Anthropic · Anthropic Privacy Policy

Controller/Processor Scope Exclusion

High severity
Share 𝕏 Share in Share 🔒 PDF

What it is

If you use Claude through your employer or through a third-party app that runs on Claude's technology, this privacy policy does not protect you — your employer or that app's company is responsible for your data privacy, not Anthropic.

Consumer impact (what this means for users)

If you access Claude via an employer account, a third-party app, or any API-powered product, Anthropic's privacy rights and protections described in this policy — including deletion rights, opt-out of training, and data access — do not apply to your data; you must look to your employer or the third-party operator for those protections.

Cross-platform context

See how other platforms handle Controller/Processor Scope Exclusion and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Many users accessing Claude through third-party integrations or employer deployments may wrongly assume Anthropic's privacy protections apply to them, when in fact their data practices are governed by their employer or the third-party operator, who may have significantly weaker protections.

View original clause language
This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the back-end with Claude. In those cases, the commercial customer is the controller, and you can review their policies for more information about how they handle your personal data.

Institutional analysis (Compliance & legal intelligence)

1. REGULATORY FRAMEWORK: The controller/processor distinction is defined under GDPR Art. 4(7)-(8) and operationalized through Art. 28 (data processing agreements). CCPA §1798.140(ag) similarly distinguishes service providers from businesses. This exclusion means that commercial customers deploying Claude have independent data controller obligations under GDPR Art. 13/14 (transparency), Art. 28 (processor contracts), and Art. 32 (security). Failure to execute a compliant DPA with Anthropic before deploying Claude constitutes a standalone GDPR Art. 28 violation. 2.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has authority over deceptive practices where consumers may be misled about which entity is responsible for their data when using AI services through third-party deployments.
    File a complaint →

Provision details

Document information
Document
Anthropic Privacy Policy
Entity
Anthropic
Document last updated
April 29, 2026
Tracking information
First tracked
March 6, 2026
Last verified
April 28, 2026
Record ID
CA-P-003863
Document ID
CA-D-00012
Evidence Provenance
Source URL
https://www.anthropic.com/legal/privacy
Wayback Machine
View archived versions →
SHA-256
55f589f5c2a5a187a9d045dc6c7e4954a2dbf9ac00fb6e3ea782dbcf9ad69387
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Anthropic | Document: Anthropic Privacy Policy | Record: CA-P-003863
Captured: 2026-03-06 20:00:36 UTC | SHA-256: 55f589f5c2a5a187…
URL: https://conductatlas.com/platform/anthropic/anthropic-privacy-policy/controllerprocessor-scope-exclusion/
Accessed: April 29, 2026
Classification
Severity
High
Categories
Unknown

Other provisions in this document