tella.com privacy policy — score 55/100 (medium risk)
Sist analysert
Rapportinnholdet (sammendrag, funn, sitater) er generert på engelsk og er ikke lokalisert.
Tella HQ Inc. · tella.com
Rapportdetaljer
medium risikoTella collects sensitive video data and shares it with numerous US-based AI and analytics providers without clearly stating if your data trains their models, making it a mixed bag for EU users.
The policy is relatively transparent about data categories and legal bases, correctly identifying video recordings as special category data requiring explicit consent. However, it suffers from significant gaps regarding AI sub-processors, contradictory language on profiling, and a massive list of US-based third parties receiving EU user data, including biometric and video content. While Standard Contractual Clauses are mentioned for international transfers, the scope of data sharing with AI companies without explicit model training opt-outs is a major concern.
Vurdering per kategori
Oppdeling av erklæringen på viktige compliance-områder. God = sterk, rimelig = blandet, dårlig = bekymringsfull.
Collects necessary account and support data, but the breadth of analytics tracking and sending video content to multiple AI providers pushes the boundaries of minimization.
The policy lists purposes and legal bases clearly, but uses confusing terminology regarding profiling and completely omits whether AI providers use data for model training.
An exceptionally long list of sub-processors, predominantly US-based, handle user data, including highly sensitive video content analyzed by AI companies.
Data is stored in the US and shared with over 20 US-based sub-processors; while SCCs are mentioned, the scale of US transfers for special category data is concerning.
The policy is completely silent on whether user data (especially video transcriptions and summaries) is used to train third-party AI models, which is a critical gap.
GDPR rights are clearly listed with specific explanations, contact details are provided, and the response window complies with the one-month statutory limit.
Viktige funn
Bemerkelsesverdige klausuler, problemer eller gode praksiser (kritiske først)
AI Sub-processor Ambiguity on Model Training
The policy lists several AI providers (Anthropic, OpenAI, AssemblyAI) for analyzing, summarizing, and transcribing video content, but it fails to explicitly state whether these third parties use the input data to train their own AI models. This is a major red flag under the GDPR principle of purpose limitation and data minimization, especially for special category data.
Contradictory Profiling Claims
Section 3.5 explicitly lists 'Profiling for our research, development and improvement of our Services' as a purpose based on legitimate interest, while Section 5 claims 'We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.' This creates confusion about what kind of profiling is actually occurring and whether it goes beyond Article 22.
Extensive US Transfers of Special Category Data
The vast majority of sub-processors are located in the United States, meaning EU user data, including special category video data, is heavily transferred out of the EEA. While Standard Contractual Clauses are mentioned, the volume and nature of these transfers present significant privacy risks given the US surveillance landscape.
Special Category Data Handling
The policy correctly identifies video recordings (facial image, voice) as special category data and relies on explicit consent (Article 9 GDPR) for consumer accounts, which is appropriate, but requires strict verification that consent is genuinely obtained before processing begins.
Oppsummering for brukeren
Your video recordings, including your face and voice, are processed by Tella and sent to US-based AI companies like OpenAI and Anthropic for transcription and summarization. It is unclear if these AI companies use your videos to train their models.
Compliance-stilling
mixed
EU-overføringer
poor
Oppdagede signaler
Spesifikke datapunkter og praksiser identifisert i teksten
Bevisutdrag
Direkte sitater fra erklæringen som støtter disse funnene
Anthropic (Anthropic PBC) Location: United States Purpose: To analyse and summarise video content created with Tella.
3.5. Website analytics data... Purpose: Profiling for our research, development and improvement of our Services. Legal basis: Necessary for the purpose of our legitimate interests...
We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
If we share your personal data in accordance with this Tella Privacy Policy within group, or with a third party located outside the European Economic Area, we ensure where required that appropriate safeguards are in place... particularly by signing the Standard Contractual Clauses
Mangler eller uklart
- AI model training opt-out
- Data Protection Impact Assessment (DPIA) summary
- Cookie consent details
- Anonymization or pseudonymization strategies for analytics
Spørsmål å stille
- Do your agreements with AI sub-processors like OpenAI and Anthropic explicitly prohibit the use of Tella customer data for training their foundation models?
- What specific profiling activities are occurring under Section 3.5, and how do they differ from the Article 22 profiling denied in Section 5?
- How exactly is explicit consent collected from consumer users before their facial image and voice (special category data) in video recordings are processed and sent to third parties?
- Have Data Protection Impact Assessments (DPIAs) been conducted for the processing of special category video data and its transfer to US-based AI providers?
Del denne analysen
Alle med denne lenken kan se resultatet ovenfor.
Bygget av DentroChat
100 % europeisk AI-chat for alle
Chat med AI, jobb med filer, generer bilder og søk på nettet. Data forblir i Europa.