langdock.com privacy policy — score 78/100 (low risk)
Sidst analyseret
Rapportindholdet (resumé, fund, citater) er genereret på engelsk og er ikke lokaliseret.
Langdock GmbH · langdock.com
Rapportdetaljer
low risikoLangdock is a privacy-conscious EU-based AI platform that explicitly bans using your content to train AI models and keeps data in the EU, though it relies on some US sub-processors and has vague retention periods in places.
Langdock GmbH's privacy policy is well-structured and GDPR-aligned, with strong commitments on AI training and EU data residency. Key strengths include a clear processor role for workspace content, an explicit no-AI-training pledge, and appointed DPO. Weaknesses include reliance on US providers (Microsoft, Google) with only generic safeguard references, vague retention periods for several categories, and a sub-processor list that is referenced but not included in the policy text itself.
Vurdering pr. kategori
Opdeling af politikken på vigtige compliance-områder. God = stærk, rimelig = blandet, dårlig = bekymrende.
Each processing purpose lists specific data categories; telemetry is explicitly anonymized and aggregated, and payment data is offloaded to Stripe.
Legal basis is cited for every processing activity with clear purpose descriptions; however, the sub-processor list is externalized to the Trust Center and not embedded in the policy.
Key sub-processors like Microsoft, Google, and Stripe are named, but the full list is only available via an external link; a merger/acquisition data sharing clause is broad.
Commits to EU-based processing as a rule, but allows third-country transfers 'in rare cases' with standard safeguards; the use of US cloud providers creates an inherent transfer risk not fully quantified.
Explicitly states 'Your data is not used for training AI models' and that content is processed solely to provide contracted services under the DPA.
All standard GDPR rights are listed with clear descriptions, contact email, and the specific supervisory authority (Berlin DPA) is named.
Vigtige fund
Bemærkelsesværdige klausuler, problemer eller gode praksisser (kritiske først)
Sub-processor list externalized and not in policy text
The policy references a sub-processor list in the Trust Center but does not include it inline. Users must navigate externally to see who processes their data. The named providers (Microsoft, Google, Stripe) are US-based, implying international transfers that are not individually detailed.
Vague retention periods for several data categories
While some retention periods are specific (30 days post-contract for user accounts, 10 years for billing, 6 months for job applications), others rely on vague language like 'after the expiration of the statutory retention periods for business communications' without specifying the duration.
Merger and acquisition data sharing clause is broad
Section 3(b) allows data sharing with prospective or actual acquirers and their advisors in M&A scenarios, subject only to confidentiality obligations and necessity. No specific safeguards like prior notification or consent are mentioned.
Explicit no-AI-training commitment
Section 2(g) states unambiguously that user content (chats, projects) is not used for training AI models. This is a strong privacy-positive commitment that addresses a key concern for AI platforms.
Legitimate interest used for product emails to existing users
Section 2(e) uses legitimate interest (Art. 6(1)(f) GDPR + Section 7(3) UWG) to send product update emails to registered users unless they object. This is a soft opt-out approach rather than explicit consent, which is permissible under German law but less privacy-protective than opt-in.
Telemetry data claims of non-personal nature are unverified
Section 2(g) claims telemetry data 'does not allow any conclusions to be drawn about individual persons' and 'never contains personal data,' but aggregated usage statistics and error messages tied to sessions could potentially be re-identifying, especially for small workspaces.
Automated decision-making with human review safeguard
Section 5 acknowledges that bot/spam detection may constitute Art. 22 GDPR automated decisions with significant effect, but provides a clear human review mechanism via support@langdock.com. This is a well-handled disclosure.
Resumé til brugeren
Your chat and workflow content on Langdock is NOT used to train AI models, and your employer (not Langdock) controls that data. However, some of your account and billing data flows to US-based sub-processors like Microsoft and Google.
Compliance-stilling
Strong GDPR compliance posture with DPO appointed, ISO 27001 and SOC 2 Type II certifications, and clear legal basis citations for every processing activity. Minor gaps in sub-processor transparency and retention specificity.
EU-overførsler
Data is generally processed in the EU, but transfers to third countries can occur 'in rare cases' using SCCs, adequacy decisions, or the EU-U.S. Data Privacy Framework. The use of Microsoft and Google as sub-processors likely involves some US transfers, which is not fully detailed.
Registrerede signaler
Specifikke datapunkter og praksisser identificeret i teksten
Bevisuddrag
Direkte citater fra politikken, der understøtter disse fund
Your data is not used for training AI models.
As a general rule, we process personal data on servers within the European Union. In rare cases, particularly when services are not available in the EU or when you are located outside the EU and contact us, data may be transferred to 'third countries' outside the EU or the European Economic Area.
We delete your user account and associated data upon request or no later than within 30 days after termination of the contractual relationship, unless statutory retention obligations apply.
The processors used in the Langdock platform can be found in our list of sub-processors in our Trust Center.
In the context of a merger, acquisition, or sale, data may also be shared with the prospective or actual acquirer and their advisors. Such disclosure occurs only to the extent necessary and subject to confidentiality obligations.
Mangler eller uklart
- Full sub-processor list with transfer mechanisms for each
- Specific retention periods for support communications and social media data
- Details on which third-country transfers actually occur and with which providers
- Cookie categories and specific cookies used
- Data breach notification procedures
- DPIA (Data Protection Impact Assessment) references
- Specific details on encryption standards used
Spørgsmål at stille
- Which sub-processors process data outside the EU, and what specific transfer mechanisms (SCCs, DPF certification) are in place for each?
- What are the exact retention periods for support communications, social media messages, and telemetry data?
- How is telemetry data anonymized, and has a re-identification risk assessment been conducted, especially for small workspaces?
- In the event of an M&A transaction, will data subjects be notified before their data is shared with the acquirer?
- What specific cookies and tracking technologies are currently deployed on the website beyond technically necessary ones?
- How quickly does Langdock respond to data subject rights requests (access, deletion, portability), and is there an automated self-service mechanism?
Del denne analyse
Alle med dette link kan se resultatet ovenfor.
Bygget af DentroChat
100 % europæisk AI-chat for alle
Chat med AI, arbejd med filer, generer billeder og søg på nettet. Data forbliver i Europa.