AI Model Training on User Inputs

What it is

Cohere states that content you submit through its services may be used to train and improve its AI models, unless you are covered by a separate enterprise agreement with different terms.

Why it matters (compliance & governance perspective)

This provision determines whether the prompts, documents, and queries you submit to Cohere's AI services are retained and used to further develop Cohere's models, which has implications for confidentiality of submitted content and data minimization obligations.

Consumer impact (what this means for users)

Under the default terms, inputs submitted through standard service tiers may be used for AI model training, meaning content you provide to the service could influence future model outputs. Enterprise API customers may have contractual protections that limit or exclude this use.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 5, 6, and 9 regarding lawful basis and purpose limitation for processing personal data, particularly where user inputs contain personal data of third parties. The EU AI Act may also engage depending on the classification of the model and use case. Enforcement authority is the relevant EU supervisory authority for EEA-based users and the ICO for UK users. The provision may require evaluation under GDPR's purpose limitation and data minimization principles if the original collection basis does not explicitly cover model training. (2) GOVERNANCE EXPOSURE: High. The use of user-submitted content for AI model training is an area of active regulatory scrutiny in the EU and UK. Where inputs contain personal data of individuals who have not consented to training use, the lawful basis for this processing may be contested. The distinction between consumer and enterprise tiers creates differentiated risk exposure depending on the customer category. (3) JURISDICTION FLAGS: EU and EEA users face the highest exposure given GDPR's strict purpose limitation and lawful basis requirements. UK users face similar exposure under UK GDPR. California users may have rights under CCPA to opt out of certain uses of their personal information. The provision does not specify whether training use constitutes a sale or sharing under CCPA, which may require further evaluation. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers deploying Cohere's API should verify whether their commercial agreement explicitly limits or excludes training use of their submitted inputs. Procurement teams should treat the default policy terms as a baseline and negotiate explicit exclusions if confidentiality of submitted content is a business or regulatory requirement. The policy asserts differentiated treatment for enterprise customers but the specific contractual mechanism is not detailed in the privacy policy itself. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether their use case involves submission of personal data or confidential business information through the API and whether the default training terms are acceptable. Organizations subject to professional confidentiality obligations, such as legal, healthcare, or financial services firms, should evaluate whether use under default terms is consistent with those obligations and should seek enterprise agreements with explicit training exclusions if necessary.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Personal Data Collection Scope medium
• Third-Party Disclosure and Service Providers medium
• Cross-Border Data Transfers medium
• Data Subject Rights (GDPR and CCPA) medium
• Cookies and Tracking Technologies low
• Data Retention low

Related Analysis

• AI Training Data Provisions Across Major Platforms: A Provision-Level Comparison

  How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.