qdrant.tech privacy policy — score 65/100 (medium risk)
Zuletzt analysiert
Dieser Bericht ist älter als 28 Tage. Er zeigt die zuletzt gespeicherte Analyse für diese Richtlinie — aktualisiere, um die Live-Seite neu abzurufen und den Score zu aktualisieren.
Der Berichtsinhalt (Zusammenfassung, Befunde, Zitate) wurde auf Englisch erstellt und ist nicht lokalisiert.
Berichtsdetails
medium RisikoQdrant’s policy leans heavily on legitimate‑interest and US third‑party transfers, gives consent options for newsletters, but lacks clear limits on data collection and any mention of AI model training, making it only moderately privacy‑friendly.
The privacy policy provides the required legal bases and lists many processors, but it often relies on legitimate interest for core website functions, gives vague retention periods, and does not disclose whether user data is used to train AI models. International transfers are covered by SCCs and the EU‑US Data Privacy Framework, yet the reliance on US providers remains a risk. User rights are described, but practical mechanisms (e.g., easy withdrawal of consent, DPO contact process) are not detailed.
Kategoriebewertung
Aufschlüsselung der Richtlinie nach zentralen Compliance-Bereichen. Gut = stark, mittel = gemischt, schlecht = bedenklich.
The policy does not specify limits on the amount of data collected; it lists many data points (IP, browser details, usage logs) collected by default.
Legal bases are listed, but the description of processing purposes is generic and does not detail profiling or AI model training.
Numerous third parties (HubSpot, Segment, Google Analytics, Mixpanel, Stripe, Netlify) are used, many based outside the EEA, with reliance on SCCs.
Transfers are covered by SCCs and the EU‑US Data Privacy Framework, but the policy lacks per‑processor risk assessments.
No mention of whether personal data is used to train Qdrant’s AI models or how users can opt‑out.
Rights are enumerated (access, rectification, erasure, portability, objection) and contact details for the DPO are provided.
Wichtigste Befunde
Bemerkenswerte Klauseln, Probleme oder positive Praktiken (kritische zuerst)
No disclosure of AI or model‑training usage
The policy never mentions whether personal data collected via the website or cloud service is used to train or improve Qdrant’s AI models, leaving a significant transparency gap.
Extensive reliance on legitimate interest for core website functions
The policy states that IP address, browser details, and other log data are processed on the basis of Art. 6(1)(f) GDPR as a legitimate interest, without offering a clear opt‑out mechanism for users.
Broad international data transfers to US providers
Multiple US‑based processors (HubSpot, Segment, Google Analytics, Mixpanel, OneTrust, Netlify) are used, with transfers justified by standard contractual clauses or the EU‑US Data Privacy Framework, but the policy does not disclose specific safeguards per processor.
Vague data retention periods for many categories
While log files are deleted after 14 days and IPs after 90 days, other data (e.g., newsletter contacts, customer accounts) have no explicit retention schedule, relying on “as long as necessary” language.
Consent management for newsletters is described, but the revocation process is unclear
The policy says consent can be revoked by clicking a link or emailing, but does not specify how quickly the revocation is processed or whether it automatically stops all marketing communications.
Fazit für Nutzer
Your data may be shared with many US‑based services (e.g., HubSpot, Google Analytics, Mixpanel) under standard contractual clauses; you can object to direct marketing, but the policy does not clearly explain how your data might be used for AI training or profiling beyond marketing.
Compliance-Posture
Mixed – the policy meets many formal GDPR requirements (legal bases, rights, DPO contact) but falls short on transparency about data minimisation, purpose limitation, and AI usage.
EU-Übermittlungen
Transfers to the US are justified by SCCs and the EU‑US Data Privacy Framework, but the policy does not provide detailed safeguards for each processor, nor does it offer an easy way for data subjects to object to such transfers.
Erkannte Signale
Konkrete Datenpunkte und Praktiken im Text identifiziert
Textbelege
Direkte Zitate aus der Richtlinie, die diese Befunde stützen
During the informative use of the website, ... we collect the personal data that the browser transmits to our server ... This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
We use HubSpot to manage leads ... The provider processes usage data ... in the EU. The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR.
We use Google Analytics for analytics. ... The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent.
Data subjects have the following rights ... Right of access, Right to correction or deletion, Right to limit processing, Right to object ...
The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred ... is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR).
Fehlend oder unklar
- Explicit statement on whether personal data is used for AI model training or improvement
- Detailed retention periods for non‑log data (e.g., newsletter contacts, customer accounts)
- Clear opt‑out mechanism for legitimate‑interest processing of website logs
- Information on profiling beyond direct marketing
Fragen zum Nachfragen
- Do you use any of the collected personal data (including log data) to train or improve Qdrant’s AI models, and if so, can users opt‑out?
- What specific safeguards (technical or contractual) are in place for each US‑based processor beyond the generic SCCs?
- How is consent for analytics (Google Analytics, Mixpanel, etc.) obtained and recorded, and can users withdraw it easily?
- Can you provide a detailed retention schedule for each data category (e.g., newsletter subscribers, customer accounts, payment data)?
- Is there a mechanism for users to object to the legitimate‑interest processing of website logs, and how is that request handled?
Diese Analyse teilen
Jeder mit diesem Link kann das Ergebnis oben einsehen.
Entwickelt von DentroChat
100 % europäischer KI-Chat für alle
Chatte mit KI, arbeite mit Dateien, generiere Bilder und suche im Web. Daten bleiben in Europa.