What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This policy engages GDPR (European Parliament and Council Regulation 2016/679), enforced by EU Member State supervisory authorities; CCPA and CPRA, enforced by the California Privacy Protection Agency and California AG; Brazilian LGPD, enforced by the ANPD; Canadian PIPEDA and provincial equivalents; South Korean PIPA; and Washington State My Health MY Data Act for health data integrations. The opt-out carve-out permitting continued model training use of safety-flagged…

How does Anthropic's Anthropic Privacy Policy affect users?

Users of Claude.ai operate under terms authorizing Anthropic to collect and process chat messages, device data, IP addresses, and usage activity. The policy establishes an opt-out mechanism for model training use accessible through account settings, while carving out exceptions for safety-flagged conversations and explicitly submitted feedback. Users may also request data deletion, subject to the document's stated limitations.

How often is Anthropic's Anthropic Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Anthropic updates this document?

Yes. Monitor subscribers ($19/month) can add Anthropic to their watchlist and receive same-day email alerts whenever this document or any other Anthropic document changes.

CA-D-000012

Anthropic Privacy Policy

Anthropic

Last change detected June 9, 2026 Privacy policy

SHA-256: 2f972642c5e86a370de… 3 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Anthropic ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

4 Medium severity

6 Low severity

Summary

This document establishes Anthropic's data collection and use practices for Claude.ai and related consumer products. Anthropic collects chat messages (user inputs and Claude outputs), device identifiers, IP addresses, browsing activity within the service, and payment information, with authorization to use this data for AI model training unless the user elects the opt-out setting in account preferences. The policy specifies that conversations flagged for safety review or submitted as explicit feedback may be retained and used for model training independent of opt-out status.

Technical / Legal Breakdown

This Privacy Policy, effective January 12, 2026, governs Anthropic's collection, use, disclosure, and processing of personal data when Anthropic acts as a data controller across its consumer-facing Services (including Claude.ai) and Commercial Services (including Claude Team plan); it expressly excludes scenarios where Anthropic acts as a data processor on behalf of commercial customers. The policy states that Inputs (prompts), Outputs (AI responses), device identifiers, browsing activity, IP address-derived location data, and usage information are collected; the terms authorize use of Inputs and Outputs to train AI models unless users opt out, with a carve-out permitting training use even after opt-out when conversations are flagged for safety review or explicitly reported via feedback mechanisms. The opt-out carve-out for safety-flagged conversations is operationally distinct in that it permits continued model training use of user content without user consent in circumstances defined unilaterally by Anthropic, which may require evaluation under GDPR lawful basis requirements and CCPA-equivalent frameworks depending on jurisdiction. The policy engages GDPR (for EEA users), CCPA and California privacy statutes, Brazilian LGPD, Canadian PIPEDA or provincial equivalents, South Korean PIPA, and Washington State consumer health data law; regional supplemental disclosures are provided for Canada, Brazil, and the Republic of Korea, and a separate Consumer Health Data Privacy Policy applies to Washington State users who integrate third-party health applications.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

3 versions captured · Last updated: June 2026

June 9, 2026

low

What changed Anthropic updated its Privacy Policy on June 9, 2026, with an effective date of July 8, 2026. The revised policy narrows its scope to clarify that it applies when Anthropic acts as a data controller for consumer services (Claude.ai, Claude Team), but not when it processes data on behalf of enterprise customers whose own data governance controls how their data is handled. The policy also expands the definition of 'Inputs' to explicitly include content submitted through third-party integrations and connected services, and clarifies that personal data or external references in Inputs may be reproduced in Outputs.

Why this matters The updated policy clarifies that it applies when you use Anthropic's consumer services like Claude.ai or Claude Team, but does not govern your data when you access Anthropic products through your employer or an enterprise account. In that case, your employer's or enterprise customer's own data governance policies control how your data is handled. The policy also now explicitly states that personal data or external references included in your inputs to the service may be reproduced in the outputs generated in response.

View full change record →

Recent Provision Changes Jun 9, 2026

Added (4)

Training Data Collection from Third-Party Sources Including Internet Scraping Medium

New explicit disclosure of Anthropic's internet scraping and third-party data sourcing practices for model training, clarifying previously implicit data collection methods.

Age Restriction and Children's Data Low

New explicit commitment regarding children's data protection and age restrictions, formalized as a distinct policy provision.

