Do they own your data? Chattermill Privacy Policy Reviewed.

Chattermill receives a 4/10 enterprise readiness score - partially ready for large-scale deployment. While offering solid customer experience analytics capabilities, gaps in enterprise security, compliance frameworks, and advanced admin controls may limit adoption in highly regulated industries.


Final Enterprise Readiness Rating: 4/10

⚠️ Partially ready (Reviewed 2026).

| Area | Verdict | Notes |
|---|---|---|
| Data Residency & Storage | ⚠️ Partial | Mentions international transfers but no specific data residency options or geographic controls |
| AI Model Use | ❌ High Risk | Zero information about AI models, training data usage, or external LLM dependencies despite being an AI analytics platform |
| Data Minimization | ⚠️ Partial | Collects extensive usage data, logs, and user content with broad processing purposes |
| Privacy Controls | ⚠️ Partial | Offers individual opt-out controls but no mention of enterprise-wide privacy settings or admin controls |
| Compliance & Auditability | ⚠️ Partial | Shows GDPR compliance understanding but no mention of SOC 2, ISO 27001, or HIPAA certifications |
| Consent Handling | ✅ Good | Clear distinction between controller/processor roles and consent withdrawal mechanisms |
| Model Explainability | ❌ High Risk | No information about AI decision-making processes, model explanations, or observability |
| Data Retention & Deletion | ⚠️ Partial | Mentions 6-year tax requirement and general deletion principles but lacks specific automation details |
| Third-Party Sharing | ⚠️ Partial | Lists categories of third-party sharing and promises detailed lists, but sharing purposes are broad |


⚠️ Recommendation for Enterprises:

Adopt Chattermill with caution. Be especially careful if you handle:

  • Healthcare data requiring HIPAA compliance
  • Financial data requiring SOC 2
  • Highly sensitive AI/ML intellectual property
  • Regulated industry data requiring audit trails

Instead, consider AI tools that:

  • Provide SOC 2 Type II and ISO 27001 certifications
  • Offer data residency controls and geographic boundaries
  • Implement AI model transparency and explainability features
  • Add enterprise-grade privacy administration controls

Better Alternative:

BuildBetter.ai — GDPR, SOC 2 Type 2, and HIPAA compliant

Zero training on customer data

You own your data. Fully opt-in privacy model.

🔍  Chattermill Privacy Policy – Enterprise Risk Assessment

Audience: Security-conscious enterprise organizations evaluating an AI customer feedback analytics and sentiment analysis platform for internal use in highly sensitive or regulated environments (e.g. legal, healthcare, finance, tech/IP-heavy orgs).


⚠️ Where Chattermill Falls Short – Critical Gaps


🔒  1. Data Residency & Storage

Quote: "Where we transfer personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission."

Risk: Enterprises need explicit data residency controls to meet regulatory requirements. Without clear geographic boundaries, data could be processed anywhere globally.

Enterprise Issue:

  • No data residency guarantees
  • No mention of VPC or on-premise options
  • Unclear where customer data is actually stored

Verdict: ⚠️ Vague on location controls


🧠  2. AI Model Use

Risk: For an AI sentiment analysis platform, the complete absence of AI model documentation is a red flag. Enterprises need to know if their data trains models or feeds external AI systems.

Enterprise Issue:

  • No disclosure of AI model architecture
  • Unknown if customer data trains models
  • No bring-your-own-model options mentioned

Verdict: ❌ Complete AI transparency failure


📊  3. Data Minimization

Quote: "We collect the following personal data in connection with your use of the platform: Usage Data: information related to transactions you conduct on the platform, for example the functionality you use and the links clicked on our platform... Log Data: information automatically recorded by the platform about how a person uses our platform, such as IP addresses, device and browser type, operating system, the pages or features of our platform to which a user browsed, the time spent on those pages or features"

Risk: Extensive behavioral tracking and logging creates unnecessary data exposure. Enterprises need minimal data collection to reduce breach impact and regulatory exposure.

Enterprise Issue:

  • Broad usage tracking
  • No data minimization controls
  • Extensive logging without clear business necessity

Verdict: ⚠️ Broad data collection with weak justification


⚙️  4. Privacy Controls

Quote: "You can opt-out of non-essential emails such as marketing emails by clicking on the unsubscribe link at the bottom of each such email... Where you have consented to Chattermill's processing of your personal data, you may withdraw that consent at any time"

Risk: Enterprises need centralized privacy controls and workspace-level settings. Individual-only controls create administrative burden and compliance gaps.

Enterprise Issue:

  • No enterprise admin controls mentioned
  • Only individual-level privacy settings
  • No workspace-wide privacy configuration

Verdict: ⚠️ Basic individual controls, no enterprise administration


📦  5. Compliance & Auditability

Quote: "We will process personal data in a manner that ensures appropriate security of the personal data, including protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

Risk: Enterprises require formal security certifications and audit trails. Vague security promises without certifications are insufficient for regulated industries.

Enterprise Issue:

  • No SOC 2 Type II certification mentioned
  • No ISO 27001 or other security standards
  • Vague security measures without specifics

Verdict: ⚠️ GDPR aware but missing key certifications


📝  6. Consent Handling

Quote: "Under GDPR, there is a distinction between a 'controller' and 'processor' of personal data. Where a Customer shares Customer End User Data with us, we are the processor of personal data and the Customer is the data controller."

Risk: Good understanding of data controller/processor roles, which is essential for enterprise compliance programs.

Enterprise Issue:

  • No automated consent workflows mentioned
  • Individual consent only, no enterprise-wide consent management

Verdict: ✅ Solid GDPR consent framework


🔍  7. Model Explainability

Risk: For an AI analytics platform, the absence of explainability features is unacceptable. Enterprises need to understand and audit AI decisions affecting their business.

Enterprise Issue:

  • No AI explainability features mentioned
  • No model decision logs
  • No observability into AI processing

Verdict: ❌ AI black box - zero transparency


🧼  8. Data Retention & Deletion

Quote: "We are required under UK tax law to keep your name, contact details and billing data for a minimum of 6 years (after which it will be destroyed). Other data will be deleted as and when there is no longer a lawful basis for processing it."

Risk: Vague deletion promises create compliance uncertainty. Enterprises need specific retention schedules and automated deletion guarantees.

Enterprise Issue:

  • No configurable retention periods
  • Unclear automated deletion processes
  • No post-contract data handling specifics

Verdict: ⚠️ Basic retention but unclear automation


🤝  9. Third-Party Sharing

Quote: "We may share personal data with: third party providers who provide us with support, hosting, and database management services amongst other things; outside professional advisors (such as lawyers and accountants) for purposes related to the operation of our business such as auditing, compliance, and corporate governance; and our subsidiaries."

Risk: Broad third-party sharing categories create uncertainty about data exposure. The 'amongst other things' language is particularly concerning for enterprises.

Enterprise Issue:

  • Vague 'amongst other things' language
  • No data selling prohibition
  • Broad sharing purposes without clear limits

Verdict: ⚠️ Transparency attempt but insufficient detail


✅ What Chattermill Does Right (Credit Where It's Due)

  • Clear GDPR controller/processor distinction
  • Transparent about data collection categories
  • Offers data subject rights and consent withdrawal
  • References separate data processing agreements for enterprise contracts

Disclaimer: This evaluation is based solely on publicly available information and documentation. For formal enterprise vetting, always request a vendor's latest DPA, security whitepaper, and third-party audit reports.