Do I need to disclose Mistral AI in my privacy policy?

Yes. Because Mistral AI processes user inputs and generates outputs on your behalf, it qualifies as a data processing service under GDPR Article 28. You must disclose this third-party processor, the data you share with it, and the legal basis for processing. Failing to disclose Mistral AI in your privacy policy creates a GDPR compliance gap even though Mistral AI itself is GDPR-compliant.

What data does Mistral AI collect when users interact with it?

Mistral AI collects user prompts and inputs submitted through your service, the generated text outputs it produces, and API usage metadata (timestamps, request frequency, token counts). Importantly, Mistral AI does not use API data to train or improve its models, meaning user data remains isolated for inference only.

Does using Mistral AI require a cookie consent banner?

No. Mistral AI does not use cookies. However, if your website uses cookies for other purposes (analytics, tracking, advertising), you still need a banner. The absence of Mistral AI cookies does not eliminate your obligation to disclose and obtain consent for any other tracking technologies on your site.

Who processes data when I use Mistral AI, and where does it go?

Mistral AI SAS, a company based in France (EU), acts as your data processor. Data is processed within the EU, ensuring GDPR compliance and avoiding international transfers to high-risk jurisdictions. You should execute a Data Processing Agreement (DPA) with Mistral AI if you process personal data through their API.

AI & Machine Learning

Privacy policy clauses for Mistral AI

Mistral AI is a European artificial intelligence service that generates text and code based on user prompts. Websites integrate Mistral AI to power chatbots, content generation, code assistance, and automated writing features while maintaining EU data residency and GDPR compliance.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Mistral AI collects

Your privacy policy must disclose each of the following data types when you use Mistral AI.

User prompts and inputs

Generated text outputs

API usage metadata

When does Mistral AI trigger privacy obligations?

Data flows that trigger obligations

The moment you integrate Mistral AI's API into your SaaS application or website, user prompts and generated outputs are transmitted to Mistral AI SAS servers in France. This triggers GDPR applicability immediately if any of your users are EU residents—regardless of where your company is incorporated. CCPA applies if you collect data from California residents.

Specific regulatory thresholds

GDPR (EU, EEA, UK): Applies to any personal data in user prompts. Even if a prompt appears generic (e.g., "write marketing copy"), it may contain IP addresses, account identifiers, or inferred personal data. Mistral AI is a data processor under GDPR Article 28. You (the SaaS operator) are the controller.

CCPA (California): Applies if you have California users and collect their prompts/outputs as "personal information" under CCPA Section 1798.100. Mistral AI becomes a "service provider" under CCPA Section 1798.140(ag).

Privacy policy clauses for Mistral AI

What data Mistral AI collects

When does Mistral AI trigger privacy obligations?

Data flows that trigger obligations

Specific regulatory thresholds

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Missing the DPA requirement

Pitfall 2: Vague disclosure in privacy policies

Pitfall 3: Forgetting to document retention and deletion

Legal note

Sample privacy policy clause

What regulators look for

Primary audit focus areas

Frequently asked questions

Do I need to disclose Mistral AI in my privacy policy?

What data does Mistral AI collect when users interact with it?

Does using Mistral AI require a cookie consent banner?

Who processes data when I use Mistral AI, and where does it go?

Don't ship without Bandit.