Replicate · Replicate Privacy Policy

Training Data Collection Including Sensitive Information

High severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Replicate collects and stores any data you upload to train AI models, and acknowledges this data could include sensitive personal information — but doesn't specify what protections apply to it.

Consumer impact (what this means for users)

If you upload training data containing sensitive personal information (e.g., medical records, biometrics, financial data), that information is collected by Replicate with no disclosed special safeguards — exposing both you and any individuals in that dataset to privacy risk.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email privacy@replicate.com requesting deletion of any training data you have uploaded. Specify the dataset or upload in question and request written confirmation of deletion.

Cross-platform context

See how other platforms handle Training Data Collection Including Sensitive Information and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Users may unknowingly upload personal or sensitive data about third parties, and the policy provides no detail on access controls, retention limits, or consent requirements for such data — creating privacy and legal risk for both users and individuals whose data is included.

View original clause language
Any training data you upload to our Services to train models (collectively, 'Training Data'). Note, Training Data may include any type of information, some of which could be deemed 'sensitive' under various privacy laws.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision implicates CPRA Cal. Civ. Code §1798.121 (sensitive personal information rights), GDPR Art. 9 (special categories of personal data requiring explicit consent or another Art. 9(2) basis), Illinois BIPA (740 ILCS 14) if biometric identifiers are included in training sets, HIPAA 45 CFR Part 164 if health information is processed, and FTC Act Section 5 for failure to implement reasonable security for sensitive data. Enforcement authorities include the California Privacy Protection Agency, EU supervisory authorities, Illinois AG, HHS OCR, and FTC. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC Act Section 5 applies to inadequate protection of sensitive personal data collected by AI platforms, including failure to disclose material security and processing practices.
    File a complaint →
  • State AG
    California CPPA and AG enforce CPRA sensitive personal information rights; Illinois AG enforces BIPA for biometric data in training sets.
    File a complaint →

Provision details

Document information
Document
Replicate Privacy Policy
Entity
Replicate
Document last updated
April 29, 2026
Tracking information
First tracked
April 30, 2026
Last verified
April 30, 2026
Record ID
CA-P-004178
Document ID
CA-D-00466
Evidence Provenance
Source URL
https://replicate.com/privacy
Wayback Machine
View archived versions →
SHA-256
9cdbb8a2de7e0e2f508eebe18a715d02c3e2562ab90aa0799793e7b33229af20
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Replicate | Document: Replicate Privacy Policy | Record: CA-P-004178
Captured: 2026-04-30 06:50:53 UTC | SHA-256: 9cdbb8a2de7e0e2f…
URL: https://conductatlas.com/platform/replicate/replicate-privacy-policy/training-data-collection-including-sensitive-information/
Accessed: May 2, 2026
Classification
Severity
High
Categories
Unknown

Other provisions in this document