Our Methodology

Every app on WhatDoTheyCollect receives a privacy risk rating — Low, Medium, or High. This page explains exactly what those ratings mean, what factors we consider, and the limitations you should be aware of.

Risk Ratings Explained

Low Risk

Apps with a Low rating collect minimal personal data and handle it responsibly.

  • Collects only a small number of data types, typically limited to what is necessary to operate the service
  • Clear and reasonable data retention periods stated in the policy
  • Strong user controls — easy opt-out, data deletion, and access rights
  • No cross-site tracking or behavioural advertising
  • No concerning practices flagged (e.g. selling data, broad third-party sharing without consent)

Medium Risk

Apps with a Medium rating collect a moderate amount of personal data or have some practices that warrant attention.

  • Moderate range of data types collected, including some that go beyond core functionality
  • Some third-party sharing present (e.g. analytics providers, service integrations)
  • Limited user controls — opt-out options exist but may require effort
  • One or two minor concerning practices, but nothing egregious
  • Data retention may be vague or longer than necessary

High Risk

Apps with a High rating collect extensive personal data and/or engage in practices that significantly impact user privacy.

  • Extensive collection of personal, behavioural, or sensitive data types
  • Broad sharing with many third parties, including advertising networks
  • Unclear, indefinite, or very long data retention
  • Cross-site tracking, behavioural advertising, or data broker relationships
  • Multiple concerning practices present — e.g. selling data, fingerprinting, opaque policies

What We Analyze

Our analysis reads the full privacy policy for each app and extracts information across these dimensions:

Personal data types

What categories of data are collected (name, email, location, biometrics, etc.)

Tracking methods

Cookies, pixels, device fingerprinting, cross-site tracking

Third-party sharing

Which third parties receive your data and for what purpose

Data retention

How long data is kept and under what conditions it is deleted

User controls

Opt-out, data access, correction, and deletion mechanisms available

Concerning practices

Data selling, advertising networks, unclear language, or unusual permissions

How Our AI Analysis Works

Each privacy policy is processed through an automated pipeline powered by Google Gemini. Here is what happens step by step:

  1. Fetch the privacy policy

    We retrieve the official privacy policy directly from the app's domain.

  2. Extract structured data

    Gemini reads the full text and extracts data types collected, third parties mentioned, retention info, user controls, and any concerning language.

  3. Assign a risk level

    Based on the criteria above, the model assigns Low, Medium, or High — and outputs a plain-language summary.

  4. Human review (spot checks)

    We periodically review AI output for accuracy and update summaries when policies change.

Limitations & Disclaimers

AI can make mistakes. Gemini interprets natural language, and privacy policies often use ambiguous or legalistic wording. Extraction errors are possible. If you spot an inaccuracy, please let us know.

Policies change. Companies can update their privacy policies at any time. Our data reflects the policy as it was at the time of analysis. Always check the current policy on the company's own website.

This is not legal advice. Our summaries and risk ratings are informational only. They do not constitute legal, regulatory, or compliance advice of any kind.

Risk is relative, not absolute. A "Low" rating means lower risk compared to common industry practice — it does not guarantee that an app is perfect or that data collection is negligible.

Always read the original. For decisions that matter, consult the company's actual privacy policy directly. We link to it from every domain page.