What are the institutional and regulatory implications of this document?

(1) REGULATORY EXPOSURE: This document engages CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) — enforced by the California Privacy Protection Agency (CPPA) and California AG — through its disclosure of consumer rights and 'processor'/'service provider' designations. It also implicates Virginia CDPA, Colorado CPA, Connecticut CTDPA, and other enacted U.S. state privacy laws. GDPR (EU) 2016/679 and UK GDPR are implicated for any EU or UK resident users, but the policy does not specify lawful proces…

How does Replicate's Replicate Privacy Policy affect users?

Replicate collects a broad range of personal data including account information, payment details, GitHub credentials, website analytics, and any training data users upload — which may itself contain sensitive personal information about third parties. The policy confirms Replicate may share personal data with corporate affiliates, vendors, and prospective business purchasers in the event of a business transition, without requiring user consent in those scenarios. You can request access, correcti…

How often is Replicate's Replicate Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Replicate updates this document?

Yes. Watcher subscribers ($9.99/month) can add Replicate to their watchlist and receive same-day email alerts whenever this document or any other Replicate document changes.

Replicate Privacy Policy — Replicate

8 Total

1 High severity

7 Medium severity

0 Low severity

Summary

This is Replicate's privacy policy, explaining what personal data the AI platform company collects from users — including account details, payment information, GitHub credentials, and any training data you upload to build AI models. The most important thing to know is that any training data you upload — which could include sensitive personal information — is collected and stored by Replicate, with limited specificity about how it is protected or who can access it. To protect yourself, review what data you upload as training data, and contact privacy@replicate.com to request deletion or access to your personal information.

Technical Summary

This Privacy Policy governs Replicate, LLC's collection, use, disclosure, and retention of personal information across its website (replicate.com) and related AI platform services, without citing a specific statutory legal basis (e.g., GDPR Art. 6 or CCPA §1798.100) within the document itself. The most significant obligations created include Replicate's commitment to honor user rights to access, deletion, and correction of personal data upon request to privacy@replicate.com, and its self-designation as a 'processor' or 'service provider' under U.S. state privacy law frameworks when handling customer personal information. Notable and potentially unusual provisions include the explicit acknowledgment that Training Data uploaded by users 'may include any type of information, some of which could be deemed sensitive under various privacy laws,' without detailing any specific safeguards, access controls, or consent mechanisms for such sensitive data — creating meaningful compliance and reputational risk. The policy engages CCPA/CPRA (California), and potentially other U.S. state privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA), as well as GDPR and UK GDPR for any EU/UK users, and COPPA for its under-16 exclusion; however, the absence of a dedicated GDPR section, Data Protection Officer identification, legal basis specification, or cross-border transfer mechanisms represents a material gap for EU/UK regulatory compliance. The policy's change notification mechanism — placing only an effective date at the top with no proactive user notice obligation — is also below the standard expected under several state privacy laws and the GDPR.

Evidence Provenance

Captured April 29, 2026 08:16 UTC

Document ID CA-D-000466

Version ID CA-V-001039

Source URL https://replicate.com/privacy

Wayback Machine View archived versions →

SHA-256 1707766d45e2786929826c5f6bb1f454c3d2496d6c614babeab5c35585493295

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

April 29, 2026 — Initial capture

Initial snapshot — monitoring begins

1707766d…

View full version history (0 captures) →

High Severity — 1 provision

Training Data Collection Including Sensitive Information

Replicate collects and stores any data you upload to train AI models, and acknowledges this data could include sensitive personal information — but doesn't specify what protections apply to it.

Added April 30, 2026

Medium Severity — 7 provisions

Business Transition Data Sharing

If Replicate is sold or merges with another company, your personal data — including training data — can be transferred to the new owner, who may use it for similar purposes without requiring your consent.

Added April 30, 2026
No-Sale / Service Provider Designation

Replicate says it does not sell your personal data under U.S. state privacy laws, and when it handles customer data, it acts as a processor or service provider rather than the data controller.

Added April 30, 2026
Policy Change Without Proactive Notice

Replicate can change its privacy policy at any time and is only required to update the date at the top — it does not commit to notifying you directly about changes.

Added April 30, 2026
Data Retention Policy

Replicate keeps your personal data for as long as it needs to run its services, and may keep it longer for legal or business reasons — with backup copies potentially remaining even after a deletion request.

Added April 30, 2026
Children's Privacy Exclusion Without Verification

Replicate says it doesn't collect data from children under 16, but relies entirely on the honor system — it has no age verification mechanism in place.

Added April 30, 2026
Third-Party Data Enrichment

Replicate may purchase or obtain additional personal information about you from third-party data brokers or enrichment services, beyond what you directly provide.

Added April 30, 2026
Security Disclaimer and Limitation

Replicate says it uses reasonable security measures but makes no guarantee that your data is safe, and explicitly disclaims liability for security failures it couldn't anticipate.

Added April 30, 2026

Cross-platform context

See how other platforms handle Training Data Collection Including Sensitive Information and similar clauses.

Compare across platforms →