DentroChat logo
Probar gratis

kolsetu.com privacy policy — score 85/100 (low risk)

Último análisis

Este informe tiene más de 28 días. Muestra el último análisis guardado para esta política — actualízalo para volver a obtener la página en vivo y renovar la puntuación.

El contenido del informe (resumen, hallazgos, citas) se generó en inglés y no está localizado.

Detalles del informe

low riesgo

Kolsetu generally respects EU privacy rules, but it over‑collects usage data, lacks a public DPO, and provides limited detail on some international transfers.

Kolsetu’s Product, Website, and Data Processing Agreement policies are detailed, reference GDPR articles, and include rights, security measures, and transfer mechanisms. They explicitly exclude user data from AI model training and rely on SCCs or adequacy decisions for cross‑border flows. However, the policies retain extensive technical logs, do not name a Data Protection Officer, and keep legitimate‑interest assessments behind a request barrier, which reduces transparency.

Último análisis
FuenteURL
Longitud67,946 caracteres

Evaluación por categoría

Desglose de la política en las principales áreas de cumplimiento. Bueno = sólido, regular = mixto, deficiente = preocupante.

Data Minimisationfair

Collects extensive usage logs (IP, device IDs) retained for 12 months, which may exceed what is needed for a B2B admin platform.

Transparencygood

Policies are comprehensive and cite GDPR articles, but legitimate‑interest assessments are only available on request.

Third‑party Sharingfair

Shares data with many sub‑processors; most are EEA‑based, but some US entities (LiveKit) rely on SCCs without detailed safeguards.

International Transfersgood

Uses adequacy decisions, SCCs, and the EU‑U.S. Data Privacy Framework; however, the exact scope of SCCs for each sub‑processor is not listed.

AI/Model Traininggood

Explicitly prohibits using Platform User data for AI model training and includes contractual AI training exclusions.

User Rightsgood

Provides full GDPR rights, clear contact details, and response timelines; some statutory retention limits are noted.

Hallazgos clave

Cláusulas destacadas, problemas o buenas prácticas detectadas (críticos primero)

Advertencia

Broad technical data collection and retention

The policy logs IP addresses, device identifiers, browser type, OS, and retains usage logs for 12 months, which may be disproportionate for a business‑to‑business admin tool.

Advertencia

No appointed Data Protection Officer (DPO)

The Website Privacy Policy states Kolsetu has not formally appointed a DPO, despite processing large volumes of personal data across multiple services.

Advertencia

US‑based sub‑processor LiveKit lacks disclosed safeguards

LiveKit (US) processes real‑time audio; the policy only mentions SCCs but provides no detail on encryption, data minimisation, or audit rights for this sub‑processor.

Info

Limited transparency on legitimate‑interest assessments

Legitimate‑interest assessments are said to be “available on request” but are not published, reducing accountability for the Art. 6(1)(f) basis.

Resumen para el usuario

Kolsetu’s privacy stance is solid overall, but users should ask for more detail on how long technical data is kept and what safeguards apply to US‑based sub‑processors.

Postura de cumplimiento

Kolsetu demonstrates a proactive compliance posture with documented legal bases, rights mechanisms, and security certifications (ISO 27001, GDPR). Yet, some gaps in transparency and data minimisation could be tightened.

Transferencias en la UE

All primary processing occurs in the EEA. Transfers to non‑EEA sub‑processors (e.g., LiveKit in the US) are covered by Standard Contractual Clauses, and adequacy decisions are used where available. Transfer impact assessments are performed but not publicly disclosed.

Señales detectadas

Datos y prácticas específicas identificadas en el texto

Datos recopilados
NameWork email addressPhone number (optional)Company nameJob titleOrganisational roleLogin credentials (hashed password)IP addressBrowser typeOperating systemDevice identifiersLogin timestampsSession durationActivity logsSupport request contentSubscription tierBilling confirmation eventsVoice recordings (demo calls)Conversation transcriptsCall metadata (date, time, duration)Marketing preferences
Finalidades del tratamiento
Account creation, authentication, and platform access managementProvision and operation of the Elba platform and associated servicesSubscription management and billing confirmation processingTechnical support and incident resolutionPlatform security, fraud prevention, and system stability monitoringAudit logging for accountability and complianceService communications (critical updates, security notifications)Compliance with legal obligationsWebsite security and stabilityDemo call handling and quality improvementMarketing communications (with consent)
Cesión a terceros
Infrastructure and hosting providers (Microsoft Azure EU, Google Ireland)Payment providers (transaction confirmation only)Telephony providers (Twilio – confirmation only)Sub‑processors listed in Annex I‑C (e.g., AWS, Azure OpenAI, Anthropic, LiveKit, Meta WhatsApp Business API)Employees of Kolsetu for operational purposesAuditors, legal counsel, and competent authorities when required
Transferencias internacionales
All primary processing takes place within the EEA (Germany).Transfers to sub‑processors outside the EEA rely on EU adequacy decisions, Standard Contractual Clauses, or the EU‑U.S. Data Privacy Framework.Google Analytics transfers data to the United States under SCCs; IP addresses are anonymised before transfer.LiveKit (US) processes audio in EU endpoints but is covered by SCCs.
IA / Entrenamiento de modelos
We do not use Platform User data for advertising, behavioural profiling, or AI model training.AI training exclusion: Neither the Processor nor any of its sub‑processors shall use Customer Personal Data to train, fine‑tune, or improve any general‑purpose AI model.Data used for AI inference is limited to the minimum necessary and is not retained beyond the inference session.

Fragmentos de evidencia

Citas directas de la política que respaldan estos hallazgos

We collect and process only the personal data that is necessary for the purposes described in this Policy (Art. 5(1)(c) GDPR - data minimisation).

We do not use Platform User data for advertising, behavioural profiling, or AI model training.

All financial transactions are completed on the payment provider's own infrastructure; Kolsetu's data exposure is limited to the confirmation event.

Kolsetu implements and maintains appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR to protect Platform User data.

We do not derive biometric identifiers or voiceprints from voice recordings... and does not process voice recordings as biometric data within the meaning of Art. 9 GDPR.

Google Analytics data is processed by Google Ireland Limited... transferred to the United States for processing on Google LLC infrastructure. This transfer is protected by EU Standard Contractual Clauses.

Ausente o poco claro

  • No publicly available Data Protection Impact Assessment (DPIA) for voice‑recording processing.
  • No explicit statement on the method of IP‑address anonymisation.
  • No detailed description of how the legitimate‑interest assessment is documented or reviewed.

Preguntas que hacer

  • Can Kolsetu provide the documented legitimate‑interest assessment for processing usage logs and IP addresses?
  • What technical and contractual safeguards are in place for the US‑based sub‑processor LiveKit?
  • How is IP‑address anonymisation performed before any cross‑border transfer?
  • Why has Kolsetu not appointed a Data Protection Officer, and how are DPO responsibilities covered?
  • Is there a publicly available DPIA for the processing of demo‑call recordings and transcripts?
Este análisis lo genera la IA y no constituye asesoramiento legal. Consulta siempre a un profesional jurídico cualificado para decisiones de cumplimiento.

Compartir este análisis

Cualquiera con este enlace puede ver el resultado anterior.

Creado por DentroChat

Chat de IA 100 % europeo para todos

Chatea con la IA, trabaja con archivos, genera imágenes y busca en la web. Los datos permanecen en Europa.

Infraestructura alojada en la UETexto, archivos, imágenes y búsqueda webModos Rápido, Reflexión y CreativoPrivacidad por defectoNingún dato sale de Europa
Probar gratis →