Mistral AI is permitted to use your business's data, including inputs and outputs, to train its AI models unless you have turned off this feature. If anyone clicks thumbs up or thumbs down on a response, that feedback and the associated conversation can also be used for training.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes Mistral AI to act as an independent Controller for AI training purposes, which is a distinct legal role from its Processor role, and means the data use is governed by Mistral AI's own purposes rather than solely by customer instructions. Business customers must actively opt out or select an opted-out-by-default product to prevent this processing.
End users' inputs, outputs, and feedback interactions may be used to train Mistral AI's models unless the business deploying the service has opted out. The provision states that in-app feedback features specifically trigger Controller-basis processing of the associated conversation content.
How other platforms handle this
We may use the content you provide to us, including prompts and generated images, to train and improve our AI models and services.
We may leverage OpenAI models independent of user selection for processing other tasks (e.g. for summarization). We may leverage Anthropic models independent of user selection for processing other tasks (e.g. for summarization). We may leverage these models independent of user selection for processi...
Users under 18 years old interact with an age-appropriate model specifically designed to reduce the likelihood of exposure to sensitive or suggestive content. Our under-18 model has additional and more conservative classifiers than the model for our adult users so we can enforce our content policies...
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Mistral AI is authorized to process the Personal Data as Controller for the purposes of: Training its artificial intelligence models in accordance with its Privacy Policy, unless (a) Customer opted-out of training or (b) uses a Mistral AI Product that is opted-out by default and has not opted-in. Customer acknowledges that if Customer provides feedback to Mistral AI by using the in-app "thumbs up" or "thumbs down" features (the "Feedback"), Mistral will use such Feedback as well as the associated Input and Output, as Controller, to train its artificial intelligence models, conduct research or improve the Mistral AI Products.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 4(7) (controller definition), 6 (lawful basis), and 13-14 (transparency obligations). Where Mistral AI acts as Controller for training purposes, the legal basis for that processing is governed by Mistral AI's Privacy Policy rather than the customer's instructions, which may create a transparency gap if the customer's own end-user notices do not disclose this downstream Controller use. The CNIL (French data protection authority) and other EU supervisory authorities are the primary enforcement bodies. CCPA's service provider and third-party distinctions may also be implicated if Mistral AI's Controller-role processing is characterized as a sale or sharing of personal information under California law. (2) GOVERNANCE EXPOSURE: High. The dual Controller-Processor structure within a single data relationship is operationally complex and requires customers to ensure their data subject disclosures and privacy notices account for Mistral AI's independent Controller purposes. The feedback feature's explicit tie to training data use creates a specific disclosure obligation that many customers may not have anticipated in their notice-and-consent frameworks. (3) JURISDICTION FLAGS: EU/EEA customers face the highest exposure given GDPR's strict controller accountability requirements. California customers should assess whether Mistral AI's Controller-role processing constitutes sharing for cross-context behavioral advertising or another regulated purpose under CCPA. Customers in regulated sectors (healthcare, financial services) face additional exposure if personal data processed includes protected categories. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should treat this provision as a contract review trigger, confirming that the opt-out status is documented in writing and that the agreement reflects the customer's intended configuration. The provision shifts responsibility for lawful basis and transparency to the customer for any Controller-role processing Mistral AI conducts, which may require amendment of downstream customer agreements or data processing records. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit current product configurations to confirm training opt-out status, update data subject-facing privacy notices to disclose Mistral AI's Controller processing for model training and research, and document the legal basis under which end-user data may be transferred to Mistral AI for training purposes. Records of Processing Activities (RoPA) maintained under GDPR Article 30 should reflect this dual-role structure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes Mistral AI to act as an independent Controller for AI training purposes, which is a distinct legal role from its Processor role, and means the data use is governed by Mistral AI's own purposes rather than solely by customer instructions. Business customers must actively opt out or select an opted-out-by-default product to prevent this processing.
End users' inputs, outputs, and feedback interactions may be used to train Mistral AI's models unless the business deploying the service has opted out. The provision states that in-app feedback features specifically trigger Controller-basis processing of the associated conversation content.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.