langdock.com privacy policy — score 78/100 (low risk)
Dernière analyse
Le contenu du rapport (résumé, constats, citations) a été généré en anglais et n'est pas localisé.
Langdock GmbH · langdock.com
Détails du rapport
low risqueLangdock is a privacy-conscious EU-based AI platform that explicitly bans using your content to train AI models and keeps data in the EU, though it relies on some US sub-processors and has vague retention periods in places.
Langdock GmbH's privacy policy is well-structured and GDPR-aligned, with strong commitments on AI training and EU data residency. Key strengths include a clear processor role for workspace content, an explicit no-AI-training pledge, and appointed DPO. Weaknesses include reliance on US providers (Microsoft, Google) with only generic safeguard references, vague retention periods for several categories, and a sub-processor list that is referenced but not included in the policy text itself.
Évaluation par catégorie
Répartition de la politique selon les principaux domaines de conformité. Bon = solide, moyen = mitigé, faible = préoccupant.
Each processing purpose lists specific data categories; telemetry is explicitly anonymized and aggregated, and payment data is offloaded to Stripe.
Legal basis is cited for every processing activity with clear purpose descriptions; however, the sub-processor list is externalized to the Trust Center and not embedded in the policy.
Key sub-processors like Microsoft, Google, and Stripe are named, but the full list is only available via an external link; a merger/acquisition data sharing clause is broad.
Commits to EU-based processing as a rule, but allows third-country transfers 'in rare cases' with standard safeguards; the use of US cloud providers creates an inherent transfer risk not fully quantified.
Explicitly states 'Your data is not used for training AI models' and that content is processed solely to provide contracted services under the DPA.
All standard GDPR rights are listed with clear descriptions, contact email, and the specific supervisory authority (Berlin DPA) is named.
Constats clés
Clauses notables, problèmes ou bonnes pratiques identifiées (critiques en premier)
Sub-processor list externalized and not in policy text
The policy references a sub-processor list in the Trust Center but does not include it inline. Users must navigate externally to see who processes their data. The named providers (Microsoft, Google, Stripe) are US-based, implying international transfers that are not individually detailed.
Vague retention periods for several data categories
While some retention periods are specific (30 days post-contract for user accounts, 10 years for billing, 6 months for job applications), others rely on vague language like 'after the expiration of the statutory retention periods for business communications' without specifying the duration.
Merger and acquisition data sharing clause is broad
Section 3(b) allows data sharing with prospective or actual acquirers and their advisors in M&A scenarios, subject only to confidentiality obligations and necessity. No specific safeguards like prior notification or consent are mentioned.
Explicit no-AI-training commitment
Section 2(g) states unambiguously that user content (chats, projects) is not used for training AI models. This is a strong privacy-positive commitment that addresses a key concern for AI platforms.
Legitimate interest used for product emails to existing users
Section 2(e) uses legitimate interest (Art. 6(1)(f) GDPR + Section 7(3) UWG) to send product update emails to registered users unless they object. This is a soft opt-out approach rather than explicit consent, which is permissible under German law but less privacy-protective than opt-in.
Telemetry data claims of non-personal nature are unverified
Section 2(g) claims telemetry data 'does not allow any conclusions to be drawn about individual persons' and 'never contains personal data,' but aggregated usage statistics and error messages tied to sessions could potentially be re-identifying, especially for small workspaces.
Automated decision-making with human review safeguard
Section 5 acknowledges that bot/spam detection may constitute Art. 22 GDPR automated decisions with significant effect, but provides a clear human review mechanism via support@langdock.com. This is a well-handled disclosure.
Synthèse pour l'utilisateur
Your chat and workflow content on Langdock is NOT used to train AI models, and your employer (not Langdock) controls that data. However, some of your account and billing data flows to US-based sub-processors like Microsoft and Google.
Posture de conformité
Strong GDPR compliance posture with DPO appointed, ISO 27001 and SOC 2 Type II certifications, and clear legal basis citations for every processing activity. Minor gaps in sub-processor transparency and retention specificity.
Transferts UE
Data is generally processed in the EU, but transfers to third countries can occur 'in rare cases' using SCCs, adequacy decisions, or the EU-U.S. Data Privacy Framework. The use of Microsoft and Google as sub-processors likely involves some US transfers, which is not fully detailed.
Signaux détectés
Données et pratiques spécifiques identifiées dans le texte
Extraits probants
Citations directes de la politique à l'appui de ces constats
Your data is not used for training AI models.
As a general rule, we process personal data on servers within the European Union. In rare cases, particularly when services are not available in the EU or when you are located outside the EU and contact us, data may be transferred to 'third countries' outside the EU or the European Economic Area.
We delete your user account and associated data upon request or no later than within 30 days after termination of the contractual relationship, unless statutory retention obligations apply.
The processors used in the Langdock platform can be found in our list of sub-processors in our Trust Center.
In the context of a merger, acquisition, or sale, data may also be shared with the prospective or actual acquirer and their advisors. Such disclosure occurs only to the extent necessary and subject to confidentiality obligations.
Manquant ou flou
- Full sub-processor list with transfer mechanisms for each
- Specific retention periods for support communications and social media data
- Details on which third-country transfers actually occur and with which providers
- Cookie categories and specific cookies used
- Data breach notification procedures
- DPIA (Data Protection Impact Assessment) references
- Specific details on encryption standards used
Questions à poser
- Which sub-processors process data outside the EU, and what specific transfer mechanisms (SCCs, DPF certification) are in place for each?
- What are the exact retention periods for support communications, social media messages, and telemetry data?
- How is telemetry data anonymized, and has a re-identification risk assessment been conducted, especially for small workspaces?
- In the event of an M&A transaction, will data subjects be notified before their data is shared with the acquirer?
- What specific cookies and tracking technologies are currently deployed on the website beyond technically necessary ones?
- How quickly does Langdock respond to data subject rights requests (access, deletion, portability), and is there an automated self-service mechanism?
Partager cette analyse
Toute personne disposant de ce lien peut consulter le résultat ci-dessus.
Conçu par DentroChat
Chat IA 100 % européen pour tous
Discutez avec l'IA, travaillez avec des fichiers, générez des images et cherchez sur le web. Les données restent en Europe.