eustella.com privacy policy — score 87/100 (low risk)

Last analysed

The report content (summary, findings, excerpts) was generated in English and has not been translated.

Report details

Risk: low

eustella publishes a strongly EU-aligned privacy policy that explicitly bans AI training on user data and keeps all processing in the EU, but it is undermined by an internal contradiction over mandatory account fields and the unexplained absence of a Data Protection Officer.

eustella's policy is a privacy-first document that explicitly prohibits using customer data for AI model training, pledges to keep all data within the EU, and relies on EU-hosted infrastructure and sub-processors. It provides clear legal bases under GDPR, detailed retention schedules, and granular user controls over personalisation. However, the policy contradicts itself on whether date of birth is required at sign-up, does not name its payment processor, and omits any mention of a Data Protection Officer despite the scale and sensitivity of processing.

Last analysed
Source: URL
Length: 24,460 characters

Assessment by category

Analysis of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimization: fair

The policy avoids sensitive data by design and does not use data for advertising, but it mandates date of birth for age verification while admitting such verification is technically impossible, and it contradicts itself on whether DOB is a required account field versus only name, email, and password.

Transparency: good

The document is written in plain language with specific GDPR legal bases, retention periods, and sub-processor disclosures, though it is undermined by the conflicting account-creation requirements and the failure to name the payment provider.

Third-party Sharing: good

Sharing is kept to a minimum with EU-based infrastructure providers, an EU-hosted analytics processor (PostHog), and professional advisors, but the unnamed payment processor and lack of detail on open-source LLM provenance leave small gaps.

International Transfers: good

The policy contains an explicit, repeated commitment that no personal data leaves the EU, including self-hosted open-source LLMs on EU infrastructure, which removes the need for SCCs or adequacy decisions.

AI/Model Training: good

eustella makes a clear, prominent commitment that it does not use conversations, files, preferences, or connected-service data to train, fine-tune, or improve any AI models, eliminating the need for an opt-out toggle.

User Rights: good

GDPR rights are comprehensively listed with specific exercise methods (email and in-app), a one-month response timeline, and the correct Austrian supervisory authority, though the absence of DPO contact details is notable.

Key findings

Important clauses, issues or positive practices (critical first)

Warning

Contradictory mandatory account fields

Section 2 states that account creation requires only name, email address, and password, while Section 12 states that users cannot create an account without providing name, email address, and date of birth. This inconsistency makes it impossible to know what data is actually required at sign-up.

Warning

Missing Data Protection Officer

Despite being an EU controller processing personal data at scale—including systematic monitoring via PostHog, content moderation with human review, and potential special category data—the policy does not mention the appointment or contact details of a Data Protection Officer as required by Article 37 GDPR.

Warning

Unverifiable age verification collects excessive data

Section 12 acknowledges that 'no currently available technical means can fully verify a person's age without disproportionately intruding on their privacy,' yet it still mandates collection of date of birth from all users and prohibits false entries. This creates a tension between the stated futility of verification and the data collected.

Info

Human review of conversation content

Section 7 discloses that 'a limited number of trained safety staff may review the flagged content,' but it does not quantify the number of staff, the scope of their access, or the specific internal access controls beyond 'strict confidentiality obligations,' leaving some uncertainty about insider risk.

Info

Unnamed payment provider

Section 8 states that payment is processed by 'our payment provider' without naming the entity or confirming its location, reducing transparency about who processes financial data and under what jurisdiction.

Summary for the user

eustella is a comparatively privacy-safe AI assistant because it promises not to train models on your chats and keeps everything in the EU, but you should ask why a date of birth is mandatory and whether a DPO exists before sharing sensitive information.

Compliance stance

strong

EU transfers

no-transfer

Detected signals

Specific data and practices identified in the text

Data collected
  • Name
  • Email address
  • Password
  • Profile information from Google or Apple
  • Conversation inputs and outputs
  • Uploaded files, images, or documents
  • Data from connected third-party services (e.g., Google Calendar, Google Drive)
  • IP address
  • Device type
  • Operating system
  • Browser type
  • Language settings
  • General location (country or city level derived from IP)
  • Usage data and feature interaction data
  • Personalisation preferences
  • Date of birth

Processing purposes
  • Providing and operating the service
  • Content moderation and safety
  • Improving services via aggregated and anonymised data
  • Product analytics
  • Service-related communications
  • Marketing communications (with consent)
  • Legal compliance
  • Protecting legal rights

Sharing with third parties
  • Infrastructure and hosting providers (EU-based)
  • PostHog analytics (EU-hosted, Frankfurt)
  • Payment provider (unnamed)
  • Legal and regulatory authorities
  • Professional advisors (legal, tax, audit)

International transfers
  • No transfers outside the EU are performed
  • All infrastructure, processing, and storage is within the EU
  • Third-party services connected by users (e.g., Google) remain subject to their own policies

AI / Model training
  • Explicitly states user data is NOT used for AI model training
  • Conversations, files, preferences, and connected service data are excluded from training
  • No opt-out is necessary because training is prohibited by policy

Evidence excerpts

Direct excerpts from the policy that support these findings

When you create an account, we collect your name, email address, and password.

You cannot create an account without providing your name, email address, and date of birth.

We do not train AI models on your data. We do not use your conversations, your files, your preferences, or any data from your connected third-party services to train, fine-tune, or improve AI models.

We do not transfer your data outside the European Union. All of our infrastructure, data processing, and storage takes place within the EU.

Where a flag is raised, a limited number of trained safety staff may review the flagged content.

Missing or unclear

  • No mention of a Data Protection Officer (DPO) or their contact details
  • No cookie policy or consent mechanism described despite analytics usage
  • Identity and location of the payment processor not disclosed
  • Specific names of open-source LLMs used not provided
  • No mention of Data Protection Impact Assessment (DPIA) or records of processing activities

Questions to ask

  • Section 2 lists name, email, and password as required for account creation, while Section 12 adds date of birth; which fields are actually mandatory, and why is there a discrepancy?
  • Is a Data Protection Officer appointed under Article 37 GDPR, and if so, why are their contact details not provided in the policy?
  • Which specific payment provider is used, and can you confirm it is also EU-based and bound by a data processing agreement?
  • Do the original developers or communities behind the open-source LLMs receive any telemetry, error reports, or model improvement signals derived from eustella's usage?
  • Given the admission that age cannot be technically verified without disproportionate intrusion, what is the legal basis and necessity for mandating date of birth collection under Article 5(1)(c) GDPR?

This analysis is generated by AI and does not constitute legal advice. Always consult a qualified legal professional for GDPR compliance decisions.

Generated by DentroChat
