anthropic.com privacy policy — score 62/100 (medium risk)


Anthropic · anthropic.com

Report details

medium risk

Anthropic uses your AI conversations to train its models by default, though you can opt out, and your data is routinely transferred outside the EEA to the US under standard contractual clauses.

Anthropic's privacy policy is transparent about its data practices but raises significant concerns regarding AI training defaults and user rights. While the policy is well-structured and clearly lists legal bases for processing, it defaults to using user Inputs and Outputs for model training, with an opt-out that is overridden if content is flagged for safety. The policy also preemptively warns that user rights regarding training data are 'limited' and 'complex' to action. Data transfers to the US rely on Standard Contractual Clauses, and the company admits it may re-identify de-identified data to enforce its Usage Policy.

Length: 34,612 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimization: fair

Collects a broad range of data including all Inputs/Outputs and technical metadata, but does allow deletion of individual conversations within 30 days.

Transparency: good

The policy is detailed and clearly structured, explicitly listing legal bases for each processing purpose in a dedicated table.

Third-party Sharing: fair

Data is shared with affiliates, service providers, and business partners, but specific subprocessors are relegated to a separate list without direct links in the main policy.

International Transfers: fair

Data is transferred to the US and other non-EEA countries relying primarily on SCCs, with an EU entity (Anthropic Ireland) established for EEA users.

AI/Model Training: poor

User conversations are used for AI training by default with an opt-out, but the opt-out is overridden if content is flagged for safety or submitted as feedback.

User Rights: fair

Standard GDPR rights are listed and an EU DPO is appointed, but the policy preemptively warns that rights are limited and actioning training data requests is 'complex'.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Critical

Default Training on User Data with Bypassed Opt-Out

Section 2 states that Inputs and Outputs are used for model training unless the user opts out. However, it explicitly carves out two exceptions where the opt-out does not apply: conversations flagged for safety review, and explicitly reported materials (feedback). This means users cannot fully prevent their data from being used to train models if their conversations trigger safety flags.

Critical

Re-identification of De-identified Data

Section 6 states that if Inputs or Outputs are flagged for potentially violating the Usage Policy, the content is disassociated from the user ID for training, but 'we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.' This creates a significant loophole where data ostensibly stripped of identifiers for training can be linked back to the user.

Warning

Discouraging Language on User Rights

Section 4 warns that user rights are 'limited' and that actioning requests regarding the training dataset is 'complex'. It also states they may decline a request if they have a lawful reason. This preemptive discouragement could deter users from exercising their GDPR rights, particularly the right to erasure.

Warning

Vague Data Retention Periods

Section 6 states that personal data is retained 'for as long as reasonably necessary' for the purposes outlined. This lack of specific retention periods for different categories of data (e.g., Inputs/Outputs vs. Payment Information) conflicts with GDPR's storage limitation principle (Article 5(1)(e)).

Consumer Takeaway

Your conversations with Claude are used to train Anthropic's AI by default; you must actively opt out, and even then, flagged or reported conversations will still be used for training.

Compliance Posture

Anthropic demonstrates compliance awareness by establishing an Irish entity for EEA users, appointing a DPO, and clearly mapping legal bases. However, the broad exceptions to the training opt-out and the discouraging language around user rights may conflict with the GDPR principles of data minimization and the right to erasure.

EU Transfers

Data is transferred to the US and other non-EEA countries. Anthropic relies on Standard Contractual Clauses (SCCs) for these transfers, as the US lacks an adequacy decision. While SCCs are a valid mechanism, the policy lacks detail on supplementary measures implemented to protect data against US government surveillance, which is a requirement post-Schrems II.

Detected Signals

Specific data points and practices identified in the text

Data Collected
  • Name
  • Email address
  • Phone number
  • Payment information
  • Inputs (Prompts)
  • Outputs
  • Feedback
  • Communication contents
  • Device type
  • Operating system information
  • Browser information
  • Web page referers
  • Mobile network
  • Connection information
  • ISP
  • Time zone setting
  • IP address
  • Device identifiers
  • Device location
  • Browsing history
  • Search queries
  • Links clicked
  • Pages viewed
  • Log files
  • Error information
Processing Purposes
  • Providing and maintaining products and services
  • Enhancing platform functionality and user experience
  • Communication and promoting services
  • Account administration
  • Facilitating payments
  • Preventing and investigating fraud and abuse
  • Investigating and resolving disputes
  • Investigating and resolving security issues
  • Debugging and repairing errors
  • Improving services and conducting research (including model training)
  • Enforcing Terms of Service and Usage Policy
Third-party Sharing
  • Affiliates and corporate partners
  • Service providers and business partners
  • Governmental regulatory authorities as required by law
  • Third parties in connection with claims, disputes, or litigation
  • Third parties in corporate events (mergers, bankruptcy)
International Transfers
  • Transferred to servers in the US
  • Transferred to other countries outside the EEA and UK
  • Relies on adequacy decisions for some countries
  • Relies on Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision
  • May rely on derogations provided for under applicable data protection law
AI / Model Training
  • Inputs and Outputs are used for model training by default
  • Opt-out is available through account settings
  • Opt-out is overridden for conversations flagged for safety review
  • Opt-out is overridden for explicitly reported materials (Feedback)
  • Feedback is disassociated from user ID for training
  • Flagged content is disassociated from user ID for training trust and safety models

Evidence Snippets

Direct quotes from the policy supporting these findings

We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings.

Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review... or (2) you've explicitly reported the materials to us

However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.

please be aware that these rights are limited, and that the process by which we may need to action your requests regarding our training dataset are complex.

Missing or Unclear

  • No specific retention periods for different categories of personal data
  • No mention of a Data Protection Impact Assessment (DPIA) for AI training
  • No detail on supplementary measures for US data transfers post-Schrems II
  • No information on the specific criteria for 'flagging for safety review'
  • No explanation of how deletion requests are handled for data already incorporated into trained models

Questions to Ask

  • What specific technical and organizational measures are in place to ensure that re-identified data used for Usage Policy enforcement is not then retained in a personally identifiable form in the training dataset?
  • Under what exact criteria are conversations 'flagged for safety review', and what is the volume/proportion of user conversations that fall into this opt-out exception?
  • Can you provide the specific retention schedules for Inputs/Outputs, Technical Information, and Feedback, rather than the generic 'as long as reasonably necessary'?
  • Has a Data Protection Impact Assessment (DPIA) been conducted regarding the processing of user Inputs/Outputs for model training, and if so, can its summary be shared?
  • How do you handle deletion requests under GDPR Article 17 for personal data that has already been incorporated into a trained model, given the technical complexity acknowledged in the policy?
This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.


Built by DentroChat
