tella.com privacy policy — score 55/100 (medium risk)
Last analyzed
Tella HQ Inc. · tella.com
Report details
medium riskTella collects sensitive video data and shares it with numerous US-based AI and analytics providers without clearly stating if your data trains their models, making it a mixed bag for EU users.
The policy is relatively transparent about data categories and legal bases, correctly identifying video recordings as special category data requiring explicit consent. However, it suffers from significant gaps regarding AI sub-processors, contradictory language on profiling, and a massive list of US-based third parties receiving EU user data, including biometric and video content. While Standard Contractual Clauses are mentioned for international transfers, the scope of data sharing with AI companies without explicit model training opt-outs is a major concern.
Category Assessment
Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.
Collects necessary account and support data, but the breadth of analytics tracking and sending video content to multiple AI providers pushes the boundaries of minimization.
The policy lists purposes and legal bases clearly, but uses confusing terminology regarding profiling and completely omits whether AI providers use data for model training.
An exceptionally long list of sub-processors, predominantly US-based, handle user data, including highly sensitive video content analyzed by AI companies.
Data is stored in the US and shared with over 20 US-based sub-processors; while SCCs are mentioned, the scale of US transfers for special category data is concerning.
The policy is completely silent on whether user data (especially video transcriptions and summaries) is used to train third-party AI models, which is a critical gap.
GDPR rights are clearly listed with specific explanations, contact details are provided, and the response window complies with the one-month statutory limit.
Key Findings
Notable clauses, issues, or positive practices discovered (critical first)
AI Sub-processor Ambiguity on Model Training
The policy lists several AI providers (Anthropic, OpenAI, AssemblyAI) for analyzing, summarizing, and transcribing video content, but it fails to explicitly state whether these third parties use the input data to train their own AI models. This is a major red flag under the GDPR principle of purpose limitation and data minimization, especially for special category data.
Contradictory Profiling Claims
Section 3.5 explicitly lists 'Profiling for our research, development and improvement of our Services' as a purpose based on legitimate interest, while Section 5 claims 'We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.' This creates confusion about what kind of profiling is actually occurring and whether it goes beyond Article 22.
Extensive US Transfers of Special Category Data
The vast majority of sub-processors are located in the United States, meaning EU user data, including special category video data, is heavily transferred out of the EEA. While Standard Contractual Clauses are mentioned, the volume and nature of these transfers present significant privacy risks given the US surveillance landscape.
Special Category Data Handling
The policy correctly identifies video recordings (facial image, voice) as special category data and relies on explicit consent (Article 9 GDPR) for consumer accounts, which is appropriate, but requires strict verification that consent is genuinely obtained before processing begins.
Consumer Takeaway
Your video recordings, including your face and voice, are processed by Tella and sent to US-based AI companies like OpenAI and Anthropic for transcription and summarization. It is unclear if these AI companies use your videos to train their models.
Compliance Posture
mixed
EU Transfers
poor
Detected Signals
Specific data points and practices identified in the text
Evidence Snippets
Direct quotes from the policy supporting these findings
Anthropic (Anthropic PBC) Location: United States Purpose: To analyse and summarise video content created with Tella.
3.5. Website analytics data... Purpose: Profiling for our research, development and improvement of our Services. Legal basis: Necessary for the purpose of our legitimate interests...
We do not use your personal data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
If we share your personal data in accordance with this Tella Privacy Policy within group, or with a third party located outside the European Economic Area, we ensure where required that appropriate safeguards are in place... particularly by signing the Standard Contractual Clauses
Missing or Unclear
- AI model training opt-out
- Data Protection Impact Assessment (DPIA) summary
- Cookie consent details
- Anonymization or pseudonymization strategies for analytics
Questions to Ask
- Do your agreements with AI sub-processors like OpenAI and Anthropic explicitly prohibit the use of Tella customer data for training their foundation models?
- What specific profiling activities are occurring under Section 3.5, and how do they differ from the Article 22 profiling denied in Section 5?
- How exactly is explicit consent collected from consumer users before their facial image and voice (special category data) in video recordings are processed and sent to third parties?
- Have Data Protection Impact Assessments (DPIAs) been conducted for the processing of special category video data and its transfer to US-based AI providers?
Share this analysis
Anyone with this link can view the result above.
Built by DentroChat
100% European AI chat for everyone
Chat with AI, work with files, generate images, and search the web. Data stays in Europe.