tella.com privacy policy — score 55/100 (medium risk)
Último análisis
El contenido del informe (resumen, hallazgos, citas) se generó en inglés y no está localizado.
Tella HQ Inc. · tella.com
Detalles del informe
medium riesgoTella collects sensitive video data and shares it with numerous US-based AI and analytics providers without clearly stating if your data trains their models, making it a mixed bag for EU users.
The policy is relatively transparent about data categories and legal bases, correctly identifying video recordings as special category data requiring explicit consent. However, it suffers from significant gaps regarding AI sub-processors, contradictory language on profiling, and a massive list of US-based third parties receiving EU user data, including biometric and video content. While Standard Contractual Clauses are mentioned for international transfers, the scope of data sharing with AI companies without explicit model training opt-outs is a major concern.
Evaluación por categoría
Desglose de la política en las principales áreas de cumplimiento. Bueno = sólido, regular = mixto, deficiente = preocupante.
Collects necessary account and support data, but the breadth of analytics tracking and sending video content to multiple AI providers pushes the boundaries of minimization.
The policy lists purposes and legal bases clearly, but uses confusing terminology regarding profiling and completely omits whether AI providers use data for model training.
An exceptionally long list of sub-processors, predominantly US-based, handle user data, including highly sensitive video content analyzed by AI companies.
Data is stored in the US and shared with over 20 US-based sub-processors; while SCCs are mentioned, the scale of US transfers for special category data is concerning.
The policy is completely silent on whether user data (especially video transcriptions and summaries) is used to train third-party AI models, which is a critical gap.
GDPR rights are clearly listed with specific explanations, contact details are provided, and the response window complies with the one-month statutory limit.
Hallazgos clave
Cláusulas destacadas, problemas o buenas prácticas detectadas (críticos primero)
AI Sub-processor Ambiguity on Model Training
The policy lists several AI providers (Anthropic, OpenAI, AssemblyAI) for analyzing, summarizing, and transcribing video content, but it fails to explicitly state whether these third parties use the input data to train their own AI models. This is a major red flag under the GDPR principle of purpose limitation and data minimization, especially for special category data.
Contradictory Profiling Claims
Section 3.5 explicitly lists 'Profiling for our research, development and improvement of our Services' as a purpose based on legitimate interest, while Section 5 claims 'We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.' This creates confusion about what kind of profiling is actually occurring and whether it goes beyond Article 22.
Extensive US Transfers of Special Category Data
The vast majority of sub-processors are located in the United States, meaning EU user data, including special category video data, is heavily transferred out of the EEA. While Standard Contractual Clauses are mentioned, the volume and nature of these transfers present significant privacy risks given the US surveillance landscape.
Special Category Data Handling
The policy correctly identifies video recordings (facial image, voice) as special category data and relies on explicit consent (Article 9 GDPR) for consumer accounts, which is appropriate, but requires strict verification that consent is genuinely obtained before processing begins.
Resumen para el usuario
Your video recordings, including your face and voice, are processed by Tella and sent to US-based AI companies like OpenAI and Anthropic for transcription and summarization. It is unclear if these AI companies use your videos to train their models.
Postura de cumplimiento
mixed
Transferencias en la UE
poor
Señales detectadas
Datos y prácticas específicas identificadas en el texto
Fragmentos de evidencia
Citas directas de la política que respaldan estos hallazgos
Anthropic (Anthropic PBC) Location: United States Purpose: To analyse and summarise video content created with Tella.
3.5. Website analytics data... Purpose: Profiling for our research, development and improvement of our Services. Legal basis: Necessary for the purpose of our legitimate interests...
We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
If we share your personal data in accordance with this Tella Privacy Policy within group, or with a third party located outside the European Economic Area, we ensure where required that appropriate safeguards are in place... particularly by signing the Standard Contractual Clauses
Ausente o poco claro
- AI model training opt-out
- Data Protection Impact Assessment (DPIA) summary
- Cookie consent details
- Anonymization or pseudonymization strategies for analytics
Preguntas que hacer
- Do your agreements with AI sub-processors like OpenAI and Anthropic explicitly prohibit the use of Tella customer data for training their foundation models?
- What specific profiling activities are occurring under Section 3.5, and how do they differ from the Article 22 profiling denied in Section 5?
- How exactly is explicit consent collected from consumer users before their facial image and voice (special category data) in video recordings are processed and sent to third parties?
- Have Data Protection Impact Assessments (DPIAs) been conducted for the processing of special category video data and its transfer to US-based AI providers?
Compartir este análisis
Cualquiera con este enlace puede ver el resultado anterior.
Creado por DentroChat
Chat de IA 100 % europeo para todos
Chatea con la IA, trabaja con archivos, genera imágenes y busca en la web. Los datos permanecen en Europa.