What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for EEA and UK data subjects, PIPEDA for Canadian users given Cohere's Canadian incorporation, and the CCPA for California residents. The primary enforcement authorities are the relevant EU supervisory authorities under GDPR, the UK Information Commissioner's Office under UK GDPR, the Office of the Privacy Commissioner of Canada under PIPEDA, and the California Privacy Protection Agency and California Attorney General under CCPA. Th…

How does Cohere's Cohere Privacy Policy affect users?

The policy establishes that Cohere collects account registration data, usage data, API interaction data, and submitted content, with authorization to use certain inputs for model training and improvement based on service tier. Enterprise API customers operate under contractual terms that may limit training use, while standard service tiers permit broader use of submitted content. Users in specified jurisdictions may submit data access, deletion, or portability requests to privacy@cohere.com.

How often is Cohere's Cohere Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Cohere updates this document?

Yes. Monitor subscribers ($19/month) can add Cohere to their watchlist and receive same-day email alerts whenever this document or any other Cohere document changes.

CA-D-000440

Cohere Privacy Policy

Cohere

Last change detected May 2, 2026 Privacy policy

SHA-256: 870c6ae4fbd23c19db8… 2 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Cohere ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

5 Medium severity

2 Low severity

Summary

This document establishes Cohere's privacy practices for personal information collected through its website, API, and AI language model services including Command and North. The policy authorizes Cohere to use inputs and prompts submitted through certain service tiers for AI model improvement, with different terms applicable to enterprise API customers under separate agreements. Users in the EU, UK, and California may exercise data access, deletion, or export rights by contacting privacy@cohere.com.

Technical / Legal Breakdown

This document is Cohere Inc.'s Privacy Policy governing the collection, use, and disclosure of personal information through the cohere.ai website and AI-powered services including its language model platform, operating under a consent and legitimate interests framework across multiple jurisdictions. The policy states that Cohere collects account registration data, usage data, API interaction data, device and browser identifiers, and communications content, and the terms authorize use of this data for service delivery, product improvement, model training on certain inputs, security, and marketing communications. The policy authorizes disclosure of personal information to service providers, business partners, and in the context of corporate transactions such as mergers or acquisitions, and the terms assert a broad right to use inputs submitted through the platform for improving Cohere's AI models subject to stated limitations for enterprise API customers. The policy engages GDPR and UK GDPR for EEA and UK users, PIPEDA and Canadian provincial privacy law for Canadian users, and CCPA for California residents, with jurisdiction-specific rights sections addressing data subject access, deletion, portability, and objection requests. Material compliance considerations include cross-border data transfers from the EEA to Canada and the United States, the applicability of GDPR to AI training data practices, and the need for enterprise customers to evaluate whether their use of Cohere's API requires a separate data processing agreement.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

2 versions captured · Last updated: May 2026

May 2, 2026

low

What changed Cohere updated its privacy policy on May 2, 2026 to add specific retention timelines and procedures for handling personal information. The revised policy now explicitly states that inputs and outputs on the Platform are retained for 30 days for Enterprise Users, clarifies that Trial Users and Researchers should not be providing personal information, and establishes a process for requesting deletion of inadvertently included personal data by emailing privacy@cohere.com with a typical one-month response time. The policy also added guidance for requests related to training data, directing users to a separate Model Training Privacy Notice and noting that Cohere does not intentionally collect personal information for training purposes.

Why this matters The updated policy establishes a concrete 30-day retention timeline for enterprise users' inputs and outputs on the Platform, whereas the previous version referenced retention practices without specific durations. The policy now provides an explicit process for requesting deletion of inadvertently included personal information by emailing privacy@cohere.com, with Cohere stating it normally responds within one month or up to three months for complex requests. You can request deletion of personal data by contacting privacy@cohere.com with details about the information and reasons it should not appear.

View full change record →

April 29, 2026

medium

What changed Cohere removed 16 sentences from its privacy policy that previously specified data retention practices for different user types and procedures for requesting deletion of personal information inadvertently included in platform inputs. The updated policy now provides only a general reference to retention practices without specifying the 30-day retention period for Enterprise Users, the non-processing of personal information for Trial and Researcher accounts, response timelines for deletion requests, or guidance on training data deletion. This creates operational ambiguity about what retention periods currently apply to different user categories and how deletion requests are handled.

Why this matters The updated policy removes explicit language describing data retention timelines and deletion request procedures that were previously available. The prior policy stated that Enterprise Users' inputs and outputs were retained for 30 days, that Trial Users and Researchers were not intended to process personal information, and that deletion requests would normally be responded to within one month (up to three months for complex requests). The updated policy now contains only a general reference to 'retention practices' without specifying these timelines, response windows, or user-type distinctions. Users cannot determine from the updated policy what retention periods apply to their account category or what timeline to expect for deletion requests.

View full change record →

Medium — 5 provisions

AI Model Training on User Inputs Compare →

Cohere states that content you submit through its services may be used to train and improve its AI models, unless you are covered by a separate enterprise agreement with different terms.

Added May 12, 2026 Standard Seen across 284 platforms
Personal Data Collection Scope Compare →

Cohere collects information you provide when signing up, using the service, or contacting support, including your name, email, organization, payment details, and the content of your interactions with the AI.

Added May 12, 2026 Standard Seen across 284 platforms
Third-Party Disclosure and Service Providers Compare →

Cohere states that it shares your personal information with companies it works with to operate its services, and also discloses that your data could be transferred to another company if Cohere is acquired or merges with another organization.

Added May 12, 2026 Standard Seen across 252 platforms
Cross-Border Data Transfers Compare →

Cohere states that your data may be stored and processed in Canada and the United States, which may have different privacy protections than your home country.

Added April 30, 2026 Standard Seen across 284 platforms
Data Subject Rights (GDPR and CCPA) Compare →

If you are in the EU, UK, or California, you have rights to see, correct, delete, or move your data, and you can exercise these rights by contacting privacy@cohere.com.

Added May 12, 2026 Standard Seen across 284 platforms

Low — 2 provisions

Cookies and Tracking Technologies Compare →

Cohere uses cookies to track how you use its website, including which pages you visit and how long you stay, and provides a cookie consent tool to manage your preferences.

Added April 30, 2026 Standard Seen across 284 platforms
Data Retention Compare →

Cohere keeps your personal data for as long as your account is active or as long as is needed to run its services and meet legal obligations, without specifying a fixed retention period.

Added April 30, 2026 Standard Seen across 284 platforms