I think the privacy policies tend to be accurate in terms of describing what they are submitting/collecting from you. The reason there is simple -- anyone with the same tools we use for malware analysis can easily detect and catch red-handed deviations from that policy. It's very hard to hide what you are collecting and uploading for software you distribute to millions of users.All these privacy policies are well and good, but we will never know if they are following them. I assume I have very little privacy online and in most devices for that matter.
However, what they claim to do with it, that's purely based on trust and short of whistleblowers/disgruntled ex-employees, it's pretty hard to get the truth. For example, F-Secure claims that their automation strips your IP and identity from your automated submissions before any human can look at the information. That's not verifiable from the outside -- all you and I know is that the file left my computer tied to my IP address and exact timestamp. What they do with the info, as soon as it leaves your computer it's basically out of your control.