Do I need to disclose Anthropic (Claude) in my privacy policy?

Yes. Because Claude processes user inputs and generates outputs, you must disclose this AI integration in your privacy policy. Users have a right to know their data is processed by an AI system. Under GDPR, you must also identify Anthropic PBC as a data processor and document a Data Processing Agreement before transferring any personal data to Claude's API.

What specific data does Anthropic (Claude) collect when users interact with it?

When users submit prompts or questions to Claude, Anthropic collects the user input text, conversation history and context, generated text outputs, and API usage metadata (such as timestamps and request frequency). By default, Anthropic does not use API data to train its models, but this should be explicitly confirmed in your Data Processing Agreement with Anthropic.

Does Anthropic (Claude) require a cookie consent banner?

No. Anthropic (Claude) does not use cookies. However, if your website uses cookies for other purposes (analytics, authentication, advertising), you still need a compliant consent banner. The Claude integration itself does not trigger additional cookie requirements, though API calls should be disclosed in your privacy policy.

Who processes data sent to Claude, and where is it transferred?

Anthropic PBC, headquartered in the United States, is the data processor. When users interact with Claude, their data is transferred to Anthropic's servers in the US. For GDPR compliance, you must establish a lawful transfer mechanism (such as Standard Contractual Clauses) and ensure Anthropic's privacy practices meet EU standards. Review Anthropic's privacy policy at https://www.anthropic.com/privacy and execute a Data Processing Agreement.

AI & Machine Learning

Privacy policy clauses for Anthropic (Claude)

Claude is an AI assistant developed by Anthropic that generates human-like text responses based on user inputs. Websites integrate Claude via API to power chatbots, content analysis, customer support automation, and other AI-driven features that enhance user experience and operational efficiency.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Anthropic (Claude) collects

Your privacy policy must disclose each of the following data types when you use Anthropic (Claude).

User prompts and inputs sent to API

Conversation history and context

Generated text outputs

API usage metadata

When does Anthropic (Claude) trigger privacy obligations?

What data flows start immediately

The moment you integrate Anthropic's Claude API into your product, user prompts and inputs flow to Anthropic's servers in the United States. This triggers obligations under GDPR (if your users include EU residents), CCPA (if you serve California residents), and sector-specific laws if you handle health data, payment information, or children's data.

Regulatory thresholds and jurisdiction

GDPR (Articles 6, 13, 14): If any user is in the EU, you must have a lawful basis for processing (typically consent under Article 6(1)(a)) and must provide transparency notices before or at collection (Article 13). Since Anthropic processes data in the US, you likely need Standard Contractual Clauses (SCCs) or another adequacy mechanism—a Data Processing Agreement (DPA) with Anthropic is mandatory.

Common compliance pitfalls

Pitfall 1: Missing or vague AI-powered features disclosure

The mistake: Updating your privacy policy to say "we use AI tools" without naming Anthropic Claude or explaining that user inputs leave your servers. Regulators (particularly EDPB and California AG) now scrutinize whether companies disclose *which* AI provider receives data and *where* processing occurs. Under GDPR Article 13(1)(c) and Article 14(1)(c), you must name the controller or processor; a generic "AI processing" statement fails this.

Why it happens with Claude: The integration is simple and transparent to end users (they type, Claude responds), so teams forget to surface the data transfer in legal docs.

Consequence: GDPR enforcement action for lack of transparency; CCPA violation notices for failure to disclose data collection; user complaints and reputational damage.

Pitfall 2: Assuming Anthropic's "no training on API data" clause eliminates DPA requirements

The mistake: Believing Anthropic's statement that Claude doesn't train on API data means you don't need a Data Processing Agreement. In reality, Anthropic still processes personal data (names, emails, context in prompts, usage metadata); the absence of model training doesn't exempt you from GDPR processor obligations or the requirement for a compliant DPA.

Why it happens: Founders read the reassuring privacy statement and assume compliance is automatic.

Consequence: Non-compliant data transfer to the US; fines under GDPR Chapter VII; Supervisory Authority intervention.

Pitfall 3: Sending sensitive data (health, payment, PII) to Claude without explicit user consent and legal basis

The mistake: Using Claude to analyze or summarize customer health records, payment disputes, or full names/emails without explicit opt-in consent and without updating your privacy policy. Claude's API is not a HIPAA Business Associate, and Anthropic does not claim HIPAA compliance. Sending health data to a non-HIPAA-compliant processor is a HIPAA violation; sending payment card data may violate PCI DSS.

Why it happens: Teams treat Claude as a generic text processor and don't categorize the data being sent.

Consequence: HIPAA penalties ($100–$50,000 per violation); PCI DSS failure; state attorneys general enforcement for data mishandling.

Privacy policy clauses for Anthropic (Claude)

What data Anthropic (Claude) collects

When does Anthropic (Claude) trigger privacy obligations?

What data flows start immediately

Regulatory thresholds and jurisdiction

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Missing or vague AI-powered features disclosure

Pitfall 2: Assuming Anthropic's "no training on API data" clause eliminates DPA requirements

Pitfall 3: Sending sensitive data (health, payment, PII) to Claude without explicit user consent and legal basis

Legal note

Sample privacy policy clause

What regulators look for

Primary audit focus areas

Frequently asked questions

Do I need to disclose Anthropic (Claude) in my privacy policy?

What specific data does Anthropic (Claude) collect when users interact with it?

Does Anthropic (Claude) require a cookie consent banner?

Who processes data sent to Claude, and where is it transferred?

Don't ship without Bandit.