What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@huggingface.co', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': 'EU/EEA users can email privacy@huggingface.co to exercise GDPR rights including: right of access (Art. 15), right to erasure (Art. 17), or right to object to legitimate interests processing (Art. 21). State your specific right, your account username, and the processing you are objecting to.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'For US users, the FTC has jurisdiction under Section 5 if legitimate interests processing extends to uses that are materially inconsistent with the purposes disclosed at the time of collection.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this GDPR Legal Basis Disclosure clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

GDPR Legal Basis Disclosure — Hugging Face

Share 𝕏 Share in Share 🔒 PDF

What it is

Hugging Face processes your personal data under three legal bases: your consent when you create an account, contract performance if you use or pay for the service, and broadly defined 'legitimate interests' for everything else including business operations and scientific research.

Consumer impact (what this means for users)

Hugging Face may use your personal data for scientific research and business operations under a 'legitimate interests' basis, which does not require your consent and could include using your data or content in AI model training or commercial analytics.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

EU/EEA users can email privacy@huggingface.co to exercise GDPR rights including: right of access (Art. 15), right to erasure (Art. 17), or right to object to legitimate interests processing (Art. 21). State your specific right, your account username, and the processing you are objecting to.

Cross-platform context

See how other platforms handle GDPR Legal Basis Disclosure and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The 'legitimate interests' basis is the most expansive and least protective of the three, and here it covers 'scientific research' and 'business operations' without clear limits — meaning your data could be used to train AI models or for commercial analysis without your specific consent.

View original clause language

Pursuant to applicable data protection laws, and especially the European Union's General Data Protection Regulation (EU) 2016/679 (the 'GDPR'), Hugging Face remains under an obligation to notify the Users about the legal basis on which their Personal Information is processed. [...] Apart from the above cases, Hugging Face will use the information collected from you to pursue legitimate interests such as legal or regulatory compliance, security control, business operations, scientific research, or any other interest reasonably held as legitimate.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 6(1)(a) (consent), Art. 6(1)(b) (contractual necessity), and Art. 6(1)(f) (legitimate interests), along with GDPR Art. 13(1)(d) requiring disclosure of legitimate interests at point of collection. The EDPB Guidelines 06/2014 on legitimate interests and EDPB Guidelines 05/2020 on consent are directly applicable. Enforcement is by relevant EU Member State DPAs, with CNIL likely having primary jurisdiction given Hugging Face's French operations. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

For US users, the FTC has jurisdiction under Section 5 if legitimate interests processing extends to uses that are materially inconsistent with the purposes disclosed at the time of collection.
File a complaint →

Provision details

Document information

Document

Hugging Face Privacy Policy

Entity

Hugging Face

Document last updated

April 29, 2026

Tracking information

First tracked

April 28, 2026

Last verified

April 28, 2026

Record ID

CA-P-003744

Document ID

CA-D-00332

Evidence Provenance

Source URL

https://huggingface.co/privacy

Wayback Machine

View archived versions →

SHA-256

497c505a01512cafb742e94806b72cf15ec677bfabc6cb905f6ed30aa2fb9b85

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Hugging Face | Document: Hugging Face Privacy Policy | Record: CA-P-003744
Captured: 2026-04-28 05:39:29 UTC | SHA-256: 497c505a01512caf…
URL: https://conductatlas.com/platform/hugging-face/hugging-face-privacy-policy/gdpr-legal-basis-disclosure/
Accessed: May 2, 2026

Classification

Severity

Medium

GDPR Legal Basis Disclosure