2018 report found Microsoft collected 23,000–25,000 different telemetry events from Office and called it “large scale and covert collection of personal data”

The FTC went after Zoom in 2020. The complaint alleged that since at least 2016, Zoom misled users by claiming “end-to-end, 256-bit encryption” when it actually provided a lower level of security, and Zoom saved the cryptographic keys that would allow it to access the content of customers’ meetings.

You could also just go read their own policy documents, or ask AI to explain what is possible under those to you if they are too dense.