When you upload data to Replicate to train AI models, that data is collected and may contain sensitive personal information about individuals.
This analysis describes what Replicate's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Training data uploaded to build AI models could contain highly sensitive information about real people, and the policy does not specify special handling, access controls, or retention limits for this category of data.
Users who upload training datasets to Replicate should be aware that this data, including any sensitive personal information it may contain, is collected under this policy without specific protections or retention boundaries articulated for that data type.
How other platforms handle this
Anthropic obtains personal data from third party sources in order to train our models. Specifically, we train our models using data from the following sources: Publicly available information via the Internet; Datasets that we obtain through commercial agreements with third party businesses; Data tha...
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
Monitoring
Replicate has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Any training data you upload to our Services to train models (collectively, "Training Data"). Note, Training Data may include any type of information, some of which could be deemed 'sensitive' under various privacy laws.— Excerpt from Replicate's Replicate Privacy Policy
REGULATORY LANDSCAPE: The collection of training data that may include sensitive personal information implicates CCPA/CPRA sensitive personal information provisions, GDPR special categories of data under Article 9, and potentially HIPAA if health-related data is included. The FTC has also signaled scrutiny of AI training data practices under Section 5 of the FTC Act. The relevant enforcement authorities include the FTC, California Privacy Protection Agency, and HHS OCR for health data. GOVERNANCE EXPOSURE: High. The policy's own language acknowledges that training data 'may include any type of information, some of which could be deemed sensitive,' yet imposes no documented controls, purpose limitations, or access restrictions specific to this data category. This creates significant exposure under GDPR Article 9 and CCPA/CPRA's sensitive data provisions if such data is processed without appropriate consent or legal basis. JURISDICTION FLAGS: EU and UK users uploading training data that includes special category data face heightened risk given the absence of GDPR Article 9 compliance language. California users should evaluate whether sensitive personal information uploaded as training data is being processed in accordance with CPRA's sensitive data use limitations. Healthcare or financial services companies uploading training data with client or patient records face sector-specific regulatory risk. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should require a Data Processing Agreement that specifically addresses training data handling, including sub-processor obligations, deletion procedures, and data breach notification timelines. The policy's broad acknowledgment of sensitive data without corresponding controls may not satisfy vendor assessment requirements under ISO 27701 or SOC 2 Type II frameworks. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether users uploading training data are adequately informed of the potential inclusion of third-party personal information and whether consent mechanisms or data minimization obligations have been satisfied before upload. A data mapping exercise should identify what training data categories are flowing to Replicate and whether any cross-border transfer mechanism is required.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Training data uploaded to build AI models could contain highly sensitive information about real people, and the policy does not specify special handling, access controls, or retention limits for this category of data.
Users who upload training datasets to Replicate should be aware that this data, including any sensitive personal information it may contain, is collected under this policy without specific protections or retention boundaries articulated for that data type.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Replicate.