langdock.com privacy policy — score 78/100 (low risk)

Last analyzed 4 June 2026

78privacy score

Langdock GmbH · langdock.com

Report details

low risk

Langdock is a privacy-conscious EU-based AI platform that explicitly bans using your content to train AI models and keeps data in the EU, though it relies on some US sub-processors and has vague retention periods in places.

Langdock GmbH's privacy policy is well-structured and GDPR-aligned, with strong commitments on AI training and EU data residency. Key strengths include a clear processor role for workspace content, an explicit no-AI-training pledge, and appointed DPO. Weaknesses include reliance on US providers (Microsoft, Google) with only generic safeguard references, vague retention periods for several categories, and a sub-processor list that is referenced but not included in the policy text itself.

Last analyzed4 June 2026

SourceURL

Length24,859 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimizationgood

Each processing purpose lists specific data categories; telemetry is explicitly anonymized and aggregated, and payment data is offloaded to Stripe.

Transparencygood

Legal basis is cited for every processing activity with clear purpose descriptions; however, the sub-processor list is externalized to the Trust Center and not embedded in the policy.

Third-party Sharingfair

Key sub-processors like Microsoft, Google, and Stripe are named, but the full list is only available via an external link; a merger/acquisition data sharing clause is broad.

International Transfersfair

Commits to EU-based processing as a rule, but allows third-country transfers 'in rare cases' with standard safeguards; the use of US cloud providers creates an inherent transfer risk not fully quantified.

AI/Model Traininggood

Explicitly states 'Your data is not used for training AI models' and that content is processed solely to provide contracted services under the DPA.

User Rightsgood

All standard GDPR rights are listed with clear descriptions, contact email, and the specific supervisory authority (Berlin DPA) is named.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Warning

Sub-processor list externalized and not in policy text

The policy references a sub-processor list in the Trust Center but does not include it inline. Users must navigate externally to see who processes their data. The named providers (Microsoft, Google, Stripe) are US-based, implying international transfers that are not individually detailed.

Warning

Vague retention periods for several data categories

While some retention periods are specific (30 days post-contract for user accounts, 10 years for billing, 6 months for job applications), others rely on vague language like 'after the expiration of the statutory retention periods for business communications' without specifying the duration.

Warning

Merger and acquisition data sharing clause is broad

Section 3(b) allows data sharing with prospective or actual acquirers and their advisors in M&A scenarios, subject only to confidentiality obligations and necessity. No specific safeguards like prior notification or consent are mentioned.

Info

Explicit no-AI-training commitment

Section 2(g) states unambiguously that user content (chats, projects) is not used for training AI models. This is a strong privacy-positive commitment that addresses a key concern for AI platforms.

Info

Legitimate interest used for product emails to existing users

Section 2(e) uses legitimate interest (Art. 6(1)(f) GDPR + Section 7(3) UWG) to send product update emails to registered users unless they object. This is a soft opt-out approach rather than explicit consent, which is permissible under German law but less privacy-protective than opt-in.

Info

Telemetry data claims of non-personal nature are unverified

Section 2(g) claims telemetry data 'does not allow any conclusions to be drawn about individual persons' and 'never contains personal data,' but aggregated usage statistics and error messages tied to sessions could potentially be re-identifying, especially for small workspaces.

Info

Automated decision-making with human review safeguard

Section 5 acknowledges that bot/spam detection may constitute Art. 22 GDPR automated decisions with significant effect, but provides a clear human review mechanism via support@langdock.com. This is a well-handled disclosure.

Consumer Takeaway

Your chat and workflow content on Langdock is NOT used to train AI models, and your employer (not Langdock) controls that data. However, some of your account and billing data flows to US-based sub-processors like Microsoft and Google.

Compliance Posture

Strong GDPR compliance posture with DPO appointed, ISO 27001 and SOC 2 Type II certifications, and clear legal basis citations for every processing activity. Minor gaps in sub-processor transparency and retention specificity.

EU Transfers

Data is generally processed in the EU, but transfers to third countries can occur 'in rare cases' using SCCs, adequacy decisions, or the EU-U.S. Data Privacy Framework. The use of Microsoft and Google as sub-processors likely involves some US transfers, which is not fully detailed.

Detected Signals

Specific data points and practices identified in the text

Data Collected

First and last nameEmail addressMobile phone numberCompany nameJob titleProfile pictureIP addressAuthentication data (SSO)Address dataPayment data (via Stripe)Billing and subscription dataServer log filesCommunication contentApplication documentsBank details (partner program)

Processing Purposes

Website operation and securityUser account management and authenticationFraud and misuse preventionCustomer support and inquiry handlingBilling and payment processingNewsletter and product communicationsPhone/video/webinar communicationsPlatform telemetry and error detectionPartner program administrationSocial media communicationsJob application processingAutomated bot/spam detection

Third-party Sharing

Sub-processors listed externally in Trust CenterMicrosoft (cloud/infrastructure)Google (email/communication)Stripe (payment processing)External advisors (lawyers, tax advisors)Prospective/actual acquirers in M&A scenariosGovernment/law enforcement when legally required

International Transfers

EU-based processing as defaultThird-country transfers in rare casesSafeguards: adequacy decisions, EU-U.S. Data Privacy Framework, standard contractual clausesUS-based sub-processors (Microsoft, Google, Stripe) likely receive data

AI / Model Training

Explicit statement: user content is NOT used for AI model trainingContent processed solely for providing contracted servicesProhibited from other use under DPA

Evidence Snippets

Direct quotes from the policy supporting these findings

Your data is not used for training AI models.

As a general rule, we process personal data on servers within the European Union. In rare cases, particularly when services are not available in the EU or when you are located outside the EU and contact us, data may be transferred to 'third countries' outside the EU or the European Economic Area.

We delete your user account and associated data upon request or no later than within 30 days after termination of the contractual relationship, unless statutory retention obligations apply.

The processors used in the Langdock platform can be found in our list of sub-processors in our Trust Center.

In the context of a merger, acquisition, or sale, data may also be shared with the prospective or actual acquirer and their advisors. Such disclosure occurs only to the extent necessary and subject to confidentiality obligations.

Missing or Unclear

Full sub-processor list with transfer mechanisms for each
Specific retention periods for support communications and social media data
Details on which third-country transfers actually occur and with which providers
Cookie categories and specific cookies used
Data breach notification procedures
DPIA (Data Protection Impact Assessment) references
Specific details on encryption standards used

Questions to Ask

Which sub-processors process data outside the EU, and what specific transfer mechanisms (SCCs, DPF certification) are in place for each?
What are the exact retention periods for support communications, social media messages, and telemetry data?
How is telemetry data anonymized, and has a re-identification risk assessment been conducted, especially for small workspaces?
In the event of an M&A transaction, will data subjects be notified before their data is shared with the acquirer?
What specific cookies and tracking technologies are currently deployed on the website beyond technically necessary ones?
How quickly does Langdock respond to data subject rights requests (access, deletion, portability), and is there an automated self-service mechanism?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe

Try free →