Mistral AI is permitted to use your business's data, including inputs and outputs, to train its AI models unless you have turned off this feature. If anyone clicks thumbs up or thumbs down on a response, that feedback and the associated conversation can also be used for training.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes Mistral AI to act as an independent Controller for AI training purposes, which is a distinct legal role from its Processor role, and means the data use is governed by Mistral AI's own purposes rather than solely by customer instructions. Business customers must actively opt out or select an opted-out-by-default product to prevent this processing.
End users' inputs, outputs, and feedback interactions may be used to train Mistral AI's models unless the business deploying the service has opted out. The provision states that in-app feedback features specifically trigger Controller-basis processing of the associated conversation content.
How other platforms handle this
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Mistral AI is authorized to process the Personal Data as Controller for the purposes of: Training its artificial intelligence models in accordance with its Privacy Policy, unless (a) Customer opted-out of training or (b) uses a Mistral AI Product that is opted-out by default and has not opted-in. Customer acknowledges that if Customer provides feedback to Mistral AI by using the in-app "thumbs up" or "thumbs down" features (the "Feedback"), Mistral will use such Feedback as well as the associated Input and Output, as Controller, to train its artificial intelligence models, conduct research or improve the Mistral AI Products.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 4(7) (controller definition), 6 (lawful basis), and 13-14 (transparency obligations). Where Mistral AI acts as Controller for training purposes, the legal basis for that processing is governed by Mistral AI's Privacy Policy rather than the customer's instructions, which may create a transparency gap if the customer's own end-user notices do not disclose this downstream Controller use. The CNIL (French data protection authority) and other EU supervisory authorities are the primary enforcement bodies. CCPA's service provider and third-party distinctions may also be implicated if Mistral AI's Controller-role processing is characterized as a sale or sharing of personal information under California law. (2) GOVERNANCE EXPOSURE: High. The dual Controller-Processor structure within a single data relationship is operationally complex and requires customers to ensure their data subject disclosures and privacy notices account for Mistral AI's independent Controller purposes. The feedback feature's explicit tie to training data use creates a specific disclosure obligation that many customers may not have anticipated in their notice-and-consent frameworks. (3) JURISDICTION FLAGS: EU/EEA customers face the highest exposure given GDPR's strict controller accountability requirements. California customers should assess whether Mistral AI's Controller-role processing constitutes sharing for cross-context behavioral advertising or another regulated purpose under CCPA. Customers in regulated sectors (healthcare, financial services) face additional exposure if personal data processed includes protected categories. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should treat this provision as a contract review trigger, confirming that the opt-out status is documented in writing and that the agreement reflects the customer's intended configuration. The provision shifts responsibility for lawful basis and transparency to the customer for any Controller-role processing Mistral AI conducts, which may require amendment of downstream customer agreements or data processing records. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit current product configurations to confirm training opt-out status, update data subject-facing privacy notices to disclose Mistral AI's Controller processing for model training and research, and document the legal basis under which end-user data may be transferred to Mistral AI for training purposes. Records of Processing Activities (RoPA) maintained under GDPR Article 30 should reflect this dual-role structure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes Mistral AI to act as an independent Controller for AI training purposes, which is a distinct legal role from its Processor role, and means the data use is governed by Mistral AI's own purposes rather than solely by customer instructions. Business customers must actively opt out or select an opted-out-by-default product to prevent this processing.
End users' inputs, outputs, and feedback interactions may be used to train Mistral AI's models unless the business deploying the service has opted out. The provision states that in-app feedback features specifically trigger Controller-basis processing of the associated conversation content.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.