DentroChat logo
Try free

qdrant.tech privacy policy — score 65/100 (medium risk)

Last analyzed

This report is more than 28 days old. It shows the last saved analysis for this policy — refresh to re-fetch the live page and update the score.

Report details

medium risk

Qdrant’s policy leans heavily on legitimate‑interest and US third‑party transfers, gives consent options for newsletters, but lacks clear limits on data collection and any mention of AI model training, making it only moderately privacy‑friendly.

The privacy policy provides the required legal bases and lists many processors, but it often relies on legitimate interest for core website functions, gives vague retention periods, and does not disclose whether user data is used to train AI models. International transfers are covered by SCCs and the EU‑US Data Privacy Framework, yet the reliance on US providers remains a risk. User rights are described, but practical mechanisms (e.g., easy withdrawal of consent, DPO contact process) are not detailed.

Last analyzed
SourceURL
Length120,000 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimizationfair

The policy does not specify limits on the amount of data collected; it lists many data points (IP, browser details, usage logs) collected by default.

Transparencyfair

Legal bases are listed, but the description of processing purposes is generic and does not detail profiling or AI model training.

Third-party Sharingfair

Numerous third parties (HubSpot, Segment, Google Analytics, Mixpanel, Stripe, Netlify) are used, many based outside the EEA, with reliance on SCCs.

International Transfersfair

Transfers are covered by SCCs and the EU‑US Data Privacy Framework, but the policy lacks per‑processor risk assessments.

AI/Model Trainingpoor

No mention of whether personal data is used to train Qdrant’s AI models or how users can opt‑out.

User Rightsgood

Rights are enumerated (access, rectification, erasure, portability, objection) and contact details for the DPO are provided.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Critical

No disclosure of AI or model‑training usage

The policy never mentions whether personal data collected via the website or cloud service is used to train or improve Qdrant’s AI models, leaving a significant transparency gap.

Warning

Extensive reliance on legitimate interest for core website functions

The policy states that IP address, browser details, and other log data are processed on the basis of Art. 6(1)(f) GDPR as a legitimate interest, without offering a clear opt‑out mechanism for users.

Warning

Broad international data transfers to US providers

Multiple US‑based processors (HubSpot, Segment, Google Analytics, Mixpanel, OneTrust, Netlify) are used, with transfers justified by standard contractual clauses or the EU‑US Data Privacy Framework, but the policy does not disclose specific safeguards per processor.

Info

Vague data retention periods for many categories

While log files are deleted after 14 days and IPs after 90 days, other data (e.g., newsletter contacts, customer accounts) have no explicit retention schedule, relying on “as long as necessary” language.

Info

Consent management for newsletters is described, but the revocation process is unclear

The policy says consent can be revoked by clicking a link or emailing, but does not specify how quickly the revocation is processed or whether it automatically stops all marketing communications.

Consumer Takeaway

Your data may be shared with many US‑based services (e.g., HubSpot, Google Analytics, Mixpanel) under standard contractual clauses; you can object to direct marketing, but the policy does not clearly explain how your data might be used for AI training or profiling beyond marketing.

Compliance Posture

Mixed – the policy meets many formal GDPR requirements (legal bases, rights, DPO contact) but falls short on transparency about data minimisation, purpose limitation, and AI usage.

EU Transfers

Transfers to the US are justified by SCCs and the EU‑US Data Privacy Framework, but the policy does not provide detailed safeguards for each processor, nor does it offer an easy way for data subjects to object to such transfers.

Detected Signals

Specific data points and practices identified in the text

Data Collected
IP addressDate and time of requestTime zone difference to GMTContent of the request (specific page)Access status/HTTP status codeAmount of data transferredWebsite referrer URLBrowser operating system and versionLanguage and version of the browser softwareFirst and last nameE‑mail addressCustomer IDRegionCluster statusCloud providerAuthentication typePayment informationRAM usageDeployment type
Processing Purposes
Website stability and securityProviding and maintaining Qdrant Cloud ServiceCustomer support and contact form handlingMarketing newsletters and direct advertisingStatistical analysis and service improvementPayment processingEmployment recruitmentAnalytics and profiling for advertising
Third-party Sharing
HubSpot (USA, EU processing)Segment (USA)Google Analytics (USA)Google Tag Manager (USA)Mixpanel (USA)OneTrust (USA)Netlify (USA)Stripe (USA and EU)Auth0 (USA, SCCs and EU‑US Data Privacy Framework)Mailjet (EU)HeyData (EU)
International Transfers
Standard contractual clauses for Netlify, Segment, OneTrust, Stripe, Auth0EU‑US Data Privacy Framework for HubSpot, Stripe, Auth0

Evidence Snippets

Direct quotes from the policy supporting these findings

During the informative use of the website, ... we collect the personal data that the browser transmits to our server ... This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

We use HubSpot to manage leads ... The provider processes usage data ... in the EU. The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR.

We use Google Analytics for analytics. ... The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent.

Data subjects have the following rights ... Right of access, Right to correction or deletion, Right to limit processing, Right to object ...

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred ... is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR).

Missing or Unclear

  • Explicit statement on whether personal data is used for AI model training or improvement
  • Detailed retention periods for non‑log data (e.g., newsletter contacts, customer accounts)
  • Clear opt‑out mechanism for legitimate‑interest processing of website logs
  • Information on profiling beyond direct marketing

Questions to Ask

  • Do you use any of the collected personal data (including log data) to train or improve Qdrant’s AI models, and if so, can users opt‑out?
  • What specific safeguards (technical or contractual) are in place for each US‑based processor beyond the generic SCCs?
  • How is consent for analytics (Google Analytics, Mixpanel, etc.) obtained and recorded, and can users withdraw it easily?
  • Can you provide a detailed retention schedule for each data category (e.g., newsletter subscribers, customer accounts, payment data)?
  • Is there a mechanism for users to object to the legitimate‑interest processing of website logs, and how is that request handled?
This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe
Try free →