7 Total
2 High severity
4 Medium severity
1 Low severity
Summary

This is Hugging Face's privacy policy, describing how the AI platform collects your email address, IP address, device information, browsing activity via cookies, payment details, and any content you post — including private content which the company can access without your consent for what it deems 'legitimate interests.' The most important thing to know is that if you disable cookies, you cannot use Hugging Face at all, meaning cookie-based data collection is effectively mandatory. If you are an EU or California resident, you have the right to request information about how your personal data is shared — contact privacy@huggingface.co to exercise those rights.

Technical Summary

This document is Hugging Face, Inc.'s Privacy Policy (effective March 28, 2023), governing the collection, use, and sharing of Personal Information from all users of its AI/ML platform services, with legal basis grounded in user consent, contractual agreement, and GDPR-recognized legitimate interests. The policy imposes obligations on Hugging Face to limit data sale/rental of Personal Information and to notify users of policy changes with a 10-day advance posting period, while users implicitly consent to continued processing by continuing use after changes. A notable deviation from industry standard is the provision allowing the Company to access users' private content without consent for 'legitimate interests' including security and legal compliance, and the mandatory cookie acceptance policy which conditions all service access on cookie acceptance with no granular consent mechanism. The policy explicitly references GDPR (EU) 2016/679 as the primary regulatory framework and California's CCPA/CalOPPA (Civil Code §1798.83, A.B. 370), engaging FTC Act Section 5 jurisdiction for US users. Material compliance considerations include the inadequacy of a 10-day policy change notice period under GDPR consent requirements, the vague 'legitimate interests' basis for unconsented private data access, and the absence of explicit data retention periods, automated decision-making disclosures, or CCPA §1798.100 deletion rights procedures.

Evidence Provenance
Captured: April 19, 2026 06:30 UTC
Document ID: CA-D-000332
Version ID: CA-V-000822
SHA-256: a2bc80da6d84ce0d5c74bb643ab2c6137dd88b1e87da63c900d344eb8c444a18
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed
High Severity — 2 provisions
Medium Severity — 4 provisions
Low Severity — 1 provision

Applicable Regulations

EU AI Act (European Union)
CCPA/CPRA (California, USA)
CFAA (United States Federal)
CAN-SPAM (United States Federal)
DMCA (United States Federal)
DSA (European Union)
GDPR (European Union)
UK GDPR (United Kingdom)