Do I need to disclose Cohere in my privacy policy?

Yes. Cohere processes user text inputs and generates embeddings, making it a data processor under GDPR, CCPA, and PIPEDA. You must disclose that user content is sent to Cohere's API for processing, explain the purpose, and link to Cohere's privacy policy at https://cohere.com/privacy. Failure to disclose third-party AI processing creates legal liability.

What specific data does Cohere collect when I use it?

Cohere collects user text inputs and queries submitted to its API, embeddings generated from that content, classification labels and results, and API usage metadata (timestamps, request volume, endpoints used). Importantly, Cohere does not train its models on customer API data—your inputs remain separate from its public models.

Does Cohere require a cookie consent banner?

No. Cohere does not set cookies on user browsers. However, you must still obtain consent before sending user data to Cohere's API under GDPR and similar laws. Consent should cover the fact that content will be processed by third-party AI, not just cookie placement.

Who is the data processor and where does my data go?

Cohere Inc., a Canada-based company, is your data processor. User data is transmitted to Cohere's servers in Canada. If you serve EU residents, you must execute a Data Processing Agreement (DPA) with Cohere that includes Standard Contractual Clauses (SCCs) to comply with GDPR. PIPEDA applies to Canadian data transfers.

AI & Machine Learning

Privacy policy clauses for Cohere

Cohere is an enterprise AI platform that generates text, creates embeddings, and classifies content using machine learning models. Websites integrate Cohere via API to automate content creation, semantic search, and data categorization without building custom models.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Cohere collects

Your privacy policy must disclose each of the following data types when you use Cohere.

User text inputs and queries

Embeddings of user content

Classification labels and results

API usage metadata

When does Cohere trigger privacy obligations?

Installation triggers immediate obligations

The moment you integrate Cohere's API into your product, user text inputs (queries, prompts, content to be classified or embedded) flow to Cohere's servers in Canada. This triggers three regulatory obligations simultaneously:

GDPR (if any users are EU residents): Cohere processes personal data on your behalf. GDPR Article 28 requires a Data Processing Agreement (DPA) before data transfer begins. Cohere's Canada location does not automatically guarantee adequacy; you must document the legal mechanism (Standard Contractual Clauses or equivalent) governing transatlantic/transpacific flows. This is not optional.

PIPEDA (if you or your users are in Canada):

Privacy policy clauses for Cohere

What data Cohere collects

When does Cohere trigger privacy obligations?

Installation triggers immediate obligations

Where data goes

Common compliance pitfalls

Pitfall 1: Conflating "no training on API data" with "no privacy risk"

Pitfall 2: Not disclosing Cohere by name in privacy notices

Pitfall 3: Forgetting to update your Data Processing Addendum (DPA) if you change Cohere's use case

Legal note

Sample privacy policy clause

What regulators look for

What auditors flag first

Frequently asked questions

Do I need to disclose Cohere in my privacy policy?

What specific data does Cohere collect when I use it?

Does Cohere require a cookie consent banner?

Who is the data processor and where does my data go?

Don't ship without Bandit.