Does Hugging Face require disclosure in my privacy policy?

Yes. If your website sends user data to Hugging Face's Inference API or any cloud-hosted Hugging Face models, you must disclose this data sharing in your privacy policy. Users have a right to know when their data is processed by third parties, particularly for AI model inference which may involve data retention or model training considerations.

What data does Hugging Face collect from my website?

Hugging Face collects input data sent to its hosted models (such as text prompts or images), the generated outputs from inference requests, and usage telemetry including model download and API call logs. If you use self-hosted or on-premise models, data remains local and is not sent to Hugging Face servers.

Do I need a cookie banner for Hugging Face?

No cookie consent banner is required specifically for Hugging Face, as the platform does not set tracking cookies. However, if your website uses cookies for other purposes, those must still be disclosed and consented to under GDPR or CCPA.

Who processes data sent to Hugging Face and where?

Hugging Face Inc., a United States-based company, acts as your data processor when you use their Inference API or cloud-hosted models. Data is transferred to and processed on Hugging Face's servers in the US. Under GDPR, you may need Standard Contractual Clauses or similar safeguards in place. See their privacy policy at https://huggingface.co/privacy for complete details.

AI & Machine Learning

Privacy policy clauses for Hugging Face

Hugging Face is a machine learning platform that hosts AI models and provides inference APIs for running these models. Websites use Hugging Face to power AI features like text generation, image analysis, or chatbots without building infrastructure from scratch.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Hugging Face collects

Your privacy policy must disclose each of the following data types when you use Hugging Face.

Input data sent to hosted models

Generated outputs from inference API

Model download and usage telemetry

When does Hugging Face trigger privacy obligations?

Installation triggers data-processing obligations immediately

The moment you integrate Hugging Face—whether via Inference API, model downloads, or hosted endpoints—you begin transmitting user input data to Hugging Face Inc.'s servers in the United States. This triggers:

GDPR (if users are in EU/EEA): You become a data controller under GDPR Article 4(7). Input prompts and generated outputs qualify as personal data if they identify or relate to individuals. Article 13 and Article 14 require you to provide privacy notices *before* collection. Article 6 requires lawful basis (typically consent or legitimate interest, though consent is safer for inference queries). Article 28 requires a Data Processing Agreement (DPA) with Hugging Face.

CCPA (if users are California residents): Hugging Face qualifies as a "service provider" under CCPA Section 1798.140(ag). You must disclose data sharing in your privacy policy and cannot opt out of service-provider relationships on behalf of users.

Privacy policy clauses for Hugging Face

What data Hugging Face collects

When does Hugging Face trigger privacy obligations?

Installation triggers data-processing obligations immediately

Where data goes

Common compliance pitfalls

Pitfall 1: Assuming self-hosted models don't need a DPA

Pitfall 2: Not disclosing Inference API as a third-country transfer

Pitfall 3: Misclassifying Inference API queries as non-personal data

Legal note

Sample privacy policy clause

What regulators look for

Enforcement priorities

Frequently asked questions

Does Hugging Face require disclosure in my privacy policy?

What data does Hugging Face collect from my website?

Do I need a cookie banner for Hugging Face?

Who processes data sent to Hugging Face and where?

Don't ship without Bandit.