bestalternatives.eu privacy policy — score 65/100 (medium risk)
Laatst geanalyseerd
De rapportinhoud (samenvatting, bevindingen, citaten) is in het Engels gegenereerd en niet gelokaliseerd.
Best European Alternatives · bestalternatives.eu
Rapportdetails
medium risicoBest European Alternatives genuinely minimizes data and avoids cookies, but uses US-based processors without addressing international transfer safeguards and omits key GDPR rights and legal details.
This privacy policy belongs to a small European alternatives directory that practices strong data minimization — no cookies, anonymized analytics only, and limited voluntary product submissions. However, it has notable compliance gaps: both Vercel and Supabase are US-based processors with no mention of transfer safeguards (SCCs, adequacy decisions), Supabase is omitted from the third-party services disclosure, no legal basis for processing is specified, no retention periods are given, and several GDPR rights (portability, restriction, complaint, automated decision-making) are missing. The policy's claim that 'most GDPR rights have limited applicability' is a questionable framing that could mislead users.
Beoordeling per categorie
Uitsplitsing van het beleid over belangrijke compliancegebieden. Goed = sterk, redelijk = gemengd, slecht = zorgwekkend.
No cookies, anonymized analytics only, and product submissions are voluntary with limited fields — genuinely minimal collection.
Clear about analytics and cookies but omits Supabase from third-party list, specifies no legal basis, no retention periods, and no transfer safeguards.
Only two processors but Supabase is hidden in the security section rather than disclosed in the third-party services list; Vercel's global CDN raises transfer concerns.
Vercel CDN spans 51 countries and both Vercel and Supabase are US-based with zero mention of SCCs, adequacy decisions, or any transfer mechanism.
Policy is completely silent on AI/model training — no explicit prohibition or permission stated, though unlikely given minimal data.
Lists access, rectification, erasure, and objection but omits portability, restriction, complaint to supervisory authority, and automated decision-making; dismisses rights applicability.
Belangrijkste bevindingen
Opvallende clausules, problemen of positieve praktijken (kritiek eerst)
No international transfer safeguards documented
Vercel (US-based) hosts the site and provides analytics via a CDN spanning 51 countries. Supabase (US-based) is the database provider. The policy mentions no Standard Contractual Clauses, adequacy decisions, or other Chapter V GDPR safeguards. The only acknowledgment is a vague plan to 'move to a fully European based solution soon.'
Supabase omitted from third-party services disclosure
Supabase is mentioned only in the Data Security section as the 'database provider' but is conspicuously absent from the Third-Party Services section, which only lists Vercel. This is an incomplete processor disclosure under Article 13(1)(e) GDPR.
Incomplete GDPR rights listing
The rights section lists only access, rectification, erasure, and objection. It omits the right to data portability (Article 20), the right to restrict processing (Article 18), the right not to be subject to automated decision-making (Article 22), and the right to lodge a complaint with a supervisory authority (Article 77). The framing that 'most GDPR rights have limited applicability' is misleading — controllers cannot unilaterally declare rights inapplicable.
No legal basis for processing specified
The policy never states the legal basis under Article 6 GDPR for any processing activity — whether consent, legitimate interest, contract, or otherwise. This is a core transparency requirement under Articles 13(1)(c) and 14(1)(c).
No data retention periods specified
The policy does not state how long product submission data is retained. Article 13(2)(a) requires specifying the period for which data will be stored, or if not possible, the criteria used to determine that period.
Controller identity unclear
The policy uses 'I/my' throughout and identifies the controller only as 'Best European Alternatives (BEA)' — no legal entity name, registration details, or address is provided, making it difficult to verify the controller's identity as required by Article 13(1)(a).
Samenvatting voor de gebruiker
Your browsing data is largely anonymous here and there are no cookies, which is great. But if you submit a product, your submission data likely flows to US-based servers without clearly documented legal protections, and you're not told how long it's kept.
Nalevingshouding
The controller demonstrates privacy-friendly intent but falls short on several GDPR transparency and accountability requirements — particularly around international transfers, complete third-party disclosure, legal basis, retention, and the full set of data subject rights.
EU-overdrachten
Both Vercel (hosting/analytics) and Supabase (database) are US-based companies. Vercel's CDN spans 51 countries. The policy mentions no transfer safeguards such as Standard Contractual Clauses, adequacy decisions, or supplementary measures. The controller acknowledges planning to move to a European solution but has not done so yet. This is a significant gap under Chapter V GDPR.
Gedetecteerde signalen
Specifieke gegevens en praktijken geïdentificeerd in de tekst
Bewijsfragmenten
Directe citaten uit het beleid ter ondersteuning van deze bevindingen
Vercel — Hosting and anonymized analytics (global CDN has 126 Points of Presence in 94 cities across 51 countries.) - I'm planning to moving this to a fully European based solution soon.
My infrastructure uses HTTPS encryption, and my database provider (Supabase) implements industry-standard security practices.
As I collect minimal data, most GDPR rights have limited applicability.
No personally identifiable information is collected through analytics.
I do not use cookies. My website functions without storing any cookies on your device.
Ontbreekt of onduidelijk
- Legal basis for processing under Article 6 GDPR
- Data retention periods for product submissions
- Standard Contractual Clauses or other transfer mechanisms for US-based processors
- Full list of GDPR data subject rights (portability, restriction, complaint, automated decision-making)
- Legal identity and contact details of the controller (beyond email)
- Data breach notification procedures
- Supabase listed as a third-party processor
- Information about Buy Me a Coffee integration and any data flows to that service
Vragen om te stellen
- What specific transfer safeguards (SCCs, adequacy decisions, supplementary measures) are in place for data processed by Vercel and Supabase, both US-based companies?
- Why is Supabase not listed in the Third-Party Services section alongside Vercel, and what data exactly does it process?
- What is the legal basis under Article 6 GDPR for processing product submission data — consent, legitimate interest, or something else?
- How long is product submission data retained in the Supabase database, and what is the deletion process?
- Can you provide the full legal name and address of the data controller, not just the brand name 'Best European Alternatives'?
- Does the Buy Me a Coffee integration involve any personal data flows, and if so, why is this not addressed in the privacy policy?
Deel deze analyse
Iedereen met deze link kan het resultaat hierboven bekijken.
Gebouwd door DentroChat
100% Europese AI-chat voor iedereen
Chat met AI, werk met bestanden, genereer afbeeldingen en zoek op het web. Gegevens blijven in Europa.