Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

Analysis Report

low risk

Iteration Layer’s policy largely respects GDPR, but vague legitimate‑interest justifications and a 90‑day log retention period keep it from being fully privacy‑friendly.

The privacy policy is detailed, lists data categories, purposes, legal bases, sub‑processors, and user rights. It limits data collection, does not use content for AI training, and keeps most processing within the EU. However, the reliance on legitimate interests for service improvement lacks a transparent balancing test, the 90‑day mandatory log retention is not justified, and the primary transfer mechanism (EU‑US Data Privacy Framework) is legally uncertain.

Source: Pasted text
Length: 10,385 chars
Engine: llm

Category Assessment

Breakdown of the policy across key compliance areas

Data Minimization: good

Only data strictly needed for account, billing, API usage, and security is collected.

Transparency: fair

Policy is detailed, but legitimate‑interest justification and some retention periods lack full explanation.

Third-party Sharing: fair

Limited list of sub‑processors with DPAs, yet reliance on Stripe and Google involves US transfers.

International Transfers: fair

Depends on EU‑US Data Privacy Framework, which is under legal challenge; SCCs are mentioned as fallback but not elaborated.

AI/Model Training: good

Explicitly states no user data is used to train or fine‑tune AI models.

User Rights: good

All GDPR rights are listed with contact details and a 30‑day response commitment.

Key Findings

Notable clauses, issues, or positive practices discovered

Warning

Legitimate interests basis lacks detailed balancing test

The policy cites legitimate interests for "service improvement" but only says it uses "aggregated, non‑identifiable usage patterns" without describing the assessment of necessity versus data subject rights.

Warning

90‑day retention of API usage logs without early deletion

API usage logs are retained for 90 days and "early deletion is not available during this period," which may be disproportionate to the billing and dispute purposes claimed.

Warning

Reliance on EU‑US Data Privacy Framework for US transfers

International transfers to Stripe and Google Vertex AI depend on the EU‑US Data Privacy Framework, which is currently subject to legal challenges, creating uncertainty about lawful transfer.

Info

Indefinite retention of aggregated analytics

Aggregated, anonymized analytics are retained indefinitely and the policy asserts they "cannot be re‑identified," but no technical safeguards or re‑identification risk assessment are provided.

Consumer Takeaway

Your data is mostly protected, but be aware that some usage logs are kept for three months and the company leans on a contested US‑EU data‑transfer framework.

Compliance Posture

Generally compliant with GDPR, with minor gaps in transparency of legitimate‑interest assessments and data‑retention justification.

EU Transfers

Uses EU‑US Data Privacy Framework and SCCs; fallback mechanisms are mentioned but not detailed, posing a moderate risk if the framework is invalidated.

Detected Signals

Specific data points and practices identified in the text

Data Collected

  • Email address
  • Profile image
  • OAuth provider user ID
  • Organization name
  • Organization URL slug
  • Organization logo
  • Member roles
  • Invitation email address and status
  • API key name
  • API key hash
  • API key last‑used timestamp
  • Subscription plan
  • Billing period
  • Credit balance
  • Payment processor identifiers (customer ID, subscription ID)
  • API usage details (endpoint, status code, credits consumed, timestamp)
  • Submitted documents and images (transient)
  • IP address
  • Browser type
  • Operating system
  • Referral URL

Processing Purposes

  • Account creation and management
  • API service delivery
  • Billing and subscription management
  • Security monitoring and fraud prevention
  • Service improvement via aggregated usage analysis
  • Regulatory compliance and tax reporting
  • Communicating service updates and security alerts

Third-party Sharing

  • Stripe, Inc. – payment processing (United States)
  • Google LLC (Vertex AI) – AI model inference (United States; data processed in Netherlands)
  • Lettermint B.V. – transactional email delivery (Netherlands)
  • OpenStatus SAS – uptime monitoring (France)
  • Hetzner Online GmbH – cloud infrastructure (Germany)

International Transfers

  • EU‑US Data Privacy Framework
  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions for EU locations

AI / Model Training

Content is not used to train, fine‑tune, or improve any AI models.

Evidence Snippets

Direct quotes from the policy supporting these findings

We collect the following categories of personal data, each for a specific purpose explained in the sections below.

Legitimate interests (Art. 6(1)(f)) — service improvement, security monitoring, fraud prevention. You have the right to object to processing based on legitimate interests under Article 21 of the GDPR.

API usage logs — 90 days (required for billing reconciliation and dispute evidence; early deletion is not available during this period).

We use Stripe, Inc. as our payment processor — we never see or store full card numbers.

Where transfers outside the EEA are necessary — for example, when content is processed through Google Vertex AI (data processed in the Netherlands) — we rely on the EU‑US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions.

Missing or Unclear

  • No detailed description of the legitimate‑interest balancing test or a public record of the assessment.
  • No explicit mention of a Data Protection Officer (DPO). No special categories of data appear to be processed, and the omission seems to rest on the scale of processing, but this should be stated explicitly.
  • No specific technical or organizational measures described for preventing re‑identification of aggregated analytics.

Questions to Ask

  • Can you provide the documented legitimate‑interest assessment that justifies processing for service improvement?
  • What is the legal basis for retaining API usage logs for a full 90 days without the ability to delete them earlier?
  • If the EU‑US Data Privacy Framework is invalidated, how will you ensure continued lawful transfers to Stripe and Google under SCCs?
  • What technical safeguards guarantee that the indefinitely retained aggregated analytics cannot be re‑identified?
  • Do you have a Data Protection Officer or a designated point of contact for data protection matters beyond the generic support email?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.


Built by DentroChat
