Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

87/ 100

Analysis Report

low risk

eustella publishes a strongly EU-aligned privacy policy that explicitly bans AI training on user data and keeps all processing in the EU, but it is undermined by an internal contradiction over mandatory account fields and the unexplained absence of a Data Protection Officer.

eustella's policy is a privacy-first document that explicitly prohibits using customer data for AI model training, pledges to keep all data within the EU, and relies on EU-hosted infrastructure and sub-processors. It provides clear legal bases under GDPR, detailed retention schedules, and granular user controls over personalisation. However, the policy contradicts itself on whether date of birth is required at sign-up, does not name its payment processor, and omits any mention of a Data Protection Officer despite the scale and sensitivity of processing.

SourceURL

Length24,460 chars

Enginellm

Category Assessment

Breakdown of the policy across key compliance areas

Data Minimizationfair

The policy avoids sensitive data by design and does not use data for advertising, but it mandates date of birth for age verification while admitting such verification is technically impossible, and it contradicts itself on whether DOB is a required account field versus only name, email, and password.

Transparencygood

The document is written in plain language with specific GDPR legal bases, retention periods, and sub-processor disclosures, though it is undermined by the conflicting account-creation requirements and the failure to name the payment provider.

Third-party Sharinggood

Sharing is kept to a minimum with EU-based infrastructure providers, an EU-hosted analytics processor (PostHog), and professional advisors, but the unnamed payment processor and lack of detail on open-source LLM provenance leave small gaps.

International Transfersgood

The policy contains an explicit, repeated commitment that no personal data leaves the EU, including self-hosted open-source LLMs on EU infrastructure, which removes the need for SCCs or adequacy decisions.

AI/Model Traininggood

eustella makes a clear, prominent commitment that it does not use conversations, files, preferences, or connected-service data to train, fine-tune, or improve any AI models, eliminating the need for an opt-out toggle.

User Rightsgood

GDPR rights are comprehensively listed with specific exercise methods (email and in-app), a one-month response timeline, and the correct Austrian supervisory authority, though the absence of DPO contact details is notable.

Key Findings

Notable clauses, issues, or positive practices discovered

Warning

Contradictory mandatory account fields

Section 2 states that account creation requires only name, email address, and password, while Section 12 states that users cannot create an account without providing name, email address, and date of birth. This inconsistency makes it impossible to know what data is actually required at sign-up.

Warning

Missing Data Protection Officer

Despite being an EU controller processing personal data at scale—including systematic monitoring via PostHog, content moderation with human review, and potential special category data—the policy does not mention the appointment or contact details of a Data Protection Officer as required by Article 37 GDPR.

Warning

Unverifiable age verification collects excessive data

Section 12 acknowledges that 'no currently available technical means can fully verify a person's age without disproportionately intruding on their privacy,' yet it still mandates collection of date of birth from all users and prohibits false entries. This creates a tension between the stated futility of verification and the data collected.

Info

Human review of conversation content

Section 7 discloses that 'a limited number of trained safety staff may review the flagged content,' but it does not quantify the number of staff, the scope of their access, or the specific internal access controls beyond 'strict confidentiality obligations,' leaving some uncertainty about insider risk.

Info

Unnamed payment provider

Section 8 states that payment is processed by 'our payment provider' without naming the entity or confirming its location, reducing transparency about who processes financial data and under what jurisdiction.

Consumer Takeaway

eustella is a comparatively privacy-safe AI assistant because it promises not to train models on your chats and keeps everything in the EU, but you should ask why a date of birth is mandatory and whether a DPO exists before sharing sensitive information.

Compliance Posture

strong

EU Transfers

no-transfer

Detected Signals

Specific data points and practices identified in the text

Data Collected

NameEmail addressPasswordProfile information from Google or AppleConversation inputs and outputsUploaded files, images, or documentsData from connected third-party services (e.g., Google Calendar, Google Drive)IP addressDevice typeOperating systemBrowser typeLanguage settingsGeneral location (country or city level derived from IP)Usage data and feature interaction dataPersonalisation preferencesDate of birth

Processing Purposes

Providing and operating the serviceContent moderation and safetyImproving services via aggregated and anonymised dataProduct analyticsService-related communicationsMarketing communications (with consent)Legal complianceProtecting legal rights

Third-party Sharing

Infrastructure and hosting providers (EU-based)PostHog analytics (EU-hosted, Frankfurt)Payment provider (unnamed)Legal and regulatory authoritiesProfessional advisors (legal, tax, audit)

International Transfers

No transfers outside the EU are performedAll infrastructure, processing, and storage is within the EUThird-party services connected by users (e.g., Google) remain subject to their own policies

AI / Model Training

Explicitly states user data is NOT used for AI model trainingConversations, files, preferences, and connected service data are excluded from trainingNo opt-out is necessary because training is prohibited by policy

Evidence Snippets

Direct quotes from the policy supporting these findings

When you create an account, we collect your name, email address, and password.

You cannot create an account without providing your name, email address, and date of birth.

We do not train AI models on your data. We do not use your conversations, your files, your preferences, or any data from your connected third-party services to train, fine-tune, or improve AI models.

We do not transfer your data outside the European Union. All of our infrastructure, data processing, and storage takes place within the EU.

Where a flag is raised, a limited number of trained safety staff may review the flagged content.

Missing or Unclear

No mention of a Data Protection Officer (DPO) or their contact details
No cookie policy or consent mechanism described despite analytics usage
Identity and location of the payment processor not disclosed
Specific names of open-source LLMs used not provided
No mention of Data Protection Impact Assessment (DPIA) or records of processing activities

Questions to Ask

Section 2 lists name, email, and password as required for account creation, while Section 12 adds date of birth; which fields are actually mandatory and why the discrepancy?
Is a Data Protection Officer appointed under Article 37 GDPR, and if so, why are their contact details not provided in the policy?
Which specific payment provider is used, and can you confirm it is also EU-based and bound by a data processing agreement?
Do the original developers or communities behind the open-source LLMs receive any telemetry, error reports, or model improvement signals derived from eustella's usage?
Given the admission that age cannot be technically verified without disproportionate intrusion, what is the legal basis and necessity for mandating date of birth collection under Article 5(1)(c) GDPR?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe

Try free →