anthropic.com privacy policy — score 62/100 (medium risk)

Latest analysis

The report content (summary, findings, quotations) was generated in English and is not localized.


Anthropic · anthropic.com

Report details

medium risk

Anthropic uses your AI conversations to train its models by default, though you can opt out, and your data is routinely transferred outside the EEA to the US under standard contractual clauses.

Anthropic's privacy policy is transparent about its data practices but raises significant concerns regarding AI training defaults and user rights. While the policy is well-structured and clearly lists legal bases for processing, it defaults to using user Inputs and Outputs for model training, with an opt-out that is overridden if content is flagged for safety. The policy also preemptively warns that user rights regarding training data are 'limited' and 'complex' to action. Data transfers to the US rely on Standard Contractual Clauses, and the company admits it may re-identify de-identified data to enforce its Usage Policy.

Latest analysis
Source: URL
Length: 34,612 characters

Assessment by category

Breakdown of the policy by main compliance areas. Good = solid, fair = mixed, poor = concerning.

Data Minimization: fair

Collects a broad range of data including all Inputs/Outputs and technical metadata, but does allow deletion of individual conversations within 30 days.

Transparency: good

The policy is detailed and clearly structured, explicitly listing legal bases for each processing purpose in a dedicated table.

Third-party Sharing: fair

Data is shared with affiliates, service providers, and business partners, but specific subprocessors are relegated to a separate list without direct links in the main policy.

International Transfers: fair

Data is transferred to the US and other non-EEA countries relying primarily on SCCs, with an EU entity (Anthropic Ireland) established for EEA users.

AI/Model Training: poor

User conversations are used for AI training by default with an opt-out, but the opt-out is overridden if content is flagged for safety or submitted as feedback.

User Rights: fair

Standard GDPR rights are listed and an EU DPO is appointed, but the policy preemptively warns that rights are limited and actioning training data requests is 'complex'.

Key findings

Relevant clauses, issues or good practices identified (critical first)

Critical

Default Training on User Data with Bypassed Opt-Out

Section 2 states that Inputs and Outputs are used for model training unless the user opts out. However, it explicitly carves out two exceptions where the opt-out does not apply: conversations flagged for safety review, and explicitly reported materials (feedback). This means users cannot fully prevent their data from being used to train models if their conversations trigger safety flags.

Critical

Re-identification of De-identified Data

Section 6 states that if Inputs or Outputs are flagged for potentially violating the Usage Policy, the content is disassociated from the user ID for training, but 'we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.' This creates a significant loophole where data ostensibly stripped of identifiers for training can be linked back to the user.

Warning

Discouraging Language on User Rights

Section 4 warns that user rights are 'limited' and that actioning requests regarding the training dataset is 'complex'. It also states they may decline a request if they have a lawful reason. This preemptive discouragement could deter users from exercising their GDPR rights, particularly the right to erasure.

Warning

Vague Data Retention Periods

Section 6 states that personal data is retained 'for as long as reasonably necessary' for the purposes outlined. This lack of specific retention periods for different categories of data (e.g., Inputs/Outputs vs. Payment Information) conflicts with GDPR's storage limitation principle (Article 5(1)(e)).

Summary for the user

Your conversations with Claude are used to train Anthropic's AI by default; you must actively opt out, and even then, flagged or reported conversations will still be used for training.

Compliance posture

Anthropic demonstrates compliance awareness by establishing an Irish entity for EEA users, appointing a DPO, and clearly mapping legal bases. However, the broad exceptions to the training opt-out and the discouraging language around user rights may conflict with the GDPR principles of data minimization and the right to erasure.

EU transfers

Data is transferred to the US and other non-EEA countries. Anthropic relies on Standard Contractual Clauses (SCCs) for these transfers, as the US lacks an adequacy decision. While SCCs are a valid mechanism, the policy lacks detail on supplementary measures implemented to protect data against US government surveillance, which is a requirement post-Schrems II.

Detected signals

Data and specific practices identified in the text

Data collected

  • Name
  • Email address
  • Phone number
  • Payment information
  • Inputs (Prompts)
  • Outputs
  • Feedback
  • Communication contents
  • Device type
  • Operating system information
  • Browser information
  • Web page referrers
  • Mobile network
  • Connection information
  • ISP
  • Time zone setting
  • IP address
  • Device identifiers
  • Device location
  • Browsing history
  • Search queries
  • Links clicked
  • Pages viewed
  • Log files
  • Error information

Processing purposes

  • Providing and maintaining products and services
  • Enhancing platform functionality and user experience
  • Communication and promoting services
  • Account administration
  • Facilitating payments
  • Preventing and investigating fraud and abuse
  • Investigating and resolving disputes
  • Investigating and resolving security issues
  • Debugging and repairing errors
  • Improving services and conducting research (including model training)
  • Enforcing Terms of Service and Usage Policy

Third-party sharing

  • Affiliates and corporate partners
  • Service providers and business partners
  • Governmental regulatory authorities as required by law
  • Third parties in connection with claims, disputes, or litigation
  • Third parties in corporate events (mergers, bankruptcy)

International transfers

  • Transferred to servers in the US
  • Transferred to other countries outside the EEA and UK
  • Relies on adequacy decisions for some countries
  • Relies on Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision
  • May rely on derogations provided for under applicable data protection law

AI / Model training

  • Inputs and Outputs are used for model training by default
  • Opt-out is available through account settings
  • Opt-out is overridden for conversations flagged for safety review
  • Opt-out is overridden for explicitly reported materials (Feedback)
  • Feedback is disassociated from user ID for training
  • Flagged content is disassociated from user ID for training trust and safety models

Evidence snippets

Direct quotations from the policy that support these findings

We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings.

Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review... or (2) you've explicitly reported the materials to us

However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.

please be aware that these rights are limited, and that the process by which we may need to action your requests regarding our training dataset are complex.

Missing or unclear

  • No specific retention periods for different categories of personal data
  • No mention of a Data Protection Impact Assessment (DPIA) for AI training
  • No detail on supplementary measures for US data transfers post-Schrems II
  • No information on the specific criteria for 'flagging for safety review'
  • No explanation of how deletion requests are handled for data already incorporated into trained models

Questions to ask

  • What specific technical and organizational measures are in place to ensure that re-identified data used for Usage Policy enforcement is not then retained in a personally identifiable form in the training dataset?
  • Under what exact criteria are conversations 'flagged for safety review', and what is the volume/proportion of user conversations that fall into this opt-out exception?
  • Can you provide the specific retention schedules for Inputs/Outputs, Technical Information, and Feedback, rather than the generic 'as long as reasonably necessary'?
  • Has a Data Protection Impact Assessment (DPIA) been conducted regarding the processing of user Inputs/Outputs for model training, and if so, can its summary be shared?
  • How do you handle deletion requests under GDPR Article 17 for personal data that has already been incorporated into a trained model, given the technical complexity acknowledged in the policy?

This analysis is AI-generated and does not constitute legal advice. Always consult a qualified legal professional for GDPR compliance decisions.


Created by DentroChat
