Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

Analysis Report

Overall rating: low risk

Iteration Layer’s policy limits data collection, deletes most data quickly, and only shares it with a few vetted partners, but it still relies on US‑based services under the EU‑US Data Privacy Framework.

The privacy policy is fairly comprehensive, detailing data categories, purposes, retention periods, and sub‑processor agreements. It shows strong data minimisation and transparency, uses self‑hosted analytics, and provides clear user rights. However, reliance on the EU‑US Data Privacy Framework for US transfers, a broad legitimate‑interests basis without a balancing test, and indefinite retention of anonymised analytics raise compliance concerns.

Source: Pasted text
Length: 7,851 chars
Engine: llm

Category Assessment

Breakdown of the policy across key compliance areas

Data Minimisation: good

Only data necessary for account, billing, and service operation is collected, and content is deleted immediately after processing.

Transparency: good

The policy clearly lists data categories, purposes, retention periods, and sub‑processors.

Third‑party Sharing: fair

Data is shared with a limited set of sub‑processors, but includes US‑based Stripe and Google Vertex AI.

International Transfers: fair

Relies on the EU‑US Data Privacy Framework and SCCs, which are currently under legal scrutiny.

AI/Model Training: poor

The policy does not state whether user‑submitted content is used to train AI models or offer an opt‑out.

User Rights: good

All GDPR rights are enumerated with contact details and a 30‑day response commitment.

Key Findings

Notable clauses, issues, or positive practices discovered

Warning

Broad legitimate‑interest basis without balancing test

The policy cites legitimate interests for "service improvement, security monitoring, fraud prevention" but provides no description of a legitimate‑interest assessment, no information on how users can object, and no documentation of the balancing test required by GDPR Art. 6(1)(f).

Warning

Reliance on EU‑US Data Privacy Framework for US transfers

International transfers to Stripe and Google Vertex AI are justified by the EU‑US Data Privacy Framework, a mechanism currently facing legal challenges in the EU, creating uncertainty about the adequacy of protection for transferred data.

Info

Indefinite retention of anonymised analytics

Aggregated, anonymised analytics are retained indefinitely. This may be unnecessary, and the policy gives no justification for it and no mechanism for users to request deletion, contrary to the principle of storage limitation.

Warning

Unclear use of user data for AI model training

The policy mentions processing through Google Vertex AI but does not disclose whether submitted content is used to train or improve AI models, nor does it offer an opt‑out, which is required for processing personal data for profiling or model training under GDPR Art. 22 and Recital 71.

Consumer Takeaway

Your personal data is mostly kept short‑term and only shared with a small set of partners, but some of those partners are in the US and the policy does not explain how you can object to certain processing.

Compliance Posture

The policy aligns with many GDPR requirements, especially around transparency, data subject rights, and security. Yet, the use of the EU‑US Data Privacy Framework and the lack of a detailed legitimate‑interest assessment could be problematic under EU law.

EU Transfers

The policy acknowledges transfers outside the EEA and relies on the EU‑US Data Privacy Framework, SCCs, and adequacy decisions. While these mechanisms are currently accepted, the EU‑US framework faces legal challenges, making the transfers a potential risk area.

Detected Signals

Specific data points and practices identified in the text

Data Collected

  • Email address
  • Profile image
  • OAuth provider user ID
  • Organization name
  • Organization URL slug
  • Organization logo
  • Member roles
  • Invitation email address and status
  • API key name and hash
  • API usage timestamps
  • Subscription plan
  • Billing period
  • Credit balance
  • Payment processor identifiers
  • API call logs (endpoint, status code, credits consumed)
  • Submitted documents and images (processed transiently)
  • IP address
  • Browser type
  • Operating system
  • Referral URL

Processing Purposes

  • Account creation and management
  • API service delivery
  • Billing and subscription management
  • Security monitoring and fraud prevention
  • Performance and reliability monitoring
  • Service updates and security alerts
  • Compliance with legal obligations
  • Marketing communications (with consent)

Third-party Sharing

  • Stripe, Inc. – payment processing (United States) – EU‑US Data Privacy Framework
  • Google LLC (Vertex AI) – AI model inference (United States; processed in Netherlands) – EU‑US Data Privacy Framework
  • Hetzner Online GmbH – cloud infrastructure (Germany) – no transfer mechanism needed
  • Lettermint B.V. – transactional email (Netherlands) – no transfer mechanism needed
  • OpenStatus SAS – uptime monitoring (France) – SCCs for non‑EEA monitoring regions

International Transfers

  • EU‑US Data Privacy Framework used for Stripe and Google Vertex AI transfers
  • Standard Contractual Clauses used for OpenStatus SAS monitoring outside the EEA
  • Data processed in the Netherlands for Google Vertex AI, providing an EU location for the actual processing

AI / Model Training

Processing through Google Vertex AI is mentioned, but there is no explicit statement on whether user‑submitted content is used for model training.

Evidence Snippets

Direct quotes from the policy supporting these findings

Legitimate interests (Art. 6(1)(f)) — service improvement, security monitoring, fraud prevention

we rely on the EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions

Aggregated, anonymized analytics — retained indefinitely (non-identifiable)

Google LLC (Vertex AI) | AI model inference | United States; data processed in Netherlands (EU) | EU-US Data Privacy Framework

Missing or Unclear

  • No documented legitimate‑interest assessment or opt‑out mechanism.
  • No explicit statement on whether user data is used to train AI models.
  • No Data Protection Officer (DPO) contact or reference.
  • No detailed breach notification timeline beyond general security statements.
  • No mention of profiling or automated decision‑making beyond fraud detection.

Questions to Ask

  • Can you provide the legitimate‑interest assessment that justifies processing for service improvement and security monitoring?
  • What specific safeguards are in place given the EU‑US Data Privacy Framework’s current legal uncertainty?
  • Do you use content submitted to Google Vertex AI for training or improving AI models, and can users opt out of such use?
  • Why is anonymised analytics retained indefinitely, and can users request its deletion?
  • Is there a formal process for users to request deletion of API usage logs before the 90‑day retention period?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Built by DentroChat
