cal.com privacy policy — score 55/100 (medium risk)
Viimeksi analysoitu
Raportin sisältö (yhteenveto, havainnot, lainaukset) on luotu englanniksi eikä sitä ole lokalisoitu.
Cal.com, Inc. · cal.com
Raportin tiedot
medium riskiCal.com provides standard GDPR rights and a subprocessor list, but fails to specify the legal basis for EU-to-US data transfers and remains silent on AI training data usage.
The privacy policy demonstrates some compliance awareness by listing GDPR rights, appointing a DPO, and naming an EU Representative. However, it suffers from significant gaps typical of US-centric policies, such as relying on vague 'adequate controls' for international data transfers without naming the legal mechanism. Furthermore, the policy is completely silent on AI model training despite the company actively marketing an AI product (Cal.ai), and it uses overly broad language regarding the personal data it collects.
Kategoria-arviointi
Käytännön jakautuminen keskeisille vaatimustenmukaisuusalueille. Hyvä = vahva, kohtalainen = ristiriitainen, heikko = huolestuttava.
Collects standard scheduling data but uses advertising cookies and shares emails for ad matching, which goes beyond strict necessity.
Lists subprocessors and rights clearly, but the categories of personal data collected are vaguely defined.
Subprocessors are well-documented, but sharing data with ad platforms like Google and Meta for audience matching raises consent questions.
Explicitly transfers EU data to the US but fails to name the legal transfer mechanism required by GDPR Chapter V.
The policy is completely silent on whether user data is used for AI training, despite the company marketing an AI product.
Clearly lists all standard GDPR rights, provides a DPO contact, and has appointed an EU Representative under Article 27.
Keskeiset havainnot
Huomionarvoiset ehdot, ongelmat tai hyvät käytännöt (kriittiset ensin)
Missing Legal Basis for International Transfers
The policy admits transferring data to the US but does not cite Standard Contractual Clauses, Binding Corporate Rules, or the EU-US Data Privacy Framework, relying instead on vague language about 'adequate controls'.
Silence on AI Training Practices
Despite prominently advertising 'Cal.ai' and AI-powered calls, the privacy policy contains absolutely no disclosure regarding whether user data, meeting content, or transcripts are used to train AI models.
Vague Definition of Personal Data Categories
The policy states personal data 'may include, but is not limited to: Cookies and Usage Data', failing to explicitly list the specific categories of personal data collected (e.g., name, email address) in the definitions section, violating GDPR Article 13(2)(a) specificity requirements.
Ambiguous Advertising Tracking and Consent
The policy admits to using advertising cookies and sharing emails with ad platforms (Google, Meta, LinkedIn) for audience matching, framing it as a U.S.-only feature with an email opt-out, but fails to clarify how explicit GDPR-standard consent is obtained for any EU users who might fall into these tracking nets.
Yhteenveto käyttäjälle
Your data will likely be shipped to the US under unspecified legal protections, and while basic GDPR rights are offered, the policy leaves dangerous gray areas around advertising tracking and AI usage.
Vaatimustenmukaisuusasento
Mixed compliance posture; structural GDPR elements exist but substantive safeguards for international transfers and AI processing are missing.
EU-siirrot
Inadequate. The policy explicitly transfers data to the US but fails to name a valid GDPR transfer mechanism like Standard Contractual Clauses or the EU-US Data Privacy Framework.
Havaitut signaalit
Tekstistä tunnistetut erityiset tiedot ja käytännöt
Todisteiden otteet
Suorat lainaukset käytännöstä näiden havaintojen tueksi
If you are located outside United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to United States and process it there.
Personally identifiable information may include, but is not limited to: Cookies and Usage Data
For users located in the United States, we may share limited information—such as your email address—with advertising platforms including Google Ads, Meta (Facebook and Instagram), and LinkedIn.
Puuttuu tai epäselvä
- Legal mechanism for EU-US data transfers
- Specific categories of personal data collected
- AI model training disclosures
- Data retention timeframes
- Lawful basis for processing under GDPR Article 6
Kysyttävät kysymykset
- What is the specific legal mechanism (e.g., Standard Contractual Clauses, EU-US Data Privacy Framework) used to authorize the transfer of EU personal data to the United States?
- Is any user data, including booking content, video transcripts, or call recordings, used to train or improve the Cal.ai models or any other machine learning algorithms?
- How is explicit consent obtained from EU users before placing advertising cookies or sharing their data with ad networks for audience matching?
- What are the specific retention periods for the different categories of personal data you collect?
Jaa tämä analyysi
Kuka tahansa, jolla on tämä linkki, voi nähdä yllä olevan tuloksen.
DentroChatin rakentama
100 % eurooppalainen tekoälychat kaikille
Keskustele tekoälyn kanssa, käsittele tiedostoja, luo kuvia ja hae verkosta. Tiedot pysyvät Euroopassa.