Ainode Privacy Glossary · Auditor: Tomás Maria Vaz de Noronha
Any movement of personal data outside the EU/EEA. Uploading heart-rate data from your smart ring to a US server: transfer. Streaming audio from your AI earbuds to a Chinese voice-recognition cloud: transfer. Even backing up a fitness app to a non-EU iCloud or Google Drive: transfer. The transfer happens at the moment the data crosses the border, not at the moment of analysis.
GDPR Articles 45 (adequacy decisions), 46 (appropriate safeguards — SCCs, BCRs, codes of conduct), and 49 (specific situations / derogations). Most consumer wearables rely implicitly on either an adequacy decision (the destination is on the EU's adequate list) or SCCs (typically tucked away in a vendor privacy policy). Article 49 derogations — explicit consent, contractual necessity — apply in narrower cases.
A privacy policy can claim "we comply with GDPR" or "we use SCCs" without proof. A forensic packet capture shows where the data actually goes. Ainode's 3-pass methodology resolves every destination IP to its hosting country and reports the flow openly. See /methodology for the process and /reviews for examples.
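The destination-to-country step described above, sketched as an added example; it is not Ainode's tooling or its 3-pass methodology. The prefix table and flow records are constructed sample data on documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = frozenset(("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
                 "PL PT RO SK SI ES SE IS LI NO").split())

# LAN and link-local destinations never leave the local network.
LOCAL = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "169.254.0.0/16", "fe80::/10")]

# Constructed prefix-to-country table (assumption); a real run would load
# a GeoIP or WHOIS-derived dataset instead.
GEO = {ipaddress.ip_network(p): c for p, c in {
    "192.0.2.0/24": "DE", "198.51.100.0/24": "US",
    "203.0.113.0/24": "CN", "2001:db8::/32": "IE"}.items()}

# Constructed flow summary: (destination IP, bytes sent by the device).
FLOWS = [("192.0.2.10", 4200), ("198.51.100.7", 91000), ("198.51.100.7", 3000),
         ("203.0.113.99", 15000), ("2001:db8::5", 800),
         ("192.168.1.1", 600), ("100.64.3.3", 50)]


def country_of(ip):
    """Longest-prefix match against GEO; None when no prefix covers ip."""
    hits = [n for n in GEO if ip in n]
    return GEO[max(hits, key=lambda n: n.prefixlen)] if hits else None


def classify(flows):
    """Aggregate bytes per destination country and label each one."""
    report = defaultdict(lambda: {"bytes": 0, "status": ""})
    for dst, nbytes in flows:
        ip = ipaddress.ip_address(dst)
        if any(ip in n for n in LOCAL):
            continue  # stayed on the local network, no border crossed
        cc = country_of(ip)
        if cc is None:
            key, status = "unresolved", "unresolved"  # never assume EEA
        elif cc in EEA:
            key, status = cc, "EEA"
        else:
            key, status = cc, "transfer"  # needs an Art. 45/46/49 basis
        report[key]["bytes"] += nbytes
        report[key]["status"] = status
    return dict(report)
```

IP-to-country data is approximate for anycast and CDN addresses, so an "EEA" or "transfer" label from a lookup like this is a lead to confirm, not proof of where the data is processed.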