Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

Analysis Report

low risk

Iteration Layer’s privacy policy limits data collection, never uses your content to train AI, and only shares it with a few vetted partners under EU‑approved safeguards.

The policy is detailed and generally privacy‑friendly, with clear data categories, purpose limitation, and strong security measures. However, reliance on the EU‑US Data Privacy Framework for US transfers and indefinite retention of aggregated analytics introduce moderate risk.

Source: Pasted text
Length: 11,493 chars
Engine: llm

Category Assessment

Breakdown of the policy across key compliance areas

Data Minimization: good

Collects only data needed for account, billing, usage monitoring, and security.

Transparency: good

Provides exhaustive lists of data categories, purposes, retention periods, and sub‑processors.

Third-party Sharing: fair

Shares data with a limited set of processors, but includes US‑based Stripe and Google Vertex AI.

International Transfers: fair

Relies on the EU‑US Data Privacy Framework and SCCs; framework stability is uncertain.

AI/Model Training: good

Explicitly states no user data is used to train or fine‑tune any AI models.

User Rights: good

Clearly enumerates GDPR rights and provides a contact point for exercising them.

Key Findings

Notable clauses, issues, or positive practices discovered

Critical

Indefinite retention of aggregated analytics

The policy states that "Aggregated, anonymized analytics — retained indefinitely" and claims the data contains no personal data, but it provides no technical justification or risk assessment for re‑identification.

Warning

Reliance on EU‑US Data Privacy Framework for US transfers

Transfers to Stripe and Google Vertex AI are justified by the "EU‑US Data Privacy Framework", which is currently under legal challenge, creating uncertainty about lawful cross‑border safeguards.

Warning

Broad legitimate‑interest basis for security and fraud monitoring

Legitimate interests are used for "service improvement, security monitoring, fraud prevention" with a balancing test, but the description is generic and may not meet the strict necessity test for all data points (e.g., IP logs retained 90 days).

Info

No Data Protection Officer (DPO) appointed despite processing personal data

The policy claims a DPO is not required because they do not conduct large‑scale systematic monitoring, yet they process IP addresses, usage logs, and billing data, which could be considered large‑scale.

Consumer Takeaway

Your personal data is mostly kept within the EU, not used for AI training, and shared only with a small list of service providers, but some cross‑border transfers depend on a framework that may be legally challenged.

Compliance Posture

mixed

EU Transfers

fair

Detected Signals

Specific data points and practices identified in the text

Data Collected

  • Email address
  • Profile image
  • OAuth provider user ID
  • Organization name
  • Organization URL slug
  • Organization logo
  • Member roles
  • Invitation email address and status
  • API key name, prefix, hash, last‑used timestamp
  • Subscription plan
  • Billing period
  • Credit balance
  • Payment processor identifiers (customer ID, subscription ID)
  • API usage logs (endpoint, status code, credits consumed, timestamp)
  • Submitted documents and images (processed transiently)
  • IP address
  • Browser type
  • Operating system
  • Referral URL

Processing Purposes

  • Account creation and management
  • API service delivery
  • Billing and subscription management
  • Security monitoring and fraud prevention
  • Service performance monitoring
  • Regulatory compliance and tax reporting
  • Communicating service updates and security alerts

Third-party Sharing

  • Stripe, Inc. – payment processing (United States) – EU‑US Data Privacy Framework
  • Google LLC (Vertex AI) – AI inference (United States; data processed in Netherlands) – EU‑US Data Privacy Framework
  • Hetzner Online GmbH – cloud infrastructure (Germany) – no transfer needed
  • Lettermint B.V. – transactional email (Netherlands) – no transfer needed
  • OpenStatus SAS – uptime monitoring (France) – no transfer needed

International Transfers

  • EU‑US Data Privacy Framework used for Stripe and Google Vertex AI
  • Standard Contractual Clauses as fallback if Framework invalidated
  • Data processed in Netherlands for Google Vertex AI (within EU)

AI / Model Training

  • Content submitted through APIs is not stored and "never used to train, fine‑tune, or improve any AI models"

Evidence Snippets

Direct quotes from the policy supporting these findings

Aggregated, anonymized analytics — retained indefinitely. This data contains no personal data and cannot be re‑identified

We share data with a small number of third‑party providers, all bound by data processing agreements

Where transfers outside the EEA are necessary — for example, when content is processed through Google Vertex AI (data processed in the Netherlands) — we rely on the EU‑US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions

We do not use your personal data or submitted content to train, fine‑tune, or improve AI models

Missing or Unclear

  • Technical details on how aggregated analytics are anonymised and why re‑identification is impossible.
  • Specific retention period for IP address logs beyond the stated 90‑day window for usage logs.
  • Clarification on whether any profiling occurs for fraud detection beyond generic rate‑limiting.

Questions to Ask

  • Can you provide a technical description of the anonymisation methods applied to the aggregated analytics that are retained indefinitely?
  • If the EU‑US Data Privacy Framework is invalidated, will you automatically switch to SCCs for Stripe and Google, and how will that transition be communicated to users?
  • What exact data elements are logged for security monitoring, and are any of those logs subject to profiling or automated decision‑making?
  • Do you retain IP addresses or other technical logs beyond the 90‑day usage‑log retention period for any other purposes?
  • How do you verify that sub‑processors (e.g., Stripe, Google) do not use the transferred data for model training, and can you share the relevant clauses from their DPA?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.


Built by DentroChat
