ElevenLabs updated its privacy policy on May 21, 2026, making several modifications to how it describes legal bases for data processing and contact procedures for exercising data rights. The policy now references multiple legal bases for processing (contract performance, legal compliance, legitimate interests) instead of relying primarily on consent, and reorganized contact instructions to designate a Data Protection Office with specific email and mailing address. The policy also added Brazil-specific contact information naming Paulo Eduardo Lilia as the Data Protection Officer for Brazilian residents. These changes clarify ElevenLabs' organizational structure, formalize data protection contacts, and broaden the stated legal justifications for data processing.
The updated policy clarifies that ElevenLabs may process your personal data based on multiple legal grounds: contract performance, legal compliance, legitimate interests, and other applicable legal bases, rather than relying primarily on your consent. The policy also reorganizes contact procedures for exercising data rights, designating a formal Data Protection Office accessible by email at legal@elevenlabs.io and by mail at the stated address. For Brazilian residents, the policy names Paulo Eduardo Lilia as the designated Data Protection Officer. You can exercise data rights using the online form or by emailing the Data Protection Office with your request in the subject line.
The updated policy clarifies the legal grounds under which ElevenLabs processes personal data, moving beyond consent-based justification to cite contract performance, legal compliance, and legitimate interests. This formalization helps users and regulators understand when and why ElevenLabs may process data without requiring explicit affirmative consent, which is operationally significant under GDPR, CCPA, and LGPD frameworks.
→ Review the updated policy to understand the legal bases under which ElevenLabs processes your data.
→ If you wish to exercise your data rights (access, deletion, portability, or objection), submit a request via the online form or email legal@elevenlabs.io using the designated subject line format.
→ The updated terms will apply as written; ElevenLabs will process your data under the stated legal bases without requiring consent for all processing activities.
→ If you do not submit a data rights request, the terms do not obligate ElevenLabs to provide you access to or delete your personal data outside of legal obligations.
Policy now cites contract performance, legal compliance, and legitimate interests as bases for processing, replacing reliance on consent as primary justification.
Formalized contact mechanism through named Data Protection Office at legal@elevenlabs.io and physical mailing address for submitting data rights requests.
Added designation of Paulo Eduardo Lilia as DPO for Brazilian residents, signaling localized compliance governance.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The policy revision clarifies ElevenLabs' legal bases for data processing and formalizes its data protection governance structure by establishing a named Data Protection Office. The change expands stated legal grounds for processing from consent-based framing to include contract performance, legal compliance, and legitimate interests, which aligns with standard GDPR and CCPA operational practice. The addition of Brazil-specific contact information suggests ElevenLabs operates a Brazil entity and may signal compliance with Brazilian data protection frameworks (LGPD). No immediate compliance action appears required; the changes primarily clarify existing operational and organizational structures.
GDPR (legal bases under Article 6), CCPA (processing justifications), LGPD (Brazil-specific governance and DPO designation)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002227.
Splits and clarifies GDPR/regional privacy rights into specific provisions with expanded geographic scope to include Switzerland and the United Kingdom, while reducing severity from medium to low.
Separates CCPA rights into a dedicated provision with more detailed enumeration of California resident rights, including non-discrimination rights not explicitly mentioned in the previous version.
Removal of explicit M&A and corporate transaction data transfer disclosure reduces transparency about data handling during business restructuring events.
This combined provision was split into separate GDPR and CCPA provisions in the current version, making the removal of this consolidated provision part of a restructuring rather than a true removal of rights.
This provision was renamed and refocused as 'Cross-Border Data Transfers' with materially different language that removes the explicit U.S.-centric framing and weakens consent language.
Added explicit consent requirement language and simplified the provision to focus on collection and training purposes without specifying particular use cases like text-to-speech or voice cloning.
Removed explicit language about sharing for business partners' own marketing purposes and added specific mention of advertising and analytics partners instead.
Removed explicit consent language and made the provision broader by removing specific reference to the United States as the primary destination and removing mention of server location.
Added specific tracking technologies (web beacons, pixel tags), added device information collection, specified uses for analytics and advertising, and removed user control language about browser settings and consent tools; severity increased from low to medium.
Simplified the retention policy to focus on fulfilling collection purposes and legal/accounting/reporting requirements, removing specific references to providing services, resolving disputes, and enforcing agreements.
Removed reference to parental consent in the condition for deletion and changed 'become aware' to 'learn,' weakening the notification standard.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorElevenLabs removed the phrase 'Contact Sales' from the initial paragraph of its Privacy Policy on June 26, 2026. This was …
The detected change involves removal of the phrase 'Contact Sales' from the navigation or header section of ElevenLabs' Usage Policy …
ElevenLabs removed a call-to-action button labeled 'Contact Sales' from its privacy policy document on June 26, 2026. The substantive text …
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 352+ platforms every Sunday.