cake.com privacy policy — score 62/100 (medium risk)
Sist analysert
Rapportinnholdet (sammendrag, funn, sitater) er generert på engelsk og er ikke lokalisert.
CAKE.com Inc. · cake.com
Rapportdetaljer
medium risikoCAKE.com provides standard EU data rights and transfer safeguards but collects highly intrusive workplace surveillance data—like screenshots, background location, and app usage—on behalf of employers, who act as the data controllers for their employees.
The privacy policy covers CAKE.com's suite of productivity and tracking tools (Clockify, Pumble, Plaky). It distinguishes between Business Users (employers) and Authorized Users (employees). While it includes a robust section for EEA users detailing GDPR rights, legal bases, and Standard Contractual Clauses for international transfers, the core product features involve extensive employee monitoring. Authorized Users are largely dependent on their employers (the Business Users) for privacy notices, consent collection, and the exercise of data subject rights, creating a potential power imbalance and friction for individual privacy.
Vurdering per kategori
Oppdeling av erklæringen på viktige compliance-områder. God = sterk, rimelig = blandet, dårlig = bekymringsfull.
The policy describes collecting highly intrusive data for employee monitoring, including precise background location, desktop screenshots, and continuous app/website usage tracking, which goes well beyond what is strictly necessary for basic project management.
The policy clearly delineates between Business Users and Authorized Users, lists specific data types collected per product feature, and provides a dedicated, detailed section for EEA individuals outlining legal bases and rights.
Data is shared with a published list of subprocessors for legitimate operational purposes, but the policy also permits sharing for personalized advertising and broad sharing at the Business User's direction without explicit limitations.
While default processing occurs in the US, CAKE.com implements SCCs and the UK addendum for EU transfers, and offers an EEA data storage option for some services, though many subprocessors are US-based.
The policy is completely silent on the use of personal data for AI or model training, which leaves a gap regarding whether employee messages, files, or tracking data might be used to train algorithms.
Full GDPR rights are enumerated for EEA users, but Authorized Users are explicitly told to contact their Business User (employer) to exercise these rights, limiting their direct recourse against CAKE.com as the processor.
Viktige funn
Bemerkelsesverdige klausuler, problemer eller gode praksiser (kritiske først)
Invasive Employee Surveillance Features
The policy details the collection of precise location (even in the background), desktop screenshots at timed intervals, and auto-tracking of all applications and websites used. This level of surveillance poses a high risk to employee privacy and requires careful balancing under GDPR Article 5(1)(b) and (c).
Shift of GDPR Responsibility to Employers
CAKE.com explicitly states that Business Users are responsible for providing notices and collecting consents from Authorized Users, and that Authorized Users must contact their employer to exercise data subject rights. This shields CAKE.com but leaves employees dependent on their employer's compliance efforts.
Behavioral Advertising on Third-Party Platforms
The policy states they use information to 'Personalize the advertisements you see on third-party platforms and websites' and rely on legitimate interest for data analytics, which requires careful scrutiny under GDPR regarding whether tracking employees for ad personalization is truly a legitimate interest.
Ambiguous Data Retention for Sensitive Categories
While the policy mentions that screenshots, GPS location, and auto-tracking info are 'automatically and routinely deleted after a designated time,' it fails to specify what that designated time is, leaving Authorized Users in the dark about how long their sensitive surveillance data persists.
Oppsummering for brukeren
If you are an employee using Clockify, your employer can track your location, take screenshots of your desktop, and monitor your app usage; you must ask your employer, not CAKE.com, to delete your data.
Compliance-stilling
CAKE.com attempts to shield itself from GDPR liability regarding employees by positioning the employer as the data controller, but the invasive nature of the tracking tools (background location, screenshots) requires strict adherence to data minimization and purpose limitation principles by the employers, which CAKE.com only loosely enforces.
EU-overføringer
Data is primarily processed in the US, but CAKE.com implements Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. They also offer an option for EEA-based data storage for some services, which is a positive step, though US subprocessors still handle support, payments, and analytics.
Oppdagede signaler
Spesifikke datapunkter og praksiser identifisert i teksten
Bevisutdrag
Direkte sitater fra erklæringen som støtter disse funnene
Location Tracker tool information (Clockify only): in accordance with your device permissions, we may collect information about the precise location of your device... Locations are collected even if the mobile application works in the background.
CAKE.com does not directly control the processing of Authorized User personal information, but rather Business Users are responsible for providing their Authorized Users any required notices and collecting any necessary consents...
Personalize the advertisements you see on third-party platforms and websites (for more information, see the Advertising and Analytics section below)
Additionally, some information, including but not limited to screenshots, GPS location, auto-tracking, and audit-log information are automatically and routinely deleted after a designated time as part of our data retention policies.
Mangler eller uklart
- Specific retention periods for surveillance data (screenshots, location, auto-tracking)
- Whether CAKE.com conducts Data Protection Impact Assessments (DPIAs) for its high-risk tracking features
- Explicit details on the legal basis used for specific tracking features (e.g., is screenshotting based on legitimate interest or contract?)
- Whether the EEA data storage option is the default for EEA customers or an opt-in feature
Spørsmål å stille
- What is the exact 'designated time' after which screenshots, GPS location, and auto-tracking data are automatically deleted?
- Does CAKE.com require Business Users to complete a Data Protection Impact Assessment (DPIA) before activating the Location Tracker, Screenshot, or Auto Tracker tools for Authorized Users?
- How does CAKE.com justify the use of Authorized User data for 'personalizing advertisements' under the legitimate interest legal basis in the EEA?
- Is the option to store and process data exclusively within the EEA enabled by default for Business Users and Authorized Users located in the EEA?
- Does CAKE.com use any of the chat messages, files, or tracking data from Authorized Users to train AI models or improve algorithms?
Del denne analysen
Alle med denne lenken kan se resultatet ovenfor.
Bygget av DentroChat
100 % europeisk AI-chat for alle
Chat med AI, jobb med filer, generer bilder og søk på nettet. Data forblir i Europa.