signal.org privacy policy — score 72/100 (medium risk)

Τελευταία ανάλυση

Το περιεχόμενο της αναφοράς (περίληψη, ευρήματα, αποσπάσματα) δημιουργήθηκε στα αγγλικά και δεν έχει μεταφραστεί.

Νέα ανάλυση σε άλλη πολιτική

Signal Messenger LLC · signal.org

Λεπτομέρειες αναφοράς

medium κίνδυνος

Signal genuinely collects almost nothing and encrypts everything, but its legal documentation is outdated and missing critical GDPR-mandated disclosures like transfer safeguards, retention periods, and user rights procedures.

Signal's architecture and data practices are among the most privacy-friendly in the industry—end-to-end encryption by default, no data monetization, and minimal collection. However, the privacy policy has not been updated since May 2018 and lacks formal GDPR compliance elements: no description of data subject rights, no legal bases for processing, no retention periods, no DPO contact, and no mention of appropriate safeguards for US transfers. The mandatory California jurisdiction clause is also problematic for EU consumers.

Τελευταία ανάλυση
ΠηγήURL
Μήκος15,082 χαρακτήρες

Αξιολόγηση ανά κατηγορία

Ανάλυση της πολιτικής σε βασικούς τομείς συμμόρφωσης. Καλό = ισχυρό, μέτριο = μικτό, κακό = ανησυχητικό.

Data Minimizationgood

Only the phone number is mandatory; profile data is optional and end-to-end encrypted; technical metadata is limited to the minimum required to operate the service.

Transparencyfair

The policy is clear about encryption and what is collected, but lacks retention periods, legal bases for processing, and has not been updated since May 2018.

Third-party Sharingfair

Sharing is limited to verification code providers and optional third-party services like Giphy, but no subprocessor list is provided and no contractual safeguards are described.

International Transferspoor

Data is explicitly transferred to the US and other countries, but no GDPR-compliant transfer mechanism (SCCs, adequacy decision, BCRs) is mentioned anywhere in the policy.

AI/Model Trainingfair

The policy is silent on AI training, but Signal's firm no-monetization stance and minimal data collection make it unlikely; however, it is not explicitly prohibited.

User Rightspoor

No explicit description of GDPR rights (access, rectification, deletion, portability, objection, restriction); only a vague reference to managing info in app settings.

Βασικά ευρήματα

Σημαντικές ρήτρες, ζητήματα ή θετικές πρακτικές (κρίσιμα πρώτα)

Κρίσιμο

No GDPR transfer safeguards for US data flows

The Terms state users agree to 'the transfer of your encrypted information and metadata to the United States and other countries where we have or use facilities, service providers or partners,' but the policy mentions no Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules. Post-Schrems II, this is a significant compliance gap for EU users.

Κρίσιμο

GDPR data subject rights are not described

The privacy policy does not enumerate or explain any GDPR rights (Articles 15–22): no right of access, rectification, erasure, restriction, portability, or objection. The only mention is that users can 'manage your personal information in Signal's application Settings,' which is insufficient under GDPR Article 13(2)(b).

Προειδοποίηση

No data retention periods specified

The policy states that support data is 'kept only for the purposes of researching the issue' and that technical information is 'limited to the minimum required,' but no specific retention periods are provided for any data category, as required by GDPR Article 13(2)(a).

Προειδοποίηση

Mandatory US jurisdiction clause conflicts with EU consumer rights

The Terms require disputes to be resolved exclusively in 'the United States District Court for the Northern District of California or a state court in San Mateo County, California,' which may be unenforceable against EU consumers under the Brussels I Regulation and is inconsistent with GDPR Article 79(2).

Προειδοποίηση

Privacy policy outdated — last updated May 2018

The privacy policy has not been updated since May 25, 2018, raising questions about whether it reflects current data practices, third-party relationships, and regulatory requirements that have evolved since then.

Προειδοποίηση

No legal basis for processing specified

The policy does not identify the legal basis under GDPR Article 6 for any processing activity (e.g., contract performance for account registration, legitimate interest for security), as required by GDPR Article 13(1)(c).

Info

Third-party providers lack contractual detail

The policy mentions 'Third-Party Providers' that send verification codes and states they 'are bound by their Privacy Policies to safeguard that information,' but does not name them, describe contractual safeguards, or provide a subprocessor list as expected under GDPR accountability principles.

Info

Strong no-monetization commitment

The Terms explicitly state: 'Signal does not sell, rent or monetize your personal data or content in any way – ever.' This is a strong, unqualified commitment that goes beyond typical industry language.

