Anthropic updated its Privacy Policy on June 9, 2026, with an effective date of July 8, 2026. The revised policy narrows its scope to clarify that it applies when Anthropic acts as a data controller for consumer services (Claude.ai, Claude Team), but not when it processes data on behalf of enterprise customers whose own data governance controls how their data is handled. The policy also expands the definition of 'Inputs' to explicitly include content submitted through third-party integrations and connected services, and clarifies that personal data or external references in Inputs may be reproduced in Outputs.
The updated policy clarifies that it applies when you use Anthropic's consumer services like Claude.ai or Claude Team, but does not govern your data when you access Anthropic products through your employer or an enterprise account. In that case, your employer's or enterprise customer's own data governance policies control how your data is handled. The policy also now explicitly states that personal data or external references included in your inputs to the service may be reproduced in the outputs generated in response.
The updated policy clarifies an important boundary: Anthropic's stated data practices apply only when you use consumer services directly, not when your organization provisions access through an enterprise account. This helps users and enterprise customers understand which governance framework applies to their data.
Policy explicitly states it does not apply to data Anthropic processes on behalf of business customers; their customer agreements govern.
Inputs now explicitly include content submitted through third-party applications, services, and integrations.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The updated policy clarifies scope boundaries by distinguishing between consumer services (where Anthropic is the data controller) and enterprise/business offerings (where the customer is the controller). This does not create new obligations but rather clarifies the existing allocation of responsibility. Organizations providing Anthropic access to their employees should confirm their own data governance documentation references this allocation and that it is reflected in their privacy notices to end users. No new regulatory exposure is created by this clarification.
GDPR, CCPA, UK GDPR, regulations requiring clear allocation of data controller responsibility
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002757.
New explicit disclosure of Anthropic's internet scraping and third-party data sourcing practices for model training, clarifying previously implicit data collection methods.
New explicit commitment regarding children's data protection and age restrictions, formalized as a distinct policy provision.
New detailed procedures for exercising privacy rights including appeal mechanisms and non-discrimination assurances, previously not explicitly documented.
New explicit commitment not to sell personal data and new opt-out mechanism for targeted advertising, addressing emerging privacy law requirements.
This provision was retained but severity was downgraded from medium to low; the practice of storing full conversations via feedback mechanism remains but is now considered lower-severity.
Removal of explicit third-party service integration disclosure may reduce transparency about data flows to external services.
Removal of explicit law enforcement disclosure provision reduces transparency about circumstances under which personal data may be shared with authorities.
Severity downgraded from high to medium, and provision name changed to reflect 'carve-out' language instead of 'override,' though the substantive policy text remains identical.
Severity downgraded from high to medium, and provision name changed from 'Exclusion' to 'Limitation,' though the substantive policy text remains identical.
Severity downgraded from medium to low, and the provision was narrowed to focus only on conversation deletion (removing the general deletion rights language).
Severity downgraded from medium to low, and provision name changed from 'Disclosure' to 'Transfer,' though the substantive policy text remains identical.
2 provisions unchanged.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorAnthropic updated its Privacy Policy effective July 8, 2026 with revisions to the scope of coverage and data categories. The …
The Department of Defense designated Anthropic a supply chain risk after the company refused to remove two governance restrictions from …
Anthropic is more transparent than most AI companies about data retention. Here's exactly what happens when you delete your data, and how t…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.