User Rights and Exercising Deletion, Access, and Correction Low

New detailed procedures for exercising privacy rights including appeal mechanisms and non-discrimination assurances, previously not explicitly documented.

No Sale of Personal Data and Targeted Advertising Limitation Low

New explicit commitment not to sell personal data and new opt-out mechanism for targeted advertising, addressing emerging privacy law requirements.

Removed (3)

Feedback Triggers Full Conversation Storage

This provision was retained but severity was downgraded from medium to low; the practice of storing full conversations via feedback mechanism remains but is now considered lower-severity.

Third-Party Service Integrations and Data Transfer

Removal of explicit third-party service integration disclosure may reduce transparency about data flows to external services.

Law Enforcement and Government Disclosure

Removal of explicit law enforcement disclosure provision reduces transparency about circumstances under which personal data may be shared with authorities.

Modified (4)

Model Training Opt-Out with Safety-Flagging Carve-Out

Severity downgraded from high to medium, and provision name changed to reflect 'carve-out' language instead of 'override,' though the substantive policy text remains identical.

Controller vs Processor Scope Limitation

Severity downgraded from high to medium, and provision name changed from 'Exclusion' to 'Limitation,' though the substantive policy text remains identical.

Conversation Deletion with 30-Day Back-End Retention

Severity downgraded from medium to low, and the provision was narrowed to focus only on conversation deletion (removing the general deletion rights language).

Corporate Transaction Data Transfer

Severity downgraded from medium to low, and provision name changed from 'Disclosure' to 'Transfer,' though the substantive policy text remains identical.

2 provisions unchanged.

View full change record →

Medium — 4 provisions

Model Training Opt-Out with Safety-Flagging Carve-Out Compare →

Anthropic may use your chat messages to train its AI, but you can turn this off in settings. However, even after opting out, if a conversation gets flagged for safety reasons or you reported it yourself, it can still be used for training.

Added May 12, 2026 Standard Seen across 284 platforms
Controller vs Processor Scope Limitation Compare →

If your employer or a third-party app gave you access to Claude, this privacy policy may not apply to you; instead, your employer's or that app's privacy policy governs how your data is handled.

Added May 10, 2026 Standard Seen across 284 platforms
Automatic Collection of Device and Location Data Compare →

When you use Claude, Anthropic automatically receives technical details about your device, your approximate location (derived from your IP address), advertising identifiers, and how you use the service.

Added May 12, 2026 Standard Seen across 284 platforms
Training Data Collection from Third-Party Sources Including Internet Scraping Compare →

Anthropic uses publicly available internet data, commercially licensed datasets, and user conversations to train its AI models. This means information about you that exists online could potentially be part of the training data even if you have never used Anthropic's products.

Added May 12, 2026 Standard Seen across 284 platforms

Low — 6 provisions

Feedback Triggers Full Conversation Storage Compare →

When you click the thumbs up or thumbs down button on a Claude response, Anthropic stores your entire conversation, not just the message you rated.

Added April 4, 2026 Standard Seen across 284 platforms
Conversation Deletion with 30-Day Back-End Retention Compare →

When you delete a conversation in Claude, it disappears from your view right away, but Anthropic's systems retain it for up to 30 more days before it is fully deleted.

Added May 12, 2026 Standard Seen across 284 platforms
Corporate Transaction Data Transfer Compare →

If Anthropic is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner or involved parties as part of that transaction.

Added May 12, 2026 Standard Seen across 284 platforms
Age Restriction and Children's Data Compare →

Anthropic's services are for users 18 and older. If a user under 18 provides personal data, Anthropic states it will delete that information once it becomes aware of it.

Added May 12, 2026 Standard Seen across 284 platforms
User Rights and Exercising Deletion, Access, and Correction Compare →

You can request access to, deletion of, or correction of your personal data by emailing privacy@anthropic.com. Anthropic will verify your identity before processing the request and states it will not penalize you for exercising these rights.

Added May 12, 2026 Standard Seen across 284 platforms
No Sale of Personal Data and Targeted Advertising Limitation Compare →

Anthropic states it does not sell your personal data as defined under privacy laws. You can opt out of having your data used to show you targeted ads for Anthropic's own products.

Added May 12, 2026 Standard Seen across 284 platforms