duckduckgo.com privacy policy — score 82/100 (low risk)
Senast analyserad
Rapportinnehållet (sammanfattning, fynd, citat) genererades på engelska och är inte lokaliserat.
Duck Duck Go, Inc. · duckduckgo.com
Rapportdetaljer
low riskDuckDuckGo lives up to its no-tracking promise for core search and browsing, but its growing optional features (Duck.ai, Sync & Backup) and the Microsoft ad partnership introduce data flows the policy doesn't fully explain, especially around AI training and international transfer safeguards.
DuckDuckGo's privacy policy is unusually strong for a major tech product: it explicitly disclaims tracking, does not save IP addresses or unique identifiers alongside searches/chats/browsing, and does not sell personal information. However, the policy has notable gaps. It does not address whether Duck.ai chat data is used for AI model training. It acknowledges cross-border data transfers but fails to specify legal safeguards such as Standard Contractual Clauses. The Microsoft advertising relationship means ad-click data flows to a third party under a contractual commitment rather than a technical guarantee. Optional features like Sync & Backup and Email Protection each collect personal data under separate sub-policies, creating a fragmented privacy landscape. User rights are referenced but not detailed within the main policy itself.
Bedömning per kategori
Uppdelning av policyn över viktiga efterlevnadsområden. Bra = stark, rimlig = blandad, dålig = oroande.
Core services collect no persistent identifiers; optional features request only what is necessary and are clearly opt-in.
Plain language is excellent for core services, but critical details on Duck.ai data handling and international transfer safeguards are deferred to sub-policies or omitted entirely.
Anonymous info shared with hosting/content providers; ad-click data flows to Microsoft under a contractual commitment; corporate SaaS vendors access voluntarily provided data — all described but with limited specificity on contracts.
The policy acknowledges global servers and a distributed team but provides no detail on transfer mechanisms (SCCs, adequacy decisions, or BCRs), only a vague commitment to 'follow applicable legal requirements.'
The policy is silent on whether Duck.ai chats or other data are used to train AI models; no opt-in or opt-out mechanism is mentioned in this document.
Rights are acknowledged and a dedicated Privacy Rights page is referenced, but the specific rights (access, deletion, portability, objection) are not enumerated in this policy itself.
Viktiga fynd
Anmärkningsvärda klausuler, problem eller positiva rutiner (kritiska först)
AI training data usage is completely unaddressed
The policy covers Duck.ai chats but never states whether chat content is used to train AI models (either DuckDuckGo's own or those of third-party AI providers like OpenAI and Anthropic). Given the June 2026 update specifically adding Duck.ai coverage, this is a critical omission.
Microsoft ad network receives ad-click data with only a contractual privacy commitment
Ad clicks are managed by Microsoft's ad network. The policy says 'Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.' This relies on Microsoft's contractual commitment rather than a technical anonymization guarantee, creating a trust dependency on a third party.
International transfer safeguards are unspecified
The policy acknowledges that data may be transferred across borders due to global servers and a distributed team, but only states 'we will follow applicable legal requirements' without identifying the legal mechanism (e.g., Standard Contractual Clauses, adequacy decisions). This is insufficient under GDPR Article 44 et seq.
Optional features create a fragmented privacy framework
Duck.ai, Email Protection, Sync & Backup, and the Subscription each have separate privacy policies. Users must consult multiple documents to understand the full picture, and the core 'we don't track you' promise does not apply to these features by definition.
No-tracking commitment is technically enforced, not just a promise
The policy states IP addresses and unique identifiers are never logged to disk in association with searches, chats, or browsing. This is a strong technical guarantee, not merely a policy commitment, making it significantly more trustworthy than a typical privacy policy.
Anonymous experiments use browser storage without full transparency
The policy mentions 'anonymous experiments to test different designs' that use browser storage, but does not specify what data is stored, how anonymity is ensured, or how users can identify or opt out of these experiments.
Sammanfattning för användaren
DuckDuckGo's core search and browsing are genuinely private and don't create profiles about you, but if you use optional features like Duck.ai or Sync & Backup, you're trusting separate policies and third-party AI providers with your data.
Efterlevnadsställning
Largely compliant with GDPR principles, especially data minimization and purpose limitation for core services. Gaps exist around transparency on international transfer mechanisms and AI training data usage for Duck.ai.
EU-överföringar
The policy acknowledges cross-border transfers (distributed team, global servers) but states only that it 'will follow applicable legal requirements' without specifying whether it relies on adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. This is insufficiently specific under GDPR Chapter V.
Upptäckta signaler
Specifika datapunkter och rutiner identifierade i texten
Bevisutdrag
Direkta citat från policyn som stödjer dessa fynd
We don't save your IP address alongside your searches, Duck.ai chats, or visits to our websites, and we never log IP addresses to disk that could be tied back to you.
Ad clicks are managed by Microsoft's ad network and Microsoft has committed to not associate your ad-click behavior with a user profile and to not store or share that information other than for accounting purposes.
In such scenarios, if any cross-border transfers are necessary, we will follow applicable legal requirements.
We have never sold any personal information. Period.
Saknas eller otydligt
- AI model training usage and opt-out mechanism
- Specific international transfer legal mechanisms (SCCs, adequacy, BCRs)
- Data retention periods for optional feature data
- Details of Microsoft ad data processing agreement
- Cookie and local storage inventory
- DPIA or legitimate interest assessments
- Subprocessor list for optional features
Frågor att ställa
- Is Duck.ai chat content shared with third-party AI providers (e.g., OpenAI, Anthropic), and if so, do those providers use it for model training?
- What specific legal mechanism does DuckDuckGo rely on for international data transfers — Standard Contractual Clauses, adequacy decisions, or something else?
- What data exactly is stored in browser storage during 'anonymous experiments,' and how can users opt out?
- Under what legal basis does DuckDuckGo process IP addresses and device information for security purposes — legitimate interest or consent?
- What are the specific retention periods for data collected through optional features like Email Protection and Sync & Backup?
- Does the Microsoft advertising agreement include audit rights for DuckDuckGo to verify compliance with the no-profiling commitment?
Dela den här analysen
Alla med den här länken kan se resultatet ovan.
Byggd av DentroChat
100 % europeisk AI-chatt för alla
Chatta med AI, arbeta med filer, generera bilder och sök på webben. Data stannar i Europa.