Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

Analysis Report

low risk

Iteration Layer limits data collection, never uses your content to train AI, and gives clear GDPR rights, but relies on US‑based sub‑processors under the EU‑US Data Privacy Framework and keeps aggregated analytics indefinitely.

The privacy policy is detailed and largely compliant with GDPR principles, offering strong data‑minimization, transparent legal bases, clear user rights, and explicit prohibitions on AI model training. Notable concerns are the indefinite retention of aggregated analytics, reliance on the EU‑US Data Privacy Framework for trans‑Atlantic transfers, and limited detail on audit‑log retention for organization invitations.

Source: Pasted text
Length: 12,527 chars
Engine: llm

Category Assessment

Breakdown of the policy across key compliance areas

Data Minimization: fair

Collects only necessary categories, but retains aggregated analytics indefinitely and audit logs for an unspecified period.

Transparency: good

Provides detailed sections on data categories, legal bases, retention periods, and user rights.

Third-party Sharing: fair

Shares data with a limited set of sub‑processors (Stripe, Google Vertex AI, etc.) under DPAs, but includes US‑based processors.

International Transfers: fair

Relies on the EU‑US Data Privacy Framework and SCCs; fallback mechanisms are described but the framework’s stability is uncertain.

AI/Model Training: good

Explicitly states that user content is never used to train or fine‑tune AI models.

User Rights: good

Clearly enumerates GDPR rights and provides a contact point with a 30‑day response commitment.

Key Findings

Notable clauses, issues, or positive practices discovered

Info

Indefinite retention of aggregated analytics

The policy states that aggregated, anonymized analytics are retained indefinitely, claiming re‑identification is impossible, but provides no independent audit or technical justification.

Warning

Reliance on EU‑US Data Privacy Framework for US transfers

International transfers to Stripe and Google Vertex AI are justified by the EU‑US Data Privacy Framework, which may be invalidated, creating legal uncertainty despite the SCC fallback.

Info

Limited detail on audit‑log retention for organization invitations

The policy mentions that expired invitations are retained for audit purposes but does not specify the retention period or access controls.

Info

Clear prohibition of AI model training using customer data

Both the main text and the sub‑processor table explicitly state that content is not used for training and that Google Vertex AI’s terms prohibit such use.

Info

Comprehensive legal bases and legitimate‑interest balancing tests

The policy lists contract performance, legitimate interests (with documented purposes), legal obligations, and consent, and informs users of their right to object under Article 21.

Consumer Takeaway

Your personal data is kept to what is needed for the service, is not used to improve AI models, and you can exercise GDPR rights, but some data may be stored indefinitely and some processing occurs on US‑based services.

Compliance Posture

Overall privacy‑friendly with minor areas for improvement.

EU Transfers

Transfers outside the EEA are covered by the EU‑US Data Privacy Framework and SCCs, with a fallback plan if the framework is invalidated.

Detected Signals

Specific data points and practices identified in the text

Data Collected

  • Email address
  • Profile image
  • OAuth provider user ID
  • Organization name
  • Organization URL slug
  • Organization logo
  • Member roles
  • API key name
  • API key hash
  • API key last‑used timestamp
  • Subscription plan
  • Billing period
  • Credit balance
  • Stripe customer ID
  • Stripe subscription ID
  • API usage logs (endpoint, status code, credits, timestamp)
  • Submitted documents and images (processed transiently)
  • IP address
  • Browser type
  • Operating system
  • Referral URL
  • Aggregated website usage counters

Processing Purposes

  • Account management and authentication
  • API service delivery
  • Billing and subscription management
  • Security monitoring and fraud prevention
  • Service improvement (aggregated usage statistics)
  • Regulatory compliance and tax reporting
  • Communicating service updates and security alerts

Third-party Sharing

  • Stripe, Inc. – payment processing (United States) – EU‑US Data Privacy Framework
  • Google LLC (Vertex AI) – AI model inference (United States; data processed in Netherlands) – EU‑US Data Privacy Framework
  • Lettermint B.V. – transactional email delivery (Netherlands) – N/A (EEA)
  • OpenStatus SAS – uptime monitoring (France) – N/A (EEA); SCCs for non‑EEA monitoring regions
  • Hetzner Online GmbH – cloud infrastructure and DNS (Germany) – N/A (EEA)

International Transfers

  • Primary infrastructure in the EU (Hetzner, Germany)
  • Transfers to US sub‑processors rely on the EU‑US Data Privacy Framework or SCCs
  • Data processed by Google Vertex AI is handled in the Netherlands (EU)

AI / Model Training

  • Content is processed transiently in memory and deleted after the request completes
  • Explicit statement: "Your content is never used to train, fine‑tune, or improve any AI models"
  • Google Vertex AI terms explicitly prohibit using customer data for model training

Evidence Snippets

Direct quotes from the policy supporting these findings

We do not store passwords — authentication uses secure magic links sent to your email.

Your content is never used to train, fine‑tune, or improve any AI models, whether ours or those of our sub‑processors.

Aggregated, anonymized analytics — retained indefinitely. Re‑identification is technically impossible because the underlying individual‑level data never exists.

We share data with a small number of third‑party providers, all bound by data processing agreements. See the sub‑processors section below for the full list.

Where transfers outside the EEA are necessary — for example, when content is processed through Google Vertex AI (data processed in the Netherlands) — we rely on the EU‑US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions.

Missing or Unclear

  • Exact retention period for audit logs of organization invitations
  • Technical details or independent audit proving that aggregated analytics cannot be re‑identified
  • Specific mechanisms for users to verify that their data has been deleted from sub‑processors after request

Questions to Ask

  • How long are organization invitation audit logs retained, and what safeguards prevent misuse?
  • Can you provide an independent assessment or audit report confirming that aggregated analytics cannot be re‑identified?
  • What is the exact fallback process if the EU‑US Data Privacy Framework is invalidated, and how quickly will SCCs be enforced?
  • Do you have a mechanism for users to request deletion of their data from sub‑processors (e.g., Stripe, Google) after the primary controller deletes it?
  • Are there any circumstances under which you would share personal data with law enforcement beyond the legal‑obligation basis mentioned?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.


Built by DentroChat
