tella.com privacy policy — score 55/100 (medium risk)
Zuletzt analysiert
Der Berichtsinhalt (Zusammenfassung, Befunde, Zitate) wurde auf Englisch erstellt und ist nicht lokalisiert.
Tella HQ Inc. · tella.com
Berichtsdetails
medium RisikoTella collects sensitive video data and shares it with numerous US-based AI and analytics providers without clearly stating if your data trains their models, making it a mixed bag for EU users.
The policy is relatively transparent about data categories and legal bases, correctly identifying video recordings as special category data requiring explicit consent. However, it suffers from significant gaps regarding AI sub-processors, contradictory language on profiling, and a massive list of US-based third parties receiving EU user data, including biometric and video content. While Standard Contractual Clauses are mentioned for international transfers, the scope of data sharing with AI companies without explicit model training opt-outs is a major concern.
Kategoriebewertung
Aufschlüsselung der Richtlinie nach zentralen Compliance-Bereichen. Gut = stark, mittel = gemischt, schlecht = bedenklich.
Collects necessary account and support data, but the breadth of analytics tracking and sending video content to multiple AI providers pushes the boundaries of minimization.
The policy lists purposes and legal bases clearly, but uses confusing terminology regarding profiling and completely omits whether AI providers use data for model training.
An exceptionally long list of sub-processors, predominantly US-based, handle user data, including highly sensitive video content analyzed by AI companies.
Data is stored in the US and shared with over 20 US-based sub-processors; while SCCs are mentioned, the scale of US transfers for special category data is concerning.
The policy is completely silent on whether user data (especially video transcriptions and summaries) is used to train third-party AI models, which is a critical gap.
GDPR rights are clearly listed with specific explanations, contact details are provided, and the response window complies with the one-month statutory limit.
Wichtigste Befunde
Bemerkenswerte Klauseln, Probleme oder positive Praktiken (kritische zuerst)
AI Sub-processor Ambiguity on Model Training
The policy lists several AI providers (Anthropic, OpenAI, AssemblyAI) for analyzing, summarizing, and transcribing video content, but it fails to explicitly state whether these third parties use the input data to train their own AI models. This is a major red flag under the GDPR principle of purpose limitation and data minimization, especially for special category data.
Contradictory Profiling Claims
Section 3.5 explicitly lists 'Profiling for our research, development and improvement of our Services' as a purpose based on legitimate interest, while Section 5 claims 'We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.' This creates confusion about what kind of profiling is actually occurring and whether it goes beyond Article 22.
Extensive US Transfers of Special Category Data
The vast majority of sub-processors are located in the United States, meaning EU user data, including special category video data, is heavily transferred out of the EEA. While Standard Contractual Clauses are mentioned, the volume and nature of these transfers present significant privacy risks given the US surveillance landscape.
Special Category Data Handling
The policy correctly identifies video recordings (facial image, voice) as special category data and relies on explicit consent (Article 9 GDPR) for consumer accounts, which is appropriate, but requires strict verification that consent is genuinely obtained before processing begins.
Fazit für Nutzer
Your video recordings, including your face and voice, are processed by Tella and sent to US-based AI companies like OpenAI and Anthropic for transcription and summarization. It is unclear if these AI companies use your videos to train their models.
Compliance-Posture
mixed
EU-Übermittlungen
poor
Erkannte Signale
Konkrete Datenpunkte und Praktiken im Text identifiziert
Textbelege
Direkte Zitate aus der Richtlinie, die diese Befunde stützen
Anthropic (Anthropic PBC) Location: United States Purpose: To analyse and summarise video content created with Tella.
3.5. Website analytics data... Purpose: Profiling for our research, development and improvement of our Services. Legal basis: Necessary for the purpose of our legitimate interests...
We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
If we share your personal data in accordance with this Tella Privacy Policy within group, or with a third party located outside the European Economic Area, we ensure where required that appropriate safeguards are in place... particularly by signing the Standard Contractual Clauses
Fehlend oder unklar
- AI model training opt-out
- Data Protection Impact Assessment (DPIA) summary
- Cookie consent details
- Anonymization or pseudonymization strategies for analytics
Fragen zum Nachfragen
- Do your agreements with AI sub-processors like OpenAI and Anthropic explicitly prohibit the use of Tella customer data for training their foundation models?
- What specific profiling activities are occurring under Section 3.5, and how do they differ from the Article 22 profiling denied in Section 5?
- How exactly is explicit consent collected from consumer users before their facial image and voice (special category data) in video recordings are processed and sent to third parties?
- Have Data Protection Impact Assessments (DPIAs) been conducted for the processing of special category video data and its transfer to US-based AI providers?
Diese Analyse teilen
Jeder mit diesem Link kann das Ergebnis oben einsehen.
Entwickelt von DentroChat
100 % europäischer KI-Chat für alle
Chatte mit KI, arbeite mit Dateien, generiere Bilder und suche im Web. Daten bleiben in Europa.