anthropic.com privacy policy — score 62/100 (medium risk)



Anthropic · anthropic.com

Report details

Medium risk

Anthropic uses your AI conversations to train its models by default, though you can opt out, and your data is routinely transferred outside the EEA to the US under standard contractual clauses.

Anthropic's privacy policy is transparent about its data practices but raises significant concerns regarding AI training defaults and user rights. While the policy is well-structured and clearly lists legal bases for processing, it defaults to using user Inputs and Outputs for model training, with an opt-out that is overridden if content is flagged for safety. The policy also preemptively warns that user rights regarding training data are 'limited' and 'complex' to action. Data transfers to the US rely on Standard Contractual Clauses, and the company admits it may re-identify de-identified data to enforce its Usage Policy.

Last analyzed
Source URL
Length: 34,612 characters

Category rating

Breakdown of the policy by key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimization: fair

Collects a broad range of data including all Inputs/Outputs and technical metadata, but does allow deletion of individual conversations within 30 days.

Transparency: good

The policy is detailed and clearly structured, explicitly listing legal bases for each processing purpose in a dedicated table.

Third-party Sharing: fair

Data is shared with affiliates, service providers, and business partners, but specific subprocessors are relegated to a separate list without direct links in the main policy.

International Transfers: fair

Data is transferred to the US and other non-EEA countries relying primarily on SCCs, with an EU entity (Anthropic Ireland) established for EEA users.

AI/Model Training: poor

User conversations are used for AI training by default with an opt-out, but the opt-out is overridden if content is flagged for safety or submitted as feedback.

User Rights: fair

Standard GDPR rights are listed and an EU DPO is appointed, but the policy preemptively warns that rights are limited and actioning training data requests is 'complex'.

Key findings

Notable clauses, issues, or positive practices (critical first)

Critical

Default Training on User Data with Bypassed Opt-Out

Section 2 states that Inputs and Outputs are used for model training unless the user opts out. However, it explicitly carves out two exceptions where the opt-out does not apply: conversations flagged for safety review, and explicitly reported materials (feedback). This means users cannot fully prevent their data from being used to train models if their conversations trigger safety flags.

Critical

Re-identification of De-identified Data

Section 6 states that if Inputs or Outputs are flagged for potentially violating the Usage Policy, the content is disassociated from the user ID for training, but 'we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.' This creates a significant loophole where data ostensibly stripped of identifiers for training can be linked back to the user.

Warning

Discouraging Language on User Rights

Section 4 warns that user rights are 'limited' and that actioning requests regarding the training dataset is 'complex'. It also states they may decline a request if they have a lawful reason. This preemptive discouragement could deter users from exercising their GDPR rights, particularly the right to erasure.

Warning

Vague Data Retention Periods

Section 6 states that personal data is retained 'for as long as reasonably necessary' for the purposes outlined. This lack of specific retention periods for different categories of data (e.g., Inputs/Outputs vs. Payment Information) conflicts with GDPR's storage limitation principle (Article 5(1)(e)).

Bottom line for users

Your conversations with Claude are used to train Anthropic's AI by default; you must actively opt out, and even then, flagged or reported conversations will still be used for training.

Compliance posture

Anthropic demonstrates compliance awareness by establishing an Irish entity for EEA users, appointing a DPO, and clearly mapping legal bases. However, the broad exceptions to the training opt-out and the discouraging language around user rights may conflict with the GDPR principles of data minimization and the right to erasure.

EU transfers

Data is transferred to the US and other non-EEA countries. Anthropic relies on Standard Contractual Clauses (SCCs) for these transfers, as the US lacks an adequacy decision. While SCCs are a valid mechanism, the policy lacks detail on supplementary measures implemented to protect data against US government surveillance, which is a requirement post-Schrems II.

Detected signals

Specific data points and practices identified in the text

Data collected

  • Name
  • Email address
  • Phone number
  • Payment information
  • Inputs (Prompts)
  • Outputs
  • Feedback
  • Communication contents
  • Device type
  • Operating system information
  • Browser information
  • Web page referrers
  • Mobile network
  • Connection information
  • ISP
  • Time zone setting
  • IP address
  • Device identifiers
  • Device location
  • Browsing history
  • Search queries
  • Links clicked
  • Pages viewed
  • Log files
  • Error information

Processing purposes

  • Providing and maintaining products and services
  • Enhancing platform functionality and user experience
  • Communication and promoting services
  • Account administration
  • Facilitating payments
  • Preventing and investigating fraud and abuse
  • Investigating and resolving disputes
  • Investigating and resolving security issues
  • Debugging and repairing errors
  • Improving services and conducting research (including model training)
  • Enforcing Terms of Service and Usage Policy

Third-party sharing

  • Affiliates and corporate partners
  • Service providers and business partners
  • Governmental regulatory authorities as required by law
  • Third parties in connection with claims, disputes, or litigation
  • Third parties in corporate events (mergers, bankruptcy)

International transfers

  • Transferred to servers in the US
  • Transferred to other countries outside the EEA and UK
  • Relies on adequacy decisions for some countries
  • Relies on Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision
  • May rely on derogations provided for under applicable data protection law

AI / model training

  • Inputs and Outputs are used for model training by default
  • Opt-out is available through account settings
  • Opt-out is overridden for conversations flagged for safety review
  • Opt-out is overridden for explicitly reported materials (Feedback)
  • Feedback is disassociated from user ID for training
  • Flagged content is disassociated from user ID for training trust and safety models

Text evidence

Direct quotes from the policy that support these findings

We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings.

Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review... or (2) you've explicitly reported the materials to us

However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.

please be aware that these rights are limited, and that the process by which we may need to action your requests regarding our training dataset are complex.

Missing or unclear

  • No specific retention periods for different categories of personal data
  • No mention of a Data Protection Impact Assessment (DPIA) for AI training
  • No detail on supplementary measures for US data transfers post-Schrems II
  • No information on the specific criteria for 'flagging for safety review'
  • No explanation of how deletion requests are handled for data already incorporated into trained models

Follow-up questions

  • What specific technical and organizational measures are in place to ensure that re-identified data used for Usage Policy enforcement is not then retained in a personally identifiable form in the training dataset?
  • Under what exact criteria are conversations 'flagged for safety review', and what is the volume/proportion of user conversations that fall into this opt-out exception?
  • Can you provide the specific retention schedules for Inputs/Outputs, Technical Information, and Feedback, rather than the generic 'as long as reasonably necessary'?
  • Has a Data Protection Impact Assessment (DPIA) been conducted regarding the processing of user Inputs/Outputs for model training, and if so, can its summary be shared?
  • How do you handle deletion requests under GDPR Article 17 for personal data that has already been incorporated into a trained model, given the technical complexity acknowledged in the policy?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.


Developed by DentroChat
