Cohere states that your data may be stored and processed in Canada and the United States, which may have different privacy protections than your home country.
This analysis describes what Cohere's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision is particularly significant for EU and UK users because transfers of personal data from the EEA and UK to the United States require a lawful transfer mechanism under GDPR and UK GDPR, and the adequacy or sufficiency of those mechanisms is subject to ongoing regulatory scrutiny.
Interpretive note: The specific transfer mechanisms relied upon by Cohere for EU-to-US transfers are not detailed in the available document text; the description reflects the standard framework applicable to companies of this profile.
The updated policy removes explicit language describing data retention timelines and deletion request procedures that were previously available. The prior policy stated that Enterprise Users' inputs and outputs were retained for 30 days, that Trial Users and Researchers were not intended to process personal information, and that deletion requests would normally be responded to within one month (up to three months for complex requests). The updated policy now contains only a general reference to 'retention practices' without specifying these timelines, response windows, or user-type distinctions. Users cannot determine from the updated policy what retention periods apply to their account category or what timeline to expect for deletion requests.
View change record →If you are based in the EU, UK, or another jurisdiction with cross-border transfer restrictions, your personal data may be transferred to Canada and the United States under the transfer mechanisms Cohere relies upon, which may include Standard Contractual Clauses or adequacy decisions depending on the destination.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Cohere has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal information may be transferred to and processed in countries other than your country of residence, including Canada and the United States, where our servers are located and our central database is operated. These countries may have data protection laws that are different from those in your country.— Excerpt from Cohere's Cohere Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (Articles 44-49) governing cross-border data transfers, and the equivalent provisions of UK GDPR. For transfers to Canada, the European Commission's adequacy decision for Canada under PIPEDA covers certain commercial transfers, though the scope of adequacy is limited. For transfers to the United States, the EU-US Data Privacy Framework may apply if Cohere is certified, or Standard Contractual Clauses may be relied upon. The relevant enforcement authorities are EU supervisory authorities for EEA users and the ICO for UK users. (2) GOVERNANCE EXPOSURE: High for EU and UK enterprise customers. The lawfulness of US transfers remains subject to challenge and the specific transfer mechanism Cohere relies upon is not detailed in the available policy text, creating a due diligence gap for organizations required to document transfer impact assessments under GDPR. (3) JURISDICTION FLAGS: EU and EEA users face the highest regulatory exposure under GDPR Chapter V. UK users face equivalent requirements under UK GDPR International Data Transfer Agreements. Canadian users are the intended recipients of an adequacy-covered transfer from the EU in many scenarios, though the reverse transfer from Canada to the US may require additional assessment. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers subject to GDPR should request Cohere's Standard Contractual Clauses or Data Privacy Framework certification status and conduct a transfer impact assessment for US-bound transfers. Procurement teams should ensure that data processing agreements include explicit transfer mechanism provisions and that those mechanisms remain current given the evolving regulatory environment. (5) COMPLIANCE CONSIDERATIONS: Data protection officers should document the transfer mechanisms Cohere relies upon in their records of processing activities and assess whether transfer impact assessments are required. Organizations with data localization requirements, including those in the financial services or public sector, should evaluate whether Cohere's cross-border transfer model is consistent with their specific obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision is particularly significant for EU and UK users because transfers of personal data from the EEA and UK to the United States require a lawful transfer mechanism under GDPR and UK GDPR, and the adequacy or sufficiency of those mechanisms is subject to ongoing regulatory scrutiny.
If you are based in the EU, UK, or another jurisdiction with cross-border transfer restrictions, your personal data may be transferred to Canada and the United States under the transfer mechanisms Cohere relies upon, which may include Standard Contractual Clauses or adequacy decisions depending on the destination.
ConductAtlas has identified this type of provision across 83 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cohere.