duckduckgo.com privacy policy — score 82/100 (low risk)
Última análise
O conteúdo do relatório (resumo, conclusões, citações) foi gerado em inglês e não está localizado.
Duck Duck Go, Inc. · duckduckgo.com
Detalhes do relatório
low riscoDuckDuckGo lives up to its no-tracking promise for core search and browsing, but its growing optional features (Duck.ai, Sync & Backup) and the Microsoft ad partnership introduce data flows the policy doesn't fully explain, especially around AI training and international transfer safeguards.
DuckDuckGo's privacy policy is unusually strong for a major tech product: it explicitly disclaims tracking, does not save IP addresses or unique identifiers alongside searches/chats/browsing, and does not sell personal information. However, the policy has notable gaps. It does not address whether Duck.ai chat data is used for AI model training. It acknowledges cross-border data transfers but fails to specify legal safeguards such as Standard Contractual Clauses. The Microsoft advertising relationship means ad-click data flows to a third party under a contractual commitment rather than a technical guarantee. Optional features like Sync & Backup and Email Protection each collect personal data under separate sub-policies, creating a fragmented privacy landscape. User rights are referenced but not detailed within the main policy itself.
Avaliação por categoria
Repartição da política pelas principais áreas de conformidade. Bom = sólido, razoável = misto, fraco = preocupante.
Core services collect no persistent identifiers; optional features request only what is necessary and are clearly opt-in.
Plain language is excellent for core services, but critical details on Duck.ai data handling and international transfer safeguards are deferred to sub-policies or omitted entirely.
Anonymous info shared with hosting/content providers; ad-click data flows to Microsoft under a contractual commitment; corporate SaaS vendors access voluntarily provided data — all described but with limited specificity on contracts.
The policy acknowledges global servers and a distributed team but provides no detail on transfer mechanisms (SCCs, adequacy decisions, or BCRs), only a vague commitment to 'follow applicable legal requirements.'
The policy is silent on whether Duck.ai chats or other data are used to train AI models; no opt-in or opt-out mechanism is mentioned in this document.
Rights are acknowledged and a dedicated Privacy Rights page is referenced, but the specific rights (access, deletion, portability, objection) are not enumerated in this policy itself.
Conclusões principais
Cláusulas relevantes, problemas ou boas práticas identificadas (críticas primeiro)
AI training data usage is completely unaddressed
The policy covers Duck.ai chats but never states whether chat content is used to train AI models (either DuckDuckGo's own or those of third-party AI providers like OpenAI and Anthropic). Given the June 2026 update specifically adding Duck.ai coverage, this is a critical omission.
Microsoft ad network receives ad-click data with only a contractual privacy commitment
Ad clicks are managed by Microsoft's ad network. The policy says 'Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.' This relies on Microsoft's contractual commitment rather than a technical anonymization guarantee, creating a trust dependency on a third party.
International transfer safeguards are unspecified
The policy acknowledges that data may be transferred across borders due to global servers and a distributed team, but only states 'we will follow applicable legal requirements' without identifying the legal mechanism (e.g., Standard Contractual Clauses, adequacy decisions). This is insufficient under GDPR Article 44 et seq.
Optional features create a fragmented privacy framework
Duck.ai, Email Protection, Sync & Backup, and the Subscription each have separate privacy policies. Users must consult multiple documents to understand the full picture, and the core 'we don't track you' promise does not apply to these features by definition.
No-tracking commitment is technically enforced, not just a promise
The policy states IP addresses and unique identifiers are never logged to disk in association with searches, chats, or browsing. This is a strong technical guarantee, not merely a policy commitment, making it significantly more trustworthy than a typical privacy policy.
Anonymous experiments use browser storage without full transparency
The policy mentions 'anonymous experiments to test different designs' that use browser storage, but does not specify what data is stored, how anonymity is ensured, or how users can identify or opt out of these experiments.
Resumo para o utilizador
DuckDuckGo's core search and browsing are genuinely private and don't create profiles about you, but if you use optional features like Duck.ai or Sync & Backup, you're trusting separate policies and third-party AI providers with your data.
Postura de conformidade
Largely compliant with GDPR principles, especially data minimization and purpose limitation for core services. Gaps exist around transparency on international transfer mechanisms and AI training data usage for Duck.ai.
Transferências UE
The policy acknowledges cross-border transfers (distributed team, global servers) but states only that it 'will follow applicable legal requirements' without specifying whether it relies on adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. This is insufficiently specific under GDPR Chapter V.
Sinais detetados
Dados e práticas específicas identificadas no texto
Fragmentos de evidência
Citações diretas da política que suportam estas conclusões
We don't save your IP address alongside your searches, Duck.ai chats, or visits to our websites, and we never log IP addresses to disk that could be tied back to you.
Ad clicks are managed by Microsoft's ad network and Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.
In such scenarios, if any cross-border transfers are necessary, we will follow applicable legal requirements.
We have never sold any personal information. Period.
Em falta ou pouco claro
- AI model training usage and opt-out mechanism
- Specific international transfer legal mechanisms (SCCs, adequacy, BCRs)
- Data retention periods for optional feature data
- Details of Microsoft ad data processing agreement
- Cookie and local storage inventory
- DPIA or legitimate interest assessments
- Subprocessor list for optional features
Perguntas a fazer
- Is Duck.ai chat content shared with third-party AI providers (e.g., OpenAI, Anthropic), and if so, do those providers use it for model training?
- What specific legal mechanism does DuckDuckGo rely on for international data transfers — Standard Contractual Clauses, adequacy decisions, or something else?
- What data exactly is stored in browser storage during 'anonymous experiments,' and how can users opt out?
- Under what legal basis does DuckDuckGo process IP addresses and device information for security purposes — legitimate interest or consent?
- What are the specific retention periods for data collected through optional features like Email Protection and Sync & Backup?
- Does the Microsoft advertising agreement include audit rights for DuckDuckGo to verify compliance with the no-profiling commitment?
Partilhar esta análise
Qualquer pessoa com esta ligação pode ver o resultado acima.
Criado pela DentroChat
Chat de IA 100% europeu para todos
Converse com IA, trabalhe com ficheiros, gere imagens e pesquise na web. Os dados permanecem na Europa.