duckduckgo.com privacy policy — score 82/100 (low risk)
Laatst geanalyseerd
De rapportinhoud (samenvatting, bevindingen, citaten) is in het Engels gegenereerd en niet gelokaliseerd.
Duck Duck Go, Inc. · duckduckgo.com
Rapportdetails
low risicoDuckDuckGo lives up to its no-tracking promise for core search and browsing, but its growing optional features (Duck.ai, Sync & Backup) and the Microsoft ad partnership introduce data flows the policy doesn't fully explain, especially around AI training and international transfer safeguards.
DuckDuckGo's privacy policy is unusually strong for a major tech product: it explicitly disclaims tracking, does not save IP addresses or unique identifiers alongside searches/chats/browsing, and does not sell personal information. However, the policy has notable gaps. It does not address whether Duck.ai chat data is used for AI model training. It acknowledges cross-border data transfers but fails to specify legal safeguards such as Standard Contractual Clauses. The Microsoft advertising relationship means ad-click data flows to a third party under a contractual commitment rather than a technical guarantee. Optional features like Sync & Backup and Email Protection each collect personal data under separate sub-policies, creating a fragmented privacy landscape. User rights are referenced but not detailed within the main policy itself.
Beoordeling per categorie
Uitsplitsing van het beleid over belangrijke compliancegebieden. Goed = sterk, redelijk = gemengd, slecht = zorgwekkend.
Core services collect no persistent identifiers; optional features request only what is necessary and are clearly opt-in.
Plain language is excellent for core services, but critical details on Duck.ai data handling and international transfer safeguards are deferred to sub-policies or omitted entirely.
Anonymous info shared with hosting/content providers; ad-click data flows to Microsoft under a contractual commitment; corporate SaaS vendors access voluntarily provided data — all described but with limited specificity on contracts.
The policy acknowledges global servers and a distributed team but provides no detail on transfer mechanisms (SCCs, adequacy decisions, or BCRs), only a vague commitment to 'follow applicable legal requirements.'
The policy is silent on whether Duck.ai chats or other data are used to train AI models; no opt-in or opt-out mechanism is mentioned in this document.
Rights are acknowledged and a dedicated Privacy Rights page is referenced, but the specific rights (access, deletion, portability, objection) are not enumerated in this policy itself.
Belangrijkste bevindingen
Opvallende clausules, problemen of positieve praktijken (kritiek eerst)
AI training data usage is completely unaddressed
The policy covers Duck.ai chats but never states whether chat content is used to train AI models (either DuckDuckGo's own or those of third-party AI providers like OpenAI and Anthropic). Given the June 2026 update specifically adding Duck.ai coverage, this is a critical omission.
Microsoft ad network receives ad-click data with only a contractual privacy commitment
Ad clicks are managed by Microsoft's ad network. The policy says 'Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.' This relies on Microsoft's contractual commitment rather than a technical anonymization guarantee, creating a trust dependency on a third party.
International transfer safeguards are unspecified
The policy acknowledges that data may be transferred across borders due to global servers and a distributed team, but only states 'we will follow applicable legal requirements' without identifying the legal mechanism (e.g., Standard Contractual Clauses, adequacy decisions). This is insufficient under GDPR Article 44 et seq.
Optional features create a fragmented privacy framework
Duck.ai, Email Protection, Sync & Backup, and the Subscription each have separate privacy policies. Users must consult multiple documents to understand the full picture, and the core 'we don't track you' promise does not apply to these features by definition.
No-tracking commitment is technically enforced, not just a promise
The policy states IP addresses and unique identifiers are never logged to disk in association with searches, chats, or browsing. This is a strong technical guarantee, not merely a policy commitment, making it significantly more trustworthy than a typical privacy policy.
Anonymous experiments use browser storage without full transparency
The policy mentions 'anonymous experiments to test different designs' that use browser storage, but does not specify what data is stored, how anonymity is ensured, or how users can identify or opt out of these experiments.
Samenvatting voor de gebruiker
DuckDuckGo's core search and browsing are genuinely private and don't create profiles about you, but if you use optional features like Duck.ai or Sync & Backup, you're trusting separate policies and third-party AI providers with your data.
Nalevingshouding
Largely compliant with GDPR principles, especially data minimization and purpose limitation for core services. Gaps exist around transparency on international transfer mechanisms and AI training data usage for Duck.ai.
EU-overdrachten
The policy acknowledges cross-border transfers (distributed team, global servers) but states only that it 'will follow applicable legal requirements' without specifying whether it relies on adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. This is insufficiently specific under GDPR Chapter V.
Gedetecteerde signalen
Specifieke gegevens en praktijken geïdentificeerd in de tekst
Bewijsfragmenten
Directe citaten uit het beleid ter ondersteuning van deze bevindingen
We don't save your IP address alongside your searches, Duck.ai chats, or visits to our websites, and we never log IP addresses to disk that could be tied back to you.
Ad clicks are managed by Microsoft's ad network and Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.
In such scenarios, if any cross-border transfers are necessary, we will follow applicable legal requirements.
We have never sold any personal information. Period.
Ontbreekt of onduidelijk
- AI model training usage and opt-out mechanism
- Specific international transfer legal mechanisms (SCCs, adequacy, BCRs)
- Data retention periods for optional feature data
- Details of Microsoft ad data processing agreement
- Cookie and local storage inventory
- DPIA or legitimate interest assessments
- Subprocessor list for optional features
Vragen om te stellen
- Is Duck.ai chat content shared with third-party AI providers (e.g., OpenAI, Anthropic), and if so, do those providers use it for model training?
- What specific legal mechanism does DuckDuckGo rely on for international data transfers — Standard Contractual Clauses, adequacy decisions, or something else?
- What data exactly is stored in browser storage during 'anonymous experiments,' and how can users opt out?
- Under what legal basis does DuckDuckGo process IP addresses and device information for security purposes — legitimate interest or consent?
- What are the specific retention periods for data collected through optional features like Email Protection and Sync & Backup?
- Does the Microsoft advertising agreement include audit rights for DuckDuckGo to verify compliance with the no-profiling commitment?
Deel deze analyse
Iedereen met deze link kan het resultaat hierboven bekijken.
Gebouwd door DentroChat
100% Europese AI-chat voor iedereen
Chat met AI, werk met bestanden, genereer afbeeldingen en zoek op het web. Gegevens blijven in Europa.