I know that Cliqz initially sourced clickstream data from companies outside the EU (in particular Isreal) to build its search index on. Most of this data was not acquired with the informed consent of the users, who were "donating" it unwittingly through browser extensions they had installed. I think this eventually led Cliqz to build its own extensions and acquire Ghostery, which had amassed an enormous stockpile of personal data (related to cookies in particular) using a similar scheme. So I'd say a little skepticism is warranted, even though it's possible that Cliqz really turned the boat around later in terms of respecting user privacy.