qdrant.tech privacy policy — score 65/100 (medium risk)

Sist analysert 7 April 2026

Denne rapporten er mer enn 28 dager gammel. Den viser den sist lagrede analysen for denne erklæringen — oppdater for å hente den live siden og fornye poengsummen.

Rapportinnholdet (sammendrag, funn, sitater) er generert på engelsk og er ikke lokalisert.

65personvernscore

Rapportdetaljer

medium risiko

Qdrant’s policy leans heavily on legitimate‑interest and US third‑party transfers, gives consent options for newsletters, but lacks clear limits on data collection and any mention of AI model training, making it only moderately privacy‑friendly.

The privacy policy provides the required legal bases and lists many processors, but it often relies on legitimate interest for core website functions, gives vague retention periods, and does not disclose whether user data is used to train AI models. International transfers are covered by SCCs and the EU‑US Data Privacy Framework, yet the reliance on US providers remains a risk. User rights are described, but practical mechanisms (e.g., easy withdrawal of consent, DPO contact process) are not detailed.

Sist analysert7 April 2026

KildeURL

Lengde120,000 tegn

Vurdering per kategori

Oppdeling av erklæringen på viktige compliance-områder. God = sterk, rimelig = blandet, dårlig = bekymringsfull.

Data Minimizationfair

The policy does not specify limits on the amount of data collected; it lists many data points (IP, browser details, usage logs) collected by default.

Transparencyfair

Legal bases are listed, but the description of processing purposes is generic and does not detail profiling or AI model training.

Third-party Sharingfair

Numerous third parties (HubSpot, Segment, Google Analytics, Mixpanel, Stripe, Netlify) are used, many based outside the EEA, with reliance on SCCs.

International Transfersfair

Transfers are covered by SCCs and the EU‑US Data Privacy Framework, but the policy lacks per‑processor risk assessments.

AI/Model Trainingpoor

No mention of whether personal data is used to train Qdrant’s AI models or how users can opt‑out.

User Rightsgood

Rights are enumerated (access, rectification, erasure, portability, objection) and contact details for the DPO are provided.

Viktige funn

Bemerkelsesverdige klausuler, problemer eller gode praksiser (kritiske først)

Kritisk

No disclosure of AI or model‑training usage

The policy never mentions whether personal data collected via the website or cloud service is used to train or improve Qdrant’s AI models, leaving a significant transparency gap.

Advarsel

Extensive reliance on legitimate interest for core website functions

The policy states that IP address, browser details, and other log data are processed on the basis of Art. 6(1)(f) GDPR as a legitimate interest, without offering a clear opt‑out mechanism for users.

Advarsel

Broad international data transfers to US providers

Multiple US‑based processors (HubSpot, Segment, Google Analytics, Mixpanel, OneTrust, Netlify) are used, with transfers justified by standard contractual clauses or the EU‑US Data Privacy Framework, but the policy does not disclose specific safeguards per processor.

Info

Vague data retention periods for many categories

While log files are deleted after 14 days and IPs after 90 days, other data (e.g., newsletter contacts, customer accounts) have no explicit retention schedule, relying on “as long as necessary” language.

Info

Consent management for newsletters is described, but the revocation process is unclear

The policy says consent can be revoked by clicking a link or emailing, but does not specify how quickly the revocation is processed or whether it automatically stops all marketing communications.

Oppsummering for brukeren

Your data may be shared with many US‑based services (e.g., HubSpot, Google Analytics, Mixpanel) under standard contractual clauses; you can object to direct marketing, but the policy does not clearly explain how your data might be used for AI training or profiling beyond marketing.

Compliance-stilling

Mixed – the policy meets many formal GDPR requirements (legal bases, rights, DPO contact) but falls short on transparency about data minimisation, purpose limitation, and AI usage.

EU-overføringer

Transfers to the US are justified by SCCs and the EU‑US Data Privacy Framework, but the policy does not provide detailed safeguards for each processor, nor does it offer an easy way for data subjects to object to such transfers.

Oppdagede signaler

Spesifikke datapunkter og praksiser identifisert i teksten

Innsamlede data

IP addressDate and time of requestTime zone difference to GMTContent of the request (specific page)Access status/HTTP status codeAmount of data transferredWebsite referrer URLBrowser operating system and versionLanguage and version of the browser softwareFirst and last nameE‑mail addressCustomer IDRegionCluster statusCloud providerAuthentication typePayment informationRAM usageDeployment type

Behandlingsformål

Website stability and securityProviding and maintaining Qdrant Cloud ServiceCustomer support and contact form handlingMarketing newsletters and direct advertisingStatistical analysis and service improvementPayment processingEmployment recruitmentAnalytics and profiling for advertising

Deling med tredjeparter

HubSpot (USA, EU processing)Segment (USA)Google Analytics (USA)Google Tag Manager (USA)Mixpanel (USA)OneTrust (USA)Netlify (USA)Stripe (USA and EU)Auth0 (USA, SCCs and EU‑US Data Privacy Framework)Mailjet (EU)HeyData (EU)

Internasjonale overføringer

Standard contractual clauses for Netlify, Segment, OneTrust, Stripe, Auth0EU‑US Data Privacy Framework for HubSpot, Stripe, Auth0

Bevisutdrag

Direkte sitater fra erklæringen som støtter disse funnene

During the informative use of the website, ... we collect the personal data that the browser transmits to our server ... This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

We use HubSpot to manage leads ... The provider processes usage data ... in the EU. The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR.

We use Google Analytics for analytics. ... The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent.

Data subjects have the following rights ... Right of access, Right to correction or deletion, Right to limit processing, Right to object ...

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred ... is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR).

Mangler eller uklart

Explicit statement on whether personal data is used for AI model training or improvement
Detailed retention periods for non‑log data (e.g., newsletter contacts, customer accounts)
Clear opt‑out mechanism for legitimate‑interest processing of website logs
Information on profiling beyond direct marketing

Spørsmål å stille

Do you use any of the collected personal data (including log data) to train or improve Qdrant’s AI models, and if so, can users opt‑out?
What specific safeguards (technical or contractual) are in place for each US‑based processor beyond the generic SCCs?
How is consent for analytics (Google Analytics, Mixpanel, etc.) obtained and recorded, and can users withdraw it easily?
Can you provide a detailed retention schedule for each data category (e.g., newsletter subscribers, customer accounts, payment data)?
Is there a mechanism for users to object to the legitimate‑interest processing of website logs, and how is that request handled?

Denne analysen er generert av AI og er ikke juridisk rådgivning. Rådfør deg alltid med en kvalifisert jurist for compliance-beslutninger.

Del denne analysen

Alle med denne lenken kan se resultatet ovenfor.

Bygget av DentroChat

100 % europeisk AI-chat for alle

Chat med AI, jobb med filer, generer bilder og søk på nettet. Data forblir i Europa.

Infrastruktur hostet i EUTekst, filer, bilder og nettsøkRask-, Tenk- og Kreativ-modusPersonvern først som standardIngen data forlater Europa

Prøv gratis →