Privacy Policy Analyzer

Paste a legal page URL or text and get a detailed compliance-style report on data collection, sharing, model training signals, and possible EU transfer risks.

Informational tool only. This is not legal advice.

65/ 100

Analysis Report

medium risk

GetYourGuide discloses many data uses and third‑party transfers, but over‑collects data and lacks clear limits on AI training and profiling.

The policy is detailed and provides many GDPR‑required rights, but it collects a wide range of data, relies heavily on legitimate interest, transfers personal data to numerous non‑EEA processors, and does not clearly state whether AI providers use the data for model training or profiling.

SourcePasted text

Length65,713 chars

Enginellm

Category Assessment

Breakdown of the policy across key compliance areas

dataMinimizationfair

Collects extensive device, click‑stream and behavioural data beyond what is strictly needed for booking.

transparencygood

Provides detailed sections, lists most processors and legal bases, but some AI and profiling purposes are vague.

thirdPartySharingfair

Shares data with dozens of processors worldwide; disclosures are present but the breadth is high.

internationalTransfersfair

Relies on SCCs and the EU‑U.S. Data Privacy Framework for many transfers, but the number of jurisdictions is large.

aiModelTrainingpoor

Uses AI services (Zowie, Automaited, OpenAI) without stating whether personal data is used for model training or offering an opt‑out.

userRightsgood

Clearly enumerates GDPR rights, contact details and mechanisms for exercising them.

Key Findings

Notable clauses, issues, or positive practices discovered

Warning

Broad automated data collection on legitimate interest basis

The policy automatically collects URL, latency, device info, clicks, pages shown and IP address for security and fraud prevention, citing Art. 6(1)(f) GDPR.

Warning

Extensive third‑party processor ecosystem with cross‑border transfers

Numerous processors (Zendesk, Zowie, Automaited, AWS, Twilio, Transcom, Cohere, Teleperformance, etc.) process data outside the EEA, relying on SCCs or the EU‑U.S. Data Privacy Framework.

Critical

AI services used without clear data‑training safeguards

AI tools (Zowie, Automaited, OpenAI) are employed for customer‑service assistance, but the policy does not state whether personal data is used to train models or how users can opt‑out.

Warning

Profiling for personalised recommendations and marketing on legitimate interest

Wishlists and personalised ads are processed on the basis of legitimate interest (Art. 6(1)(f)), yet no explicit assessment of proportionality or opt‑out for profiling is provided.

Info

Retention periods are often unspecified

Only IP addresses have a 30‑day deletion rule; most other data categories lack clear retention timelines.

Consumer Takeaway

Your data is shared with many partners worldwide and may be used for profiling and AI services without a clear opt‑out.

Compliance Posture

Mixed – strong on user rights and transparency of third‑party names, weaker on data minimisation, profiling safeguards and AI usage.

EU Transfers

Transfers to the US, UK, Israel, Canada, Hong Kong, Australia, Japan and other jurisdictions rely on SCCs or the EU‑U.S. Data Privacy Framework, but the sheer volume of transfers raises proportionality concerns.

Detected Signals

Specific data points and practices identified in the text

Data Collected

URL of the accessed pageLatency of the network connectionDate and timeDevice information (OS, browser, app version, language, crashes)Clicks and pages shownIP addressFull nameEmail addressPasswordAuthentication token (when using Facebook/Google/Apple)Wishlist itemsReview content, rating, photos, age range, country, first nameCustomer service enquiry content (name, email, booking number, etc.)Phone numberBilling addressPassport number (when required)Payment confirmation data (partial card numbers, transaction IDs)Social media handles and profile data (when interacting via social channels)Cookies, SDK identifiers, device IDs

Processing Purposes

Platform operation and securityFraud preventionAccount creation and managementPersonalised recommendations and targeted advertisingCustomer reviews and ratingsCustomer service handlingService improvement and analyticsMarketing newslettersBooking fulfilmentPayment processingInsurance underwritingResearch surveys and panelsHeat‑mapping and UI optimisationSocial‑media activity analysisCRM and contextual advertisingWebsite content personalization

Third-party Sharing

Activity Providers (independent controllers)Customer‑service processors (Transcom, Cohere, Teleperformance, Zendesk, Zowie, Automaited, Sprout Social)Hosting (AWS – EU servers, but also US transfers)Email (Twilio/Sendgrid – US)Fraud‑prevention tools (Sift Science – US, Ethoca – Canada)Marketing platforms (Google, Meta, TikTok, Criteo, Microsoft, Snap, etc.)Analytics and research partners (Hotjar, Looker, Chattermill, Simplesat, Respondent, Userlytics, Lookback)Payment processors (Adyen, Primer, PayPal, Stripe, Checkout.com, Klarna, Chargebacks911)Legal, audit, tax and accounting service providers

International Transfers

USA (Zendesk, Twilio, AWS, Datadog, Sift Science, Meta, Google, etc.)UK (Primer, Chattermill, Looker, etc.)Israel (Cheq)Canada (Ethoca)Hong Kong (Simplesat)Australia (Rakuten Marketing)Japan (LinkShare)Other non‑EEA jurisdictions via SCCs or the EU‑U.S. Data Privacy Framework

AI / Model Training

Use of AI services Zowie, Automaited and OpenAI for customer‑service assistanceNo explicit statement that personal data is excluded from model training

Evidence Snippets

Direct quotes from the policy supporting these findings

When you visit the GetYourGuide Platform, GetYourGuide automatically collects the following information... IP address ... stored encrypted and is deleted after a period of 30 days.

We also work with specialized customer service providers such as Transcom WorldWide AB (“Transcom”), Cohere Outsourcing Philippines (“Cohere”), and Teleperformance SE (“Teleperformance”)... may process Personal Data in countries outside the European Economic Area.

We additionally use the services of Sprout Social, Inc. (“Sprout Social”)... may process your social media handle, username, profile picture... in the USA.

We use the services of Zowie and aiConomix GmbH (“Automaited”) that offer AI technology that assists in managing and responding to customer queries.

You have the option to create wish lists... we use this information to provide you with personalized recommendations and targeted advertisements. This is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR).

Missing or Unclear

Specific data retention periods for most categories (except IP address).
Explicit lawful basis for profiling beyond legitimate interest assessment.
Clear statement on whether AI providers use personal data for model training or how users can opt‑out.
Details of DPIA or privacy impact assessment for high‑risk processing (e.g., profiling, AI).

Questions to Ask

Do Zowie, Automaited and OpenAI use the personal data they process for training their models, and can users opt‑out?
What specific retention periods apply to each data category (e.g., wishlists, reviews, payment data)?
Has a Data Protection Impact Assessment been conducted for the extensive profiling and AI‑driven services?
How does GetYourGuide ensure that legitimate‑interest assessments for wishlists and personalised ads meet the GDPR balancing test?
What mechanisms are in place to guarantee that data subject requests are honoured across all third‑party processors, especially those outside the EEA?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe

Try free →