eustella.com privacy policy — score 62/100 (medium risk)
Last analyzed
AI Newsrooms Technology GmbH · eustella.com
Report details
medium riskeustella makes strong privacy promises — no data selling, no third-party sharing, no AI training on your data, and all processing stays in the EU — but this is marketing copy, not a binding privacy policy, and critical details on data collection, retention, sub-processors, and user rights are absent from the provided text.
eustella positions itself as the sovereign European alternative to US-based AI assistants, with repeated and specific commitments to EU-only data processing, no model training on user data, and no data sharing. However, the analyzed text is a landing page and FAQ, not the actual privacy policy or terms of service. The linked legal documents (Privacy Policy, Sub-Processors, Service Terms, etc.) were not provided for review. This creates a significant gap between the strong marketing claims and the verifiable legal commitments. Key details — what data is collected, how long it is retained, which sub-processors are used, how user rights are exercised, and how agentic features handle sensitive data — remain opaque.
Category Assessment
Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.
The FAQ mentions features like 'private memory' and agentic tasks that inherently collect broad data, but no specifics on what data is collected or minimized.
Marketing claims are clear and specific, but the actual privacy policy was not provided; the landing page lacks detail on retention, categories of data, and processing purposes.
Explicitly states data is never sold and never shared with third parties, though the sub-processor list (linked but not provided) could qualify this.
Repeatedly claims all data stays in EU data centres with no transfers to US, China, or third countries — a strong sovereign positioning if upheld in practice.
Explicitly and repeatedly states user data is not used to train AI models, which is a clear opt-out-by-default position.
A deletion requests page exists, but no information on access, portability, rectification, objection, or how to exercise any GDPR rights beyond deletion.
Key Findings
Notable clauses, issues, or positive practices discovered (critical first)
Agentic features process highly sensitive data categories without disclosed safeguards
eustella offers agents for finance ('Start investing with €50,' 'Track my monthly spending,' 'Demystify my tax return,' 'Manage crypto-assets'), health ('Fix my sleep routine,' 'Build a skincare routine'), and legal matters ('Explain a legal contract'). These involve special category or highly sensitive data under GDPR, but no information is provided about enhanced protections, DPIAs, or specific safeguards for these processing activities.
No privacy policy content available for review
The site links to a Privacy Policy, Website Privacy Policy, Sub-Processors, Service Terms, and Trust Center, but none of these documents were provided. All privacy assessments are based solely on marketing claims and FAQ answers, not on binding legal text.
Strong no-training commitment but not in reviewed legal text
The FAQ states 'eustella does not use your data to train models' — a critical privacy commitment. However, this appears in marketing/FAQ copy, not in a reviewed privacy policy or terms of service. The binding legal commitment remains unverified.
No data sharing claim needs sub-processor qualification
The FAQ claims 'eustella does not share your data with third parties,' but the site links to a Sub-Processors page. Sub-processors are third parties that process data on behalf of the controller. The apparent contradiction between 'no sharing' and having sub-processors needs clarification — the sub-processor list was not provided for review.
EU-only data processing claim is strong but unverified
The FAQ states 'All data is stored and processed exclusively in European data centres within the EU. No data is transferred to the US, China, or any other third country.' This is a strong sovereignty claim, but without reviewing the actual infrastructure details and sub-processor list, it cannot be verified — especially since cloud providers often have non-EU corporate parents subject to foreign jurisdiction.
Open-weight models selected regardless of training origin
The FAQ states models are 'selected for being the strongest available, regardless of where they were trained.' This means the models themselves may have been trained on data processed outside the EU, even though inference runs in the EU. This is not a GDPR violation but is a nuance missing from the sovereignty narrative.
Consumer Takeaway
eustella's privacy story is compelling on the surface: EU-only hosting, no training on your data, no selling or sharing. But you should read the actual privacy policy and sub-processor list before trusting it with sensitive information, especially given the agentic features that act on your behalf across finance, travel, and personal planning.
Compliance Posture
The marketing language is strongly aligned with GDPR principles (data minimization, sovereignty, no secondary use), but without the actual privacy policy, DPA, and sub-processor documentation, compliance cannot be verified. The existence of dedicated pages for deletion requests, sub-processors, and a trust center is encouraging but insufficient without content review.
EU Transfers
eustella explicitly claims all data is stored and processed exclusively in EU data centres with no transfers to the US, China, or third countries. This is a strong claim that, if true, eliminates the need for Standard Contractual Clauses or other transfer safeguards. However, this claim is made in marketing copy, not in a reviewed legal document, and the sub-processor list (not provided) could reveal infrastructure providers with non-EU parent companies.
Detected Signals
Specific data points and practices identified in the text
Evidence Snippets
Direct quotes from the policy supporting these findings
eustella does not sell your data. eustella does not share your data with third parties. eustella does not use your data to train models.
All data is stored and processed exclusively in European data centres within the EU. No data is transferred to the US, China, or any other third country.
eustella runs on open-weight AI models — selected for being the strongest available, regardless of where they were trained — hosted entirely on European infrastructure.
eustella owns the entire stack, so your data never leaves the EU.
Your requests are never routed through closed US APIs like OpenAI, Google, or Anthropic.
Missing or Unclear
- Actual privacy policy text not provided
- Sub-processor list not provided
- Data retention periods not specified
- No details on cookie or tracking practices
- No DPO contact information provided
- No mention of DPIA for high-risk processing
- No details on how user rights (access, portability, rectification, objection) can be exercised
- No details on data breach notification procedures
- No information on age restrictions or children's data
- No details on payment data processing (Stripe, etc.)
- No details on how 'private memory' feature stores and protects data
- No details on 'Soul' feature data processing
- No information on law enforcement access procedures
Questions to Ask
- Which sub-processors process user data, and are any of them subsidiaries of non-EU companies subject to foreign jurisdiction (e.g., US cloud providers)?
- What specific data categories are collected and retained from agentic features that handle financial, health, and legal queries?
- Has a Data Protection Impact Assessment been conducted for the agentic features that process sensitive personal data?
- What are the data retention periods for chat history, private memory, and agent task outputs?
- How can users exercise their GDPR rights to access, rectify, port, and object to processing — beyond just deletion?
- What safeguards prevent the open-weight models from logging or exfiltrating user prompts during inference on European infrastructure?
- How is payment data processed — directly or via a payment provider, and under what terms?
- What happens to user data if eustella is acquired by a non-EU entity?
Share this analysis
Anyone with this link can view the result above.
Built by DentroChat
100% European AI chat for everyone
Chat with AI, work with files, generate images, and search the web. Data stays in Europe.