Replicate · Replicate Privacy Policy · View original document ↗

Training Data Collection

High severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Replicate Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

When you upload data to Replicate to train AI models, that data is collected and may contain sensitive personal information about individuals.

This analysis describes what Replicate's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Training data uploaded to build AI models could contain highly sensitive information about real people, and the policy does not specify special handling, access controls, or retention limits for this category of data.

Consumer impact (what this means for users)

Users who upload training datasets to Replicate should be aware that this data, including any sensitive personal information it may contain, is collected under this policy without specific protections or retention boundaries articulated for that data type.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email privacy@replicate.com to request deletion of training data you have uploaded to Replicate's services. Specify the data you wish to have deleted and request confirmation of deletion.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

eBay Medium

We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.

See all platforms with this clause type →

Monitoring

Replicate has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Any training data you upload to our Services to train models (collectively, "Training Data"). Note, Training Data may include any type of information, some of which could be deemed 'sensitive' under various privacy laws.

— Excerpt from Replicate's Replicate Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The collection of training data that may include sensitive personal information implicates CCPA/CPRA sensitive personal information provisions, GDPR special categories of data under Article 9, and potentially HIPAA if health-related data is included. The FTC has also signaled scrutiny of AI training data practices under Section 5 of the FTC Act. The relevant enforcement authorities include the FTC, California Privacy Protection Agency, and HHS OCR for health data. GOVERNANCE EXPOSURE: High. The policy's own language acknowledges that training data 'may include any type of information, some of which could be deemed sensitive,' yet imposes no documented controls, purpose limitations, or access restrictions specific to this data category. This creates significant exposure under GDPR Article 9 and CCPA/CPRA's sensitive data provisions if such data is processed without appropriate consent or legal basis. JURISDICTION FLAGS: EU and UK users uploading training data that includes special category data face heightened risk given the absence of GDPR Article 9 compliance language. California users should evaluate whether sensitive personal information uploaded as training data is being processed in accordance with CPRA's sensitive data use limitations. Healthcare or financial services companies uploading training data with client or patient records face sector-specific regulatory risk. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should require a Data Processing Agreement that specifically addresses training data handling, including sub-processor obligations, deletion procedures, and data breach notification timelines. The policy's broad acknowledgment of sensitive data without corresponding controls may not satisfy vendor assessment requirements under ISO 27701 or SOC 2 Type II frameworks. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether users uploading training data are adequately informed of the potential inclusion of third-party personal information and whether consent mechanisms or data minimization obligations have been satisfied before upload. A data mapping exercise should identify what training data categories are flowing to Replicate and whether any cross-border transfer mechanism is required.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has enforcement authority over unfair or deceptive data practices, including handling of sensitive personal information in AI training contexts under Section 5 of the FTC Act.
    File a complaint →

Applicable regulations

EU AI Act
European Union
CCPA/CPRA
California, USA
Colorado AI Act
US-CO
Connecticut Data Privacy Act Amendments
US-CT
EU AI Act - High Risk Provisions
EU
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Replicate Privacy Policy
Entity
Replicate
Document last updated
May 5, 2026
Tracking information
First tracked
April 30, 2026
Last verified
May 10, 2026
Record ID
CA-P-009464
Document ID
CA-D-00466
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
9cdbb8a2de7e0e2f508eebe18a715d02c3e2562ab90aa0799793e7b33229af20
Analysis generated
April 30, 2026 06:50 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Replicate
Document: Replicate Privacy Policy
Record ID: CA-P-009464
Captured: 2026-04-30 06:50:53 UTC
SHA-256: 9cdbb8a2de7e0e2f…
URL: https://conductatlas.com/platform/replicate/replicate-privacy-policy/training-data-collection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Replicate's Training Data Collection clause do?

Training data uploaded to build AI models could contain highly sensitive information about real people, and the policy does not specify special handling, access controls, or retention limits for this category of data.

How does this clause affect you?

Users who upload training datasets to Replicate should be aware that this data, including any sensitive personal information it may contain, is collected under this policy without specific protections or retention boundaries articulated for that data type.

Is ConductAtlas affiliated with Replicate?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Replicate.