qdrant.tech privacy policy — score 65/100 (medium risk)
Dernière analyse
Ce rapport date de plus de 28 jours. Il affiche la dernière analyse enregistrée pour cette politique — actualisez pour récupérer la page en direct et mettre à jour le score.
Le contenu du rapport (résumé, constats, citations) a été généré en anglais et n'est pas localisé.
Détails du rapport
medium risqueQdrant’s policy leans heavily on legitimate‑interest and US third‑party transfers, gives consent options for newsletters, but lacks clear limits on data collection and any mention of AI model training, making it only moderately privacy‑friendly.
The privacy policy provides the required legal bases and lists many processors, but it often relies on legitimate interest for core website functions, gives vague retention periods, and does not disclose whether user data is used to train AI models. International transfers are covered by SCCs and the EU‑US Data Privacy Framework, yet the reliance on US providers remains a risk. User rights are described, but practical mechanisms (e.g., easy withdrawal of consent, DPO contact process) are not detailed.
Évaluation par catégorie
Répartition de la politique selon les principaux domaines de conformité. Bon = solide, moyen = mitigé, faible = préoccupant.
The policy does not specify limits on the amount of data collected; it lists many data points (IP, browser details, usage logs) collected by default.
Legal bases are listed, but the description of processing purposes is generic and does not detail profiling or AI model training.
Numerous third parties (HubSpot, Segment, Google Analytics, Mixpanel, Stripe, Netlify) are used, many based outside the EEA, with reliance on SCCs.
Transfers are covered by SCCs and the EU‑US Data Privacy Framework, but the policy lacks per‑processor risk assessments.
No mention of whether personal data is used to train Qdrant’s AI models or how users can opt‑out.
Rights are enumerated (access, rectification, erasure, portability, objection) and contact details for the DPO are provided.
Constats clés
Clauses notables, problèmes ou bonnes pratiques identifiées (critiques en premier)
No disclosure of AI or model‑training usage
The policy never mentions whether personal data collected via the website or cloud service is used to train or improve Qdrant’s AI models, leaving a significant transparency gap.
Extensive reliance on legitimate interest for core website functions
The policy states that IP address, browser details, and other log data are processed on the basis of Art. 6(1)(f) GDPR as a legitimate interest, without offering a clear opt‑out mechanism for users.
Broad international data transfers to US providers
Multiple US‑based processors (HubSpot, Segment, Google Analytics, Mixpanel, OneTrust, Netlify) are used, with transfers justified by standard contractual clauses or the EU‑US Data Privacy Framework, but the policy does not disclose specific safeguards per processor.
Vague data retention periods for many categories
While log files are deleted after 14 days and IPs after 90 days, other data (e.g., newsletter contacts, customer accounts) have no explicit retention schedule, relying on “as long as necessary” language.
Consent management for newsletters is described, but the revocation process is unclear
The policy says consent can be revoked by clicking a link or emailing, but does not specify how quickly the revocation is processed or whether it automatically stops all marketing communications.
Synthèse pour l'utilisateur
Your data may be shared with many US‑based services (e.g., HubSpot, Google Analytics, Mixpanel) under standard contractual clauses; you can object to direct marketing, but the policy does not clearly explain how your data might be used for AI training or profiling beyond marketing.
Posture de conformité
Mixed – the policy meets many formal GDPR requirements (legal bases, rights, DPO contact) but falls short on transparency about data minimisation, purpose limitation, and AI usage.
Transferts UE
Transfers to the US are justified by SCCs and the EU‑US Data Privacy Framework, but the policy does not provide detailed safeguards for each processor, nor does it offer an easy way for data subjects to object to such transfers.
Signaux détectés
Données et pratiques spécifiques identifiées dans le texte
Extraits probants
Citations directes de la politique à l'appui de ces constats
During the informative use of the website, ... we collect the personal data that the browser transmits to our server ... This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
We use HubSpot to manage leads ... The provider processes usage data ... in the EU. The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR.
We use Google Analytics for analytics. ... The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent.
Data subjects have the following rights ... Right of access, Right to correction or deletion, Right to limit processing, Right to object ...
The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred ... is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR).
Manquant ou flou
- Explicit statement on whether personal data is used for AI model training or improvement
- Detailed retention periods for non‑log data (e.g., newsletter contacts, customer accounts)
- Clear opt‑out mechanism for legitimate‑interest processing of website logs
- Information on profiling beyond direct marketing
Questions à poser
- Do you use any of the collected personal data (including log data) to train or improve Qdrant’s AI models, and if so, can users opt‑out?
- What specific safeguards (technical or contractual) are in place for each US‑based processor beyond the generic SCCs?
- How is consent for analytics (Google Analytics, Mixpanel, etc.) obtained and recorded, and can users withdraw it easily?
- Can you provide a detailed retention schedule for each data category (e.g., newsletter subscribers, customer accounts, payment data)?
- Is there a mechanism for users to object to the legitimate‑interest processing of website logs, and how is that request handled?
Partager cette analyse
Toute personne disposant de ce lien peut consulter le résultat ci-dessus.
Conçu par DentroChat
Chat IA 100 % européen pour tous
Discutez avec l'IA, travaillez avec des fichiers, générez des images et cherchez sur le web. Les données restent en Europe.