Every time you use the Hugging Face platform, it automatically records your IP address, location associated with your session, device type and operating system, browser, and cookie-based preferences without requiring any action from you.
This analysis describes what Hugging Face's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision discloses automatic collection of IP addresses and session location data, which under GDPR and other frameworks qualify as personal data; this collection occurs passively for all users regardless of account status.
The policy states that Hugging Face automatically collects your IP address, approximate session location, device identifiers, operating system, browser type, and cookie data each time you use the Services, including when browsing without being logged in.
How other platforms handle this
We create aggregated or anonymized datasets or statistics based on usage and operational data related to your use of the Mistral AI Products (such as product usage events, performance metrics, billing metrics, and Feedback) (collectively, "Usage Data"). We may use the Usage Data for our business pur...
Customer grants Snowflake the right to host, copy, transmit, display, and otherwise use Customer Data and Customer Applications as reasonably necessary to provide the Services in accordance with this Agreement.
As between the parties, Luma owns and retains all right, title, and interest, including all related intellectual property and proprietary rights, in and to the Aggregated Data and Usage Data (including any improvements, modifications, and enhancements thereto), the know-how and analytical results ge...
Monitoring
Hugging Face has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The Company automatically records information from your use of the Services such as: information about your Use of the Services, your session (date, location), your IP address, information from cookies, especially your login information, your preferences, information about your device: type, model, version, operating system, browser— Excerpt from Hugging Face's Hugging Face Privacy Policy
REGULATORY LANDSCAPE: IP addresses and device identifiers are classified as personal data under GDPR and many other privacy frameworks, triggering GDPR Article 13 disclosure obligations and lawful basis requirements. Session location data may also qualify as location data under applicable frameworks. The ePrivacy Directive engages for cookie-based collection in the EU context. GOVERNANCE EXPOSURE: Medium. The policy discloses automatic data collection but does not specify retention periods for session, IP, or device data, which is a GDPR Article 13(2)(a) disclosure requirement. The absence of retention period information limits users' ability to assess the scope of ongoing data processing. JURISDICTION FLAGS: EU/EEA users are protected by GDPR for IP and location data processing. California residents may have rights under CCPA/CPRA regarding identifiers and browsing information. Illinois users may have additional considerations depending on whether biometric data is incidentally collected. CONTRACT AND VENDOR IMPLICATIONS: Organizations integrating Hugging Face APIs or embedding Services in their own products should assess whether this automatic collection affects their own GDPR data processing obligations as joint or independent controllers. COMPLIANCE CONSIDERATIONS: Data mapping exercises for organizations using Hugging Face should account for the automatic collection of IP and device data as personal data. Consent management platforms should evaluate whether cookie consent flows are aligned with ePrivacy Directive requirements for EU users.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision discloses automatic collection of IP addresses and session location data, which under GDPR and other frameworks qualify as personal data; this collection occurs passively for all users regardless of account status.
The policy states that Hugging Face automatically collects your IP address, approximate session location, device identifiers, operating system, browser type, and cookie data each time you use the Services, including when browsing without being logged in.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Hugging Face.