bestalternatives.eu privacy policy — score 65/100 (medium risk)
Ultima analisi
Il contenuto del report (sintesi, risultati, citazioni) è stato generato in inglese e non è localizzato.
Best European Alternatives · bestalternatives.eu
Dettagli del report
medium rischioBest European Alternatives genuinely minimizes data and avoids cookies, but uses US-based processors without addressing international transfer safeguards and omits key GDPR rights and legal details.
This privacy policy belongs to a small European alternatives directory that practices strong data minimization — no cookies, anonymized analytics only, and limited voluntary product submissions. However, it has notable compliance gaps: both Vercel and Supabase are US-based processors with no mention of transfer safeguards (SCCs, adequacy decisions), Supabase is omitted from the third-party services disclosure, no legal basis for processing is specified, no retention periods are given, and several GDPR rights (portability, restriction, complaint, automated decision-making) are missing. The policy's claim that 'most GDPR rights have limited applicability' is a questionable framing that could mislead users.
Valutazione per categoria
Suddivisione dell'informativa nelle principali aree di conformità. Buono = solido, discreto = misto, scarso = preoccupante.
No cookies, anonymized analytics only, and product submissions are voluntary with limited fields — genuinely minimal collection.
Clear about analytics and cookies but omits Supabase from third-party list, specifies no legal basis, no retention periods, and no transfer safeguards.
Only two processors but Supabase is hidden in the security section rather than disclosed in the third-party services list; Vercel's global CDN raises transfer concerns.
Vercel CDN spans 51 countries and both Vercel and Supabase are US-based with zero mention of SCCs, adequacy decisions, or any transfer mechanism.
Policy is completely silent on AI/model training — no explicit prohibition or permission stated, though unlikely given minimal data.
Lists access, rectification, erasure, and objection but omits portability, restriction, complaint to supervisory authority, and automated decision-making; dismisses rights applicability.
Risultati chiave
Clausole rilevanti, problemi o buone pratiche individuate (critici per primi)
No international transfer safeguards documented
Vercel (US-based) hosts the site and provides analytics via a CDN spanning 51 countries. Supabase (US-based) is the database provider. The policy mentions no Standard Contractual Clauses, adequacy decisions, or other Chapter V GDPR safeguards. The only acknowledgment is a vague plan to 'move to a fully European based solution soon.'
Supabase omitted from third-party services disclosure
Supabase is mentioned only in the Data Security section as the 'database provider' but is conspicuously absent from the Third-Party Services section, which only lists Vercel. This is an incomplete processor disclosure under Article 13(1)(e) GDPR.
Incomplete GDPR rights listing
The rights section lists only access, rectification, erasure, and objection. It omits the right to data portability (Article 20), the right to restrict processing (Article 18), the right not to be subject to automated decision-making (Article 22), and the right to lodge a complaint with a supervisory authority (Article 77). The framing that 'most GDPR rights have limited applicability' is misleading — controllers cannot unilaterally declare rights inapplicable.
No legal basis for processing specified
The policy never states the legal basis under Article 6 GDPR for any processing activity — whether consent, legitimate interest, contract, or otherwise. This is a core transparency requirement under Articles 13(1)(c) and 14(1)(c).
No data retention periods specified
The policy does not state how long product submission data is retained. Article 13(2)(a) requires specifying the period for which data will be stored, or if not possible, the criteria used to determine that period.
Controller identity unclear
The policy uses 'I/my' throughout and identifies the controller only as 'Best European Alternatives (BEA)' — no legal entity name, registration details, or address is provided, making it difficult to verify the controller's identity as required by Article 13(1)(a).
Sintesi per l'utente
Your browsing data is largely anonymous here and there are no cookies, which is great. But if you submit a product, your submission data likely flows to US-based servers without clearly documented legal protections, and you're not told how long it's kept.
Postura di conformità
The controller demonstrates privacy-friendly intent but falls short on several GDPR transparency and accountability requirements — particularly around international transfers, complete third-party disclosure, legal basis, retention, and the full set of data subject rights.
Trasferimenti UE
Both Vercel (hosting/analytics) and Supabase (database) are US-based companies. Vercel's CDN spans 51 countries. The policy mentions no transfer safeguards such as Standard Contractual Clauses, adequacy decisions, or supplementary measures. The controller acknowledges planning to move to a European solution but has not done so yet. This is a significant gap under Chapter V GDPR.
Segnali rilevati
Dati e pratiche specifiche identificate nel testo
Estratti probatori
Citazioni dirette dall'informativa a supporto di questi risultati
Vercel — Hosting and anonymized analytics (global CDN has 126 Points of Presence in 94 cities across 51 countries.) - I'm planning to moving this to a fully European based solution soon.
My infrastructure uses HTTPS encryption, and my database provider (Supabase) implements industry-standard security practices.
As I collect minimal data, most GDPR rights have limited applicability.
No personally identifiable information is collected through analytics.
I do not use cookies. My website functions without storing any cookies on your device.
Mancante o poco chiaro
- Legal basis for processing under Article 6 GDPR
- Data retention periods for product submissions
- Standard Contractual Clauses or other transfer mechanisms for US-based processors
- Full list of GDPR data subject rights (portability, restriction, complaint, automated decision-making)
- Legal identity and contact details of the controller (beyond email)
- Data breach notification procedures
- Supabase listed as a third-party processor
- Information about Buy Me a Coffee integration and any data flows to that service
Domande da porre
- What specific transfer safeguards (SCCs, adequacy decisions, supplementary measures) are in place for data processed by Vercel and Supabase, both US-based companies?
- Why is Supabase not listed in the Third-Party Services section alongside Vercel, and what data exactly does it process?
- What is the legal basis under Article 6 GDPR for processing product submission data — consent, legitimate interest, or something else?
- How long is product submission data retained in the Supabase database, and what is the deletion process?
- Can you provide the full legal name and address of the data controller, not just the brand name 'Best European Alternatives'?
- Does the Buy Me a Coffee integration involve any personal data flows, and if so, why is this not addressed in the privacy policy?
Condividi questa analisi
Chiunque abbia questo link può visualizzare il risultato sopra.
Realizzato da DentroChat
Chat IA 100% europea per tutti
Chatta con l'IA, lavora con file, genera immagini e cerca sul web. I dati restano in Europa.