langdock.com privacy policy — score 78/100 (low risk)
Utolsó elemzés
A jelentés tartalma (összefoglaló, megállapítások, idézetek) angolul készült és nincs lokalizálva.
Langdock GmbH · langdock.com
Jelentés részletei
low kockázatLangdock is a privacy-conscious EU-based AI platform that explicitly bans using your content to train AI models and keeps data in the EU, though it relies on some US sub-processors and has vague retention periods in places.
Langdock GmbH's privacy policy is well-structured and GDPR-aligned, with strong commitments on AI training and EU data residency. Key strengths include a clear processor role for workspace content, an explicit no-AI-training pledge, and appointed DPO. Weaknesses include reliance on US providers (Microsoft, Google) with only generic safeguard references, vague retention periods for several categories, and a sub-processor list that is referenced but not included in the policy text itself.
Kategória szerinti értékelés
A szabályzat bontása a fő megfelelőségi területekre. Jó = erős, közepes = vegyes, gyenge = aggasztó.
Each processing purpose lists specific data categories; telemetry is explicitly anonymized and aggregated, and payment data is offloaded to Stripe.
Legal basis is cited for every processing activity with clear purpose descriptions; however, the sub-processor list is externalized to the Trust Center and not embedded in the policy.
Key sub-processors like Microsoft, Google, and Stripe are named, but the full list is only available via an external link; a merger/acquisition data sharing clause is broad.
Commits to EU-based processing as a rule, but allows third-country transfers 'in rare cases' with standard safeguards; the use of US cloud providers creates an inherent transfer risk not fully quantified.
Explicitly states 'Your data is not used for training AI models' and that content is processed solely to provide contracted services under the DPA.
All standard GDPR rights are listed with clear descriptions, contact email, and the specific supervisory authority (Berlin DPA) is named.
Fő megállapítások
Fontos záradékok, problémák vagy jó gyakorlatok (kritikusak először)
Sub-processor list externalized and not in policy text
The policy references a sub-processor list in the Trust Center but does not include it inline. Users must navigate externally to see who processes their data. The named providers (Microsoft, Google, Stripe) are US-based, implying international transfers that are not individually detailed.
Vague retention periods for several data categories
While some retention periods are specific (30 days post-contract for user accounts, 10 years for billing, 6 months for job applications), others rely on vague language like 'after the expiration of the statutory retention periods for business communications' without specifying the duration.
Merger and acquisition data sharing clause is broad
Section 3(b) allows data sharing with prospective or actual acquirers and their advisors in M&A scenarios, subject only to confidentiality obligations and necessity. No specific safeguards like prior notification or consent are mentioned.
Explicit no-AI-training commitment
Section 2(g) states unambiguously that user content (chats, projects) is not used for training AI models. This is a strong privacy-positive commitment that addresses a key concern for AI platforms.
Legitimate interest used for product emails to existing users
Section 2(e) uses legitimate interest (Art. 6(1)(f) GDPR + Section 7(3) UWG) to send product update emails to registered users unless they object. This is a soft opt-out approach rather than explicit consent, which is permissible under German law but less privacy-protective than opt-in.
Telemetry data claims of non-personal nature are unverified
Section 2(g) claims telemetry data 'does not allow any conclusions to be drawn about individual persons' and 'never contains personal data,' but aggregated usage statistics and error messages tied to sessions could potentially be re-identifying, especially for small workspaces.
Automated decision-making with human review safeguard
Section 5 acknowledges that bot/spam detection may constitute Art. 22 GDPR automated decisions with significant effect, but provides a clear human review mechanism via support@langdock.com. This is a well-handled disclosure.
Összefoglaló a felhasználónak
Your chat and workflow content on Langdock is NOT used to train AI models, and your employer (not Langdock) controls that data. However, some of your account and billing data flows to US-based sub-processors like Microsoft and Google.
Megfelelőségi helyzet
Strong GDPR compliance posture with DPO appointed, ISO 27001 and SOC 2 Type II certifications, and clear legal basis citations for every processing activity. Minor gaps in sub-processor transparency and retention specificity.
EU-s átvitelek
Data is generally processed in the EU, but transfers to third countries can occur 'in rare cases' using SCCs, adequacy decisions, or the EU-U.S. Data Privacy Framework. The use of Microsoft and Google as sub-processors likely involves some US transfers, which is not fully detailed.
Észlelt jelek
A szövegben azonosított konkrét adatok és gyakorlatok
Bizonyító részletek
Közvetlen idézetek a szabályzatból e megállapítások alátámasztására
Your data is not used for training AI models.
As a general rule, we process personal data on servers within the European Union. In rare cases, particularly when services are not available in the EU or when you are located outside the EU and contact us, data may be transferred to 'third countries' outside the EU or the European Economic Area.
We delete your user account and associated data upon request or no later than within 30 days after termination of the contractual relationship, unless statutory retention obligations apply.
The processors used in the Langdock platform can be found in our list of sub-processors in our Trust Center.
In the context of a merger, acquisition, or sale, data may also be shared with the prospective or actual acquirer and their advisors. Such disclosure occurs only to the extent necessary and subject to confidentiality obligations.
Hiányzó vagy nem egyértelmű
- Full sub-processor list with transfer mechanisms for each
- Specific retention periods for support communications and social media data
- Details on which third-country transfers actually occur and with which providers
- Cookie categories and specific cookies used
- Data breach notification procedures
- DPIA (Data Protection Impact Assessment) references
- Specific details on encryption standards used
Felteendő kérdések
- Which sub-processors process data outside the EU, and what specific transfer mechanisms (SCCs, DPF certification) are in place for each?
- What are the exact retention periods for support communications, social media messages, and telemetry data?
- How is telemetry data anonymized, and has a re-identification risk assessment been conducted, especially for small workspaces?
- In the event of an M&A transaction, will data subjects be notified before their data is shared with the acquirer?
- What specific cookies and tracking technologies are currently deployed on the website beyond technically necessary ones?
- How quickly does Langdock respond to data subject rights requests (access, deletion, portability), and is there an automated self-service mechanism?
Elemzés megosztása
Bárki, aki rendelkezik ezzel a linkkel, megtekintheti a fenti eredményt.
A DentroChat készítette
100%-ban európai AI chat mindenkinek
Csevegj AI-val, dolgozz fájlokkal, generálj képeket és keress a weben. Az adatok Európában maradnak.