Περίληψη για τον χρήστη

Your messages and calls are genuinely private and encrypted, but if you need to exercise GDPR rights or want clarity on how your data moves to the US, the policy leaves you without clear answers.

Στάση συμμόρφωσης

Strong on technical privacy, weak on legal documentation. The substance is excellent but the formal GDPR compliance framework is incomplete.

Μεταφορές ΕΕ

The Terms explicitly acknowledge transfers to the US and other countries but mention no GDPR transfer mechanism (SCCs, adequacy decision, or BCRs). This is a significant compliance gap post-Schrems II.

Εντοπισμένα σήματα

Συγκεκριμένα δεδομένα και πρακτικές που εντοπίστηκαν στο κείμενο

Δεδομένα που συλλέγονται
Phone numberProfile nameProfile pictureContact hashesAuthentication tokensKeysPush tokensSupport inquiry data
Σκοποί επεξεργασίας
Account registration and verificationMessage delivery to offline devicesCall establishment and message transmissionContact discoveryUser support
Κοινοποίηση σε τρίτους
Third-party verification code providersLaw enforcement under legal processThird-party services (YouTube, Spotify, Giphy) when user activates them
Διεθνείς μεταφορές
United StatesOther countries where Signal has facilities, service providers, or partners

Αποσπάσματα αποδείξεων

Απευθείας αποσπάσματα από την πολιτική που υποστηρίζουν αυτά τα ευρήματα

Signal does not sell, rent or monetize your personal data or content in any way – ever.

you agree to our data practices as described in our Privacy Policy, as well as the transfer of your encrypted information and metadata to the United States and other countries where we have or use facilities, service providers or partners.

You can manage your personal information in Signal's application Settings. For example, you can update your profile information or choose to enable additional privacy features like a Registration Lock PIN.

Signal limits this additional technical information to the minimum required to operate the Services.

You agree to resolve any Claim you have with us relating to or arising out of our Terms, us, or our Services exclusively in the United States District Court for the Northern District of California or a state court in San Mateo County, California.

These providers are bound by their Privacy Policies to safeguard that information.

Λείπει ή ασαφές

  • No GDPR legal bases for processing
  • No data retention periods
  • No subprocessor list
  • No DPO contact information
  • No GDPR transfer mechanism (SCCs, adequacy, BCRs)
  • No explicit AI/model training policy
  • No cookie or tracking technology disclosure
  • No DPIA references
  • No data breach notification procedure
  • No explicit GDPR rights enumeration

Ερωτήσεις προς υποβολή

  • What Standard Contractual Clauses or other transfer mechanisms does Signal rely on for EU-to-US data transfers, and can you provide the relevant documentation?
  • What are the specific retention periods for each category of data you collect (phone numbers, technical metadata, support data)?
  • Who are the 'Third-Party Providers' that process verification codes, and what contractual data protection obligations do they have beyond their own privacy policies?
  • How can an EU user exercise their GDPR rights (access, erasure, portability, objection) — is there a dedicated process or contact beyond the general privacy@signal.org email?
  • Has Signal conducted a Data Protection Impact Assessment for its contact discovery feature, given that it involves hashing and transmitting address book data?
  • Why has the privacy policy not been updated since May 2018, and does it accurately reflect all current data processing activities and third-party relationships?
Αυτή η ανάλυση δημιουργείται από AI και δεν αποτελεί νομική συμβουλή. Συμβουλευτείτε πάντα εξειδικευμένο νομικό για αποφάσεις συμμόρφωσης GDPR.

Κοινοποίηση αυτής της ανάλυσης

Οποιοσδήποτε με αυτόν τον σύνδεσμο μπορεί να δει το αποτέλεσμα παραπάνω.

Δημιουργήθηκε από το DentroChat

100% ευρωπαϊκό AI chat για όλους

Συνομιλήστε με AI, εργαστείτε με αρχεία, δημιουργήστε εικόνες και αναζητήστε στο διαδίκτυο. Τα δεδομένα παραμένουν στην Ευρώπη.

Υποδομή φιλοξενούμενη στην ΕΕΚείμενο, αρχεία, εικόνες και αναζήτηση webΛειτουργίες Γρήγορη, Σκέψη και ΔημιουργικήΠροτεραιότητα στην ιδιωτικότηταΚανένα δεδομένο δεν φεύγει από την Ευρώπη
Δοκιμή δωρεάν →