kolsetu.com privacy policy — score 85/100 (low risk)
Dernière analyse
Ce rapport date de plus de 28 jours. Il affiche la dernière analyse enregistrée pour cette politique — actualisez pour récupérer la page en direct et mettre à jour le score.
Le contenu du rapport (résumé, constats, citations) a été généré en anglais et n'est pas localisé.
Détails du rapport
low risqueKolsetu generally respects EU privacy rules, but it over‑collects usage data, lacks a public DPO, and provides limited detail on some international transfers.
Kolsetu’s Product, Website, and Data Processing Agreement policies are detailed, reference GDPR articles, and include rights, security measures, and transfer mechanisms. They explicitly exclude user data from AI model training and rely on SCCs or adequacy decisions for cross‑border flows. However, the policies retain extensive technical logs, do not name a Data Protection Officer, and keep legitimate‑interest assessments behind a request barrier, which reduces transparency.
Évaluation par catégorie
Répartition de la politique selon les principaux domaines de conformité. Bon = solide, moyen = mitigé, faible = préoccupant.
Collects extensive usage logs (IP, device IDs) retained for 12 months, which may exceed what is needed for a B2B admin platform.
Policies are comprehensive and cite GDPR articles, but legitimate‑interest assessments are only available on request.
Shares data with many sub‑processors; most are EEA‑based, but some US entities (LiveKit) rely on SCCs without detailed safeguards.
Uses adequacy decisions, SCCs, and the EU‑U.S. Data Privacy Framework; however, the exact scope of SCCs for each sub‑processor is not listed.
Explicitly prohibits using Platform User data for AI model training and includes contractual AI training exclusions.
Provides full GDPR rights, clear contact details, and response timelines; some statutory retention limits are noted.
Constats clés
Clauses notables, problèmes ou bonnes pratiques identifiées (critiques en premier)
Broad technical data collection and retention
The policy logs IP addresses, device identifiers, browser type, OS, and retains usage logs for 12 months, which may be disproportionate for a business‑to‑business admin tool.
No appointed Data Protection Officer (DPO)
The Website Privacy Policy states Kolsetu has not formally appointed a DPO, despite processing large volumes of personal data across multiple services.
US‑based sub‑processor LiveKit lacks disclosed safeguards
LiveKit (US) processes real‑time audio; the policy only mentions SCCs but provides no detail on encryption, data minimisation, or audit rights for this sub‑processor.
Limited transparency on legitimate‑interest assessments
Legitimate‑interest assessments are said to be “available on request” but are not published, reducing accountability for the Art. 6(1)(f) basis.
Synthèse pour l'utilisateur
Kolsetu’s privacy stance is solid overall, but users should ask for more detail on how long technical data is kept and what safeguards apply to US‑based sub‑processors.
Posture de conformité
Kolsetu demonstrates a proactive compliance posture with documented legal bases, rights mechanisms, and security certifications (ISO 27001, GDPR). Yet, some gaps in transparency and data minimisation could be tightened.
Transferts UE
All primary processing occurs in the EEA. Transfers to non‑EEA sub‑processors (e.g., LiveKit in the US) are covered by Standard Contractual Clauses, and adequacy decisions are used where available. Transfer impact assessments are performed but not publicly disclosed.
Signaux détectés
Données et pratiques spécifiques identifiées dans le texte
Extraits probants
Citations directes de la politique à l'appui de ces constats
We collect and process only the personal data that is necessary for the purposes described in this Policy (Art. 5(1)(c) GDPR - data minimisation).
We do not use Platform User data for advertising, behavioural profiling, or AI model training.
All financial transactions are completed on the payment provider's own infrastructure; Kolsetu's data exposure is limited to the confirmation event.
Kolsetu implements and maintains appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR to protect Platform User data.
We do not derive biometric identifiers or voiceprints from voice recordings... and does not process voice recordings as biometric data within the meaning of Art. 9 GDPR.
Google Analytics data is processed by Google Ireland Limited... transferred to the United States for processing on Google LLC infrastructure. This transfer is protected by EU Standard Contractual Clauses.
Manquant ou flou
- No publicly available Data Protection Impact Assessment (DPIA) for voice‑recording processing.
- No explicit statement on the method of IP‑address anonymisation.
- No detailed description of how the legitimate‑interest assessment is documented or reviewed.
Questions à poser
- Can Kolsetu provide the documented legitimate‑interest assessment for processing usage logs and IP addresses?
- What technical and contractual safeguards are in place for the US‑based sub‑processor LiveKit?
- How is IP‑address anonymisation performed before any cross‑border transfer?
- Why has Kolsetu not appointed a Data Protection Officer, and how are DPO responsibilities covered?
- Is there a publicly available DPIA for the processing of demo‑call recordings and transcripts?
Partager cette analyse
Toute personne disposant de ce lien peut consulter le résultat ci-dessus.
Conçu par DentroChat
Chat IA 100 % européen pour tous
Discutez avec l'IA, travaillez avec des fichiers, générez des images et cherchez sur le web. Les données restent en Europe.