Hugging Face Privacy Policy

This document is the Hugging Face, Inc. Privacy Policy (effective March 28, 2023), governing the collection, use, and sharing of Personal Information from users of the Hugging Face platform and services, with stated legal bases including user consent, contractual agreement, and legitimate interests under GDPR. The policy states the Company collects email addresses, usernames, passwords, credit card information, IP addresses, session data, device identifiers, cookie data, and user-generated content; the terms authorize sharing this information with affiliates, third-party service providers, and in connection with mergers or acquisitions, and permit access to privately held user data without consent for security or legal compliance purposes. A notable provision states the Company may access private user content without consent for legitimate interests including security and regulatory compliance, which is a broad reservation that, as asserted, may interact with GDPR requirements for lawful basis specificity and proportionality under applicable law. The policy expressly references GDPR as an applicable framework and addresses California residents under California Civil Code Section 1798.83 and the Do Not Track disclosure requirement of A.B. 370; the policy does not articulate a comprehensive CCPA or CPRA compliance framework, which may create heightened exposure for California resident data processing, and the absence of explicit data retention periods or a detailed data subject rights request mechanism represents a material gap relative to GDPR Article 13 disclosure requirements.