cake.com privacy policy — score 62/100 (medium risk)
Senast analyserad
Rapportinnehållet (sammanfattning, fynd, citat) genererades på engelska och är inte lokaliserat.
CAKE.com Inc. · cake.com
Rapportdetaljer
medium riskCAKE.com provides standard EU data rights and transfer safeguards but collects highly intrusive workplace surveillance data—like screenshots, background location, and app usage—on behalf of employers, who act as the data controllers for their employees.
The privacy policy covers CAKE.com's suite of productivity and tracking tools (Clockify, Pumble, Plaky). It distinguishes between Business Users (employers) and Authorized Users (employees). While it includes a robust section for EEA users detailing GDPR rights, legal bases, and Standard Contractual Clauses for international transfers, the core product features involve extensive employee monitoring. Authorized Users are largely dependent on their employers (the Business Users) for privacy notices, consent collection, and the exercise of data subject rights, creating a potential power imbalance and friction for individual privacy.
Bedömning per kategori
Uppdelning av policyn över viktiga efterlevnadsområden. Bra = stark, rimlig = blandad, dålig = oroande.
The policy describes collecting highly intrusive data for employee monitoring, including precise background location, desktop screenshots, and continuous app/website usage tracking, which goes well beyond what is strictly necessary for basic project management.
The policy clearly delineates between Business Users and Authorized Users, lists specific data types collected per product feature, and provides a dedicated, detailed section for EEA individuals outlining legal bases and rights.
Data is shared with a published list of subprocessors for legitimate operational purposes, but the policy also permits sharing for personalized advertising and broad sharing at the Business User's direction without explicit limitations.
While default processing occurs in the US, CAKE.com implements SCCs and the UK addendum for EU transfers, and offers an EEA data storage option for some services, though many subprocessors are US-based.
The policy is completely silent on the use of personal data for AI or model training, which leaves a gap regarding whether employee messages, files, or tracking data might be used to train algorithms.
Full GDPR rights are enumerated for EEA users, but Authorized Users are explicitly told to contact their Business User (employer) to exercise these rights, limiting their direct recourse against CAKE.com as the processor.
Viktiga fynd
Anmärkningsvärda klausuler, problem eller positiva rutiner (kritiska först)
Invasive Employee Surveillance Features
The policy details the collection of precise location (even in the background), desktop screenshots at timed intervals, and auto-tracking of all applications and websites used. This level of surveillance poses a high risk to employee privacy and requires careful balancing under GDPR Article 5(1)(b) and (c).
Shift of GDPR Responsibility to Employers
CAKE.com explicitly states that Business Users are responsible for providing notices and collecting consents from Authorized Users, and that Authorized Users must contact their employer to exercise data subject rights. This shields CAKE.com but leaves employees dependent on their employer's compliance efforts.
Behavioral Advertising on Third-Party Platforms
The policy states they use information to 'Personalize the advertisements you see on third-party platforms and websites' and rely on legitimate interest for data analytics, which requires careful scrutiny under GDPR regarding whether tracking employees for ad personalization is truly a legitimate interest.
Ambiguous Data Retention for Sensitive Categories
While the policy mentions that screenshots, GPS location, and auto-tracking info are 'automatically and routinely deleted after a designated time,' it fails to specify what that designated time is, leaving Authorized Users in the dark about how long their sensitive surveillance data persists.
Sammanfattning för användaren
If you are an employee using Clockify, your employer can track your location, take screenshots of your desktop, and monitor your app usage; you must ask your employer, not CAKE.com, to delete your data.
Efterlevnadsställning
CAKE.com attempts to shield itself from GDPR liability regarding employees by positioning the employer as the data controller, but the invasive nature of the tracking tools (background location, screenshots) requires strict adherence to data minimization and purpose limitation principles by the employers, which CAKE.com only loosely enforces.
EU-överföringar
Data is primarily processed in the US, but CAKE.com implements Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. They also offer an option for EEA-based data storage for some services, which is a positive step, though US subprocessors still handle support, payments, and analytics.
Upptäckta signaler
Specifika datapunkter och rutiner identifierade i texten
Bevisutdrag
Direkta citat från policyn som stödjer dessa fynd
Location Tracker tool information (Clockify only): in accordance with your device permissions, we may collect information about the precise location of your device... Locations are collected even if the mobile application works in the background.
CAKE.com does not directly control the processing of Authorized User personal information, but rather Business Users are responsible for providing their Authorized Users any required notices and collecting any necessary consents...
Personalize the advertisements you see on third-party platforms and websites (for more information, see the Advertising and Analytics section below)
Additionally, some information, including but not limited to screenshots, GPS location, auto-tracking, and audit-log information are automatically and routinely deleted after a designated time as part of our data retention policies.
Saknas eller otydligt
- Specific retention periods for surveillance data (screenshots, location, auto-tracking)
- Whether CAKE.com conducts Data Protection Impact Assessments (DPIAs) for its high-risk tracking features
- Explicit details on the legal basis used for specific tracking features (e.g., is screenshotting based on legitimate interest or contract?)
- Whether the EEA data storage option is the default for EEA customers or an opt-in feature
Frågor att ställa
- What is the exact 'designated time' after which screenshots, GPS location, and auto-tracking data are automatically deleted?
- Does CAKE.com require Business Users to complete a Data Protection Impact Assessment (DPIA) before activating the Location Tracker, Screenshot, or Auto Tracker tools for Authorized Users?
- How does CAKE.com justify the use of Authorized User data for 'personalizing advertisements' under the legitimate interest legal basis in the EEA?
- Is the option to store and process data exclusively within the EEA enabled by default for Business Users and Authorized Users located in the EEA?
- Does CAKE.com use any of the chat messages, files, or tracking data from Authorized Users to train AI models or improve algorithms?
Dela den här analysen
Alla med den här länken kan se resultatet ovan.
Byggd av DentroChat
100 % europeisk AI-chatt för alla
Chatta med AI, arbeta med filer, generera bilder och sök på webben. Data stannar i Europa.