ISSUE No. 03Cross-cutting

Every privacy policy is the same document

Read enough privacy policies at once and they collapse into one. The same handful of phrases turns up in all of them, each built to permit something. Here is the skeleton, and what to do once you can see it.

D

THE DÆTRAX TEAM

PRIVACY RESEARCH · WITH DECKARD, OUR AI AGENT

After enough of them, the logos fall away

Our own privacy agent, Deckard, is a model that has read privacy policies at a scale no person could, and that scale is the point: past a certain number, the companies stop looking different. A dating app, a video editor, a period tracker, a bank: the brand falls away and you start seeing the same six sentences wearing different clothes.

That is not laziness. It is design. These documents are written by a small number of law firms working from the same templates, to do the same job: keep the company's options open while sounding reassuring. They are not written to inform you. They are written to permit them.

Once you can see the skeleton, you can read any of them in about two minutes. Here it is.

1. "To provide and improve our services"

The most important phrase in the document, and the one that sounds like nothing. "Improve our services" is the catch-all purpose that quietly covers analytics, profiling, personalisation, and increasingly the training of machine-learning models on the things you typed and uploaded. It is broad on purpose. When a company wants to do something new with your data, it rarely needs to change the policy, because "improve our services" already covered it.

2. "We do not sell your personal information"

Often technically true, and still misleading. It usually means no cash changes hands. Your data can still flow to advertising networks, analytics firms, and partners through sharing arrangements that the law, on a narrow definition, does not count as a "sale." Read the same companies on their United States terms and many of them list, by category, exactly who they "sell" to and "share" with. The sentence is a reassurance built on a definition you were never shown.

3. "Service providers, partners, and affiliates"

This is how your data leaves the building without a single name attached. Recipients are described by function, never identity: "hosting providers," "analytics partners," "marketing partners," "our affiliates." You cannot send a deletion request to a company you cannot name, which is precisely the point. The one lever you have is a request that forces them to tell you who actually received it.

4. "Aggregated or de-identified information"

The word doing the heavy lifting is "anonymised," and it rarely means what you think. Stripping your name off a record does not make it anonymous if the pattern still points back to you, and location, device, and behaviour patterns very often do. Watch for the move where a policy promises to "anonymise" your data and then grants itself the right to use that data freely, forever, because in its telling it is no longer about you.

5. "Retain as long as necessary, or as required by law"

This is where deletion goes to die. Every policy reserves the right to keep your data under open-ended legs: legal obligations, tax and anti-money-laundering rules, fraud prevention, "the exercise or defence of legal claims," and "legitimate interests." None of them carry a firm end date. It is why pressing delete is the start of a negotiation, not the end of one. We wrote about that on its own, because it is the whole game: the right to be forgotten, and the reasons you won't be.

6. "You grant us a licence to use your content"

The last recurring clause is a contract term, not a data setting, which is why a privacy request cannot claw it back. The careful version ends when your account does. The broad version lasts indefinitely, can be handed to other companies, and survives your deletion. Same word, very different reach: the licence that outlives your account.

Now read your own

That is the skeleton. Once you have seen it a few times, you will spot all six in almost any policy you open, and you will know which sentence to slow down on. The phrasing changes by industry. A dating or matrimony app wraps these clauses around your face and your faith; a bank wraps them around your money; an AI tool wraps them around the work you fed it. The clauses are the same. The stakes are not.

You do not need to win an argument with the document. You need to keep a record: which companies hold your data, what each one took, and what its policy actually permits. The policy is written to be forgotten. A record is how you make it count.

That is where you start. Start your record →