DentroChat logo
Try free

cake.com privacy policy — score 62/100 (medium risk)

Last analyzed

Run a new analysis on another policy

CAKE.com Inc. · cake.com

Report details

medium risk

CAKE.com provides standard EU data rights and transfer safeguards but collects highly intrusive workplace surveillance data—like screenshots, background location, and app usage—on behalf of employers, who act as the data controllers for their employees.

The privacy policy covers CAKE.com's suite of productivity and tracking tools (Clockify, Pumble, Plaky). It distinguishes between Business Users (employers) and Authorized Users (employees). While it includes a robust section for EEA users detailing GDPR rights, legal bases, and Standard Contractual Clauses for international transfers, the core product features involve extensive employee monitoring. Authorized Users are largely dependent on their employers (the Business Users) for privacy notices, consent collection, and the exercise of data subject rights, creating a potential power imbalance and friction for individual privacy.

Last analyzed
SourceURL
Length27,650 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimizationpoor

The policy describes collecting highly intrusive data for employee monitoring, including precise background location, desktop screenshots, and continuous app/website usage tracking, which goes well beyond what is strictly necessary for basic project management.

Transparencygood

The policy clearly delineates between Business Users and Authorized Users, lists specific data types collected per product feature, and provides a dedicated, detailed section for EEA individuals outlining legal bases and rights.

Third-party Sharingfair

Data is shared with a published list of subprocessors for legitimate operational purposes, but the policy also permits sharing for personalized advertising and broad sharing at the Business User's direction without explicit limitations.

International Transfersfair

While default processing occurs in the US, CAKE.com implements SCCs and the UK addendum for EU transfers, and offers an EEA data storage option for some services, though many subprocessors are US-based.

AI/Model Trainingfair

The policy is completely silent on the use of personal data for AI or model training, which leaves a gap regarding whether employee messages, files, or tracking data might be used to train algorithms.

User Rightsfair

Full GDPR rights are enumerated for EEA users, but Authorized Users are explicitly told to contact their Business User (employer) to exercise these rights, limiting their direct recourse against CAKE.com as the processor.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Critical

Invasive Employee Surveillance Features

The policy details the collection of precise location (even in the background), desktop screenshots at timed intervals, and auto-tracking of all applications and websites used. This level of surveillance poses a high risk to employee privacy and requires careful balancing under GDPR Article 5(1)(b) and (c).

Warning

Shift of GDPR Responsibility to Employers

CAKE.com explicitly states that Business Users are responsible for providing notices and collecting consents from Authorized Users, and that Authorized Users must contact their employer to exercise data subject rights. This shields CAKE.com but leaves employees dependent on their employer's compliance efforts.

Warning

Behavioral Advertising on Third-Party Platforms

The policy states they use information to 'Personalize the advertisements you see on third-party platforms and websites' and rely on legitimate interest for data analytics, which requires careful scrutiny under GDPR regarding whether tracking employees for ad personalization is truly a legitimate interest.

Info

Ambiguous Data Retention for Sensitive Categories

While the policy mentions that screenshots, GPS location, and auto-tracking info are 'automatically and routinely deleted after a designated time,' it fails to specify what that designated time is, leaving Authorized Users in the dark about how long their sensitive surveillance data persists.

Consumer Takeaway

If you are an employee using Clockify, your employer can track your location, take screenshots of your desktop, and monitor your app usage; you must ask your employer, not CAKE.com, to delete your data.

Compliance Posture

CAKE.com attempts to shield itself from GDPR liability regarding employees by positioning the employer as the data controller, but the invasive nature of the tracking tools (background location, screenshots) requires strict adherence to data minimization and purpose limitation principles by the employers, which CAKE.com only loosely enforces.

EU Transfers

Data is primarily processed in the US, but CAKE.com implements Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. They also offer an option for EEA-based data storage for some services, which is a positive step, though US subprocessors still handle support, payments, and analytics.

Detected Signals

Specific data points and practices identified in the text

Data Collected
NameAccount usernamePasswordEmailPhone numberPhotographBirthdayWork contact detailsJob titlePurchase historyPayment detailsTime entriesScreenshotsPrecise locationApp and website usageChat messagesFilesIP addressDevice identifiersCookies
Processing Purposes
Providing and maintaining servicesProcessing transactionsCustomer supportMarketing communicationsPersonalizing third-party advertisementsAnalytics and trend monitoringSecurity and fraud preventionCompliance with legal obligations
Third-party Sharing
Vendors and service providers (subprocessors)Law enforcement if required by lawProfessional advisors (lawyers)Merger or acquisition scenariosAffiliates and subsidiariesAt the direction of the Business User
International Transfers
Standard Contractual Clauses (SCCs)UK International Data Transfer AddendumOption for EEA data storage for some servicesPrimary processing in the United States
AI / Model Training
Policy is silent on AI/model training

Evidence Snippets

Direct quotes from the policy supporting these findings

Location Tracker tool information (Clockify only): in accordance with your device permissions, we may collect information about the precise location of your device... Locations are collected even if the mobile application works in the background.

CAKE.com does not directly control the processing of Authorized User personal information, but rather Business Users are responsible for providing their Authorized Users any required notices and collecting any necessary consents...

Personalize the advertisements you see on third-party platforms and websites (for more information, see the Advertising and Analytics section below)

Additionally, some information, including but not limited to screenshots, GPS location, auto-tracking, and audit-log information are automatically and routinely deleted after a designated time as part of our data retention policies.

Missing or Unclear

  • Specific retention periods for surveillance data (screenshots, location, auto-tracking)
  • Whether CAKE.com conducts Data Protection Impact Assessments (DPIAs) for its high-risk tracking features
  • Explicit details on the legal basis used for specific tracking features (e.g., is screenshotting based on legitimate interest or contract?)
  • Whether the EEA data storage option is the default for EEA customers or an opt-in feature

Questions to Ask

  • What is the exact 'designated time' after which screenshots, GPS location, and auto-tracking data are automatically deleted?
  • Does CAKE.com require Business Users to complete a Data Protection Impact Assessment (DPIA) before activating the Location Tracker, Screenshot, or Auto Tracker tools for Authorized Users?
  • How does CAKE.com justify the use of Authorized User data for 'personalizing advertisements' under the legitimate interest legal basis in the EEA?
  • Is the option to store and process data exclusively within the EEA enabled by default for Business Users and Authorized Users located in the EEA?
  • Does CAKE.com use any of the chat messages, files, or tracking data from Authorized Users to train AI models or improve algorithms?
This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe
Try free →