tella.com privacy policy — score 55/100 (medium risk)
Laatst geanalyseerd
De rapportinhoud (samenvatting, bevindingen, citaten) is in het Engels gegenereerd en niet gelokaliseerd.
Tella HQ Inc. · tella.com
Rapportdetails
medium risicoTella collects sensitive video data and shares it with numerous US-based AI and analytics providers without clearly stating if your data trains their models, making it a mixed bag for EU users.
The policy is relatively transparent about data categories and legal bases, correctly identifying video recordings as special category data requiring explicit consent. However, it suffers from significant gaps regarding AI sub-processors, contradictory language on profiling, and a massive list of US-based third parties receiving EU user data, including biometric and video content. While Standard Contractual Clauses are mentioned for international transfers, the scope of data sharing with AI companies without explicit model training opt-outs is a major concern.
Beoordeling per categorie
Uitsplitsing van het beleid over belangrijke compliancegebieden. Goed = sterk, redelijk = gemengd, slecht = zorgwekkend.
Collects necessary account and support data, but the breadth of analytics tracking and sending video content to multiple AI providers pushes the boundaries of minimization.
The policy lists purposes and legal bases clearly, but uses confusing terminology regarding profiling and completely omits whether AI providers use data for model training.
An exceptionally long list of sub-processors, predominantly US-based, handle user data, including highly sensitive video content analyzed by AI companies.
Data is stored in the US and shared with over 20 US-based sub-processors; while SCCs are mentioned, the scale of US transfers for special category data is concerning.
The policy is completely silent on whether user data (especially video transcriptions and summaries) is used to train third-party AI models, which is a critical gap.
GDPR rights are clearly listed with specific explanations, contact details are provided, and the response window complies with the one-month statutory limit.
Belangrijkste bevindingen
Opvallende clausules, problemen of positieve praktijken (kritiek eerst)
AI Sub-processor Ambiguity on Model Training
The policy lists several AI providers (Anthropic, OpenAI, AssemblyAI) for analyzing, summarizing, and transcribing video content, but it fails to explicitly state whether these third parties use the input data to train their own AI models. This is a major red flag under the GDPR principle of purpose limitation and data minimization, especially for special category data.
Contradictory Profiling Claims
Section 3.5 explicitly lists 'Profiling for our research, development and improvement of our Services' as a purpose based on legitimate interest, while Section 5 claims 'We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.' This creates confusion about what kind of profiling is actually occurring and whether it goes beyond Article 22.
Extensive US Transfers of Special Category Data
The vast majority of sub-processors are located in the United States, meaning EU user data, including special category video data, is heavily transferred out of the EEA. While Standard Contractual Clauses are mentioned, the volume and nature of these transfers present significant privacy risks given the US surveillance landscape.
Special Category Data Handling
The policy correctly identifies video recordings (facial image, voice) as special category data and relies on explicit consent (Article 9 GDPR) for consumer accounts, which is appropriate, but requires strict verification that consent is genuinely obtained before processing begins.
Samenvatting voor de gebruiker
Your video recordings, including your face and voice, are processed by Tella and sent to US-based AI companies like OpenAI and Anthropic for transcription and summarization. It is unclear if these AI companies use your videos to train their models.
Nalevingshouding
mixed
EU-overdrachten
poor
Gedetecteerde signalen
Specifieke gegevens en praktijken geïdentificeerd in de tekst
Bewijsfragmenten
Directe citaten uit het beleid ter ondersteuning van deze bevindingen
Anthropic (Anthropic PBC) Location: United States Purpose: To analyse and summarise video content created with Tella.
3.5. Website analytics data... Purpose: Profiling for our research, development and improvement of our Services. Legal basis: Necessary for the purpose of our legitimate interests...
We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
If we share your personal data in accordance with this Tella Privacy Policy within group, or with a third party located outside the European Economic Area, we ensure where required that appropriate safeguards are in place... particularly by signing the Standard Contractual Clauses
Ontbreekt of onduidelijk
- AI model training opt-out
- Data Protection Impact Assessment (DPIA) summary
- Cookie consent details
- Anonymization or pseudonymization strategies for analytics
Vragen om te stellen
- Do your agreements with AI sub-processors like OpenAI and Anthropic explicitly prohibit the use of Tella customer data for training their foundation models?
- What specific profiling activities are occurring under Section 3.5, and how do they differ from the Article 22 profiling denied in Section 5?
- How exactly is explicit consent collected from consumer users before their facial image and voice (special category data) in video recordings are processed and sent to third parties?
- Have Data Protection Impact Assessments (DPIAs) been conducted for the processing of special category video data and its transfer to US-based AI providers?
Deel deze analyse
Iedereen met deze link kan het resultaat hierboven bekijken.
Gebouwd door DentroChat
100% Europese AI-chat voor iedereen
Chat met AI, werk met bestanden, genereer afbeeldingen en zoek op het web. Gegevens blijven in Europa.