eustella.com privacy policy — score 62/100 (medium risk)

Last analyzed

Run a new analysis on another policy

AI Newsrooms Technology GmbH · eustella.com

Report details

medium risk

eustella makes strong privacy promises — no data selling, no third-party sharing, no AI training on your data, and all processing stays in the EU — but this is marketing copy, not a binding privacy policy, and critical details on data collection, retention, sub-processors, and user rights are absent from the provided text.

eustella positions itself as the sovereign European alternative to US-based AI assistants, with repeated and specific commitments to EU-only data processing, no model training on user data, and no data sharing. However, the analyzed text is a landing page and FAQ, not the actual privacy policy or terms of service. The linked legal documents (Privacy Policy, Sub-Processors, Service Terms, etc.) were not provided for review. This creates a significant gap between the strong marketing claims and the verifiable legal commitments. Key details — what data is collected, how long it is retained, which sub-processors are used, how user rights are exercised, and how agentic features handle sensitive data — remain opaque.

Last analyzed
SourceURL
Length25,188 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimizationfair

The FAQ mentions features like 'private memory' and agentic tasks that inherently collect broad data, but no specifics on what data is collected or minimized.

Transparencyfair

Marketing claims are clear and specific, but the actual privacy policy was not provided; the landing page lacks detail on retention, categories of data, and processing purposes.

Third-party Sharinggood

Explicitly states data is never sold and never shared with third parties, though the sub-processor list (linked but not provided) could qualify this.

International Transfersgood

Repeatedly claims all data stays in EU data centres with no transfers to US, China, or third countries — a strong sovereign positioning if upheld in practice.

AI/Model Traininggood

Explicitly and repeatedly states user data is not used to train AI models, which is a clear opt-out-by-default position.

User Rightspoor

A deletion requests page exists, but no information on access, portability, rectification, objection, or how to exercise any GDPR rights beyond deletion.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Critical

Agentic features process highly sensitive data categories without disclosed safeguards

eustella offers agents for finance ('Start investing with €50,' 'Track my monthly spending,' 'Demystify my tax return,' 'Manage crypto-assets'), health ('Fix my sleep routine,' 'Build a skincare routine'), and legal matters ('Explain a legal contract'). These involve special category or highly sensitive data under GDPR, but no information is provided about enhanced protections, DPIAs, or specific safeguards for these processing activities.

Critical

No privacy policy content available for review

The site links to a Privacy Policy, Website Privacy Policy, Sub-Processors, Service Terms, and Trust Center, but none of these documents were provided. All privacy assessments are based solely on marketing claims and FAQ answers, not on binding legal text.

Warning

Strong no-training commitment but not in reviewed legal text

The FAQ states 'eustella does not use your data to train models' — a critical privacy commitment. However, this appears in marketing/FAQ copy, not in a reviewed privacy policy or terms of service. The binding legal commitment remains unverified.

Warning

No data sharing claim needs sub-processor qualification

The FAQ claims 'eustella does not share your data with third parties,' but the site links to a Sub-Processors page. Sub-processors are third parties that process data on behalf of the controller. The apparent contradiction between 'no sharing' and having sub-processors needs clarification — the sub-processor list was not provided for review.

Info

EU-only data processing claim is strong but unverified

The FAQ states 'All data is stored and processed exclusively in European data centres within the EU. No data is transferred to the US, China, or any other third country.' This is a strong sovereignty claim, but without reviewing the actual infrastructure details and sub-processor list, it cannot be verified — especially since cloud providers often have non-EU corporate parents subject to foreign jurisdiction.

Info

Open-weight models selected regardless of training origin

The FAQ states models are 'selected for being the strongest available, regardless of where they were trained.' This means the models themselves may have been trained on data processed outside the EU, even though inference runs in the EU. This is not a GDPR violation but is a nuance missing from the sovereignty narrative.

Consumer Takeaway

eustella's privacy story is compelling on the surface: EU-only hosting, no training on your data, no selling or sharing. But you should read the actual privacy policy and sub-processor list before trusting it with sensitive information, especially given the agentic features that act on your behalf across finance, travel, and personal planning.

Compliance Posture

The marketing language is strongly aligned with GDPR principles (data minimization, sovereignty, no secondary use), but without the actual privacy policy, DPA, and sub-processor documentation, compliance cannot be verified. The existence of dedicated pages for deletion requests, sub-processors, and a trust center is encouraging but insufficient without content review.

EU Transfers

eustella explicitly claims all data is stored and processed exclusively in EU data centres with no transfers to the US, China, or third countries. This is a strong claim that, if true, eliminates the need for Standard Contractual Clauses or other transfer safeguards. However, this claim is made in marketing copy, not in a reviewed legal document, and the sub-processor list (not provided) could reveal infrastructure providers with non-EU parent companies.

Detected Signals

Specific data points and practices identified in the text

Data Collected
Account registration dataChat messages and promptsDocuments and images uploaded for analysisAudio files for transcriptionPayment and billing dataPrivate memory dataAgent task data (finance, travel, legal, health)
Processing Purposes
AI assistant interactionsAgentic task execution on behalf of usersDocument and image analysisAudio transcriptionTopic monitoring and researchPrivate memory storage
Third-party Sharing
No data selling claimedNo third-party sharing claimedSub-processors exist (list not provided)No advertising or analytics sharing mentioned
International Transfers
All data stored and processed in EU data centresNo transfers to US, China, or third countries claimedNo mention of Standard Contractual ClausesNo mention of adequacy decisions needed
AI / Model Training
Explicit statement: data not used to train modelsNo opt-out needed (not used by default)Open-weight models used (not trained on user data)

Evidence Snippets

Direct quotes from the policy supporting these findings

eustella does not sell your data. eustella does not share your data with third parties. eustella does not use your data to train models.

All data is stored and processed exclusively in European data centres within the EU. No data is transferred to the US, China, or any other third country.

eustella runs on open-weight AI models — selected for being the strongest available, regardless of where they were trained — hosted entirely on European infrastructure.

eustella owns the entire stack, so your data never leaves the EU.

Your requests are never routed through closed US APIs like OpenAI, Google, or Anthropic.

Missing or Unclear

  • Actual privacy policy text not provided
  • Sub-processor list not provided
  • Data retention periods not specified
  • No details on cookie or tracking practices
  • No DPO contact information provided
  • No mention of DPIA for high-risk processing
  • No details on how user rights (access, portability, rectification, objection) can be exercised
  • No details on data breach notification procedures
  • No information on age restrictions or children's data
  • No details on payment data processing (Stripe, etc.)
  • No details on how 'private memory' feature stores and protects data
  • No details on 'Soul' feature data processing
  • No information on law enforcement access procedures

Questions to Ask

  • Which sub-processors process user data, and are any of them subsidiaries of non-EU companies subject to foreign jurisdiction (e.g., US cloud providers)?
  • What specific data categories are collected and retained from agentic features that handle financial, health, and legal queries?
  • Has a Data Protection Impact Assessment been conducted for the agentic features that process sensitive personal data?
  • What are the data retention periods for chat history, private memory, and agent task outputs?
  • How can users exercise their GDPR rights to access, rectify, port, and object to processing — beyond just deletion?
  • What safeguards prevent the open-weight models from logging or exfiltrating user prompts during inference on European infrastructure?
  • How is payment data processed — directly or via a payment provider, and under what terms?
  • What happens to user data if eustella is acquired by a non-EU entity?
This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe
Try free →