Do I need to disclose Replicate in my privacy policy?

Yes. Because Replicate processes user data as a third-party service provider, you must disclose it in your privacy policy under data sharing or third-party processor sections. This is required under GDPR (Article 28) and CCPA regulations. Users have a right to know when their data is sent to external AI services.

What data does Replicate collect and process?

Replicate collects input data you send to its models (text, images, audio), the model's prediction outputs, and API usage metadata for billing purposes. Inputs are processed on Replicate's infrastructure to generate predictions. Prediction data is stored temporarily during processing. The specific retention depends on which model you run.

Do I need a cookie banner for Replicate?

No. Replicate does not use cookies according to available documentation. However, you should still disclose Replicate's data processing in your main privacy policy. If your website uses cookies for other purposes, those require separate consent management.

Who processes my data and where is it stored?

Replicate Inc., a United States-based company, is the data processor. User inputs and model outputs are processed on Replicate's cloud infrastructure located in the US. If you have EU users, you should ensure a legal basis exists (like Standard Contractual Clauses) for transferring data to the US, as required under GDPR.

AI & Machine Learning

Privacy policy clauses for Replicate

Replicate is a cloud platform that runs open-source AI models to generate predictions from user inputs. Websites use Replicate to power AI features like image generation, text processing, and audio analysis without maintaining their own infrastructure.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Replicate collects

Your privacy policy must disclose each of the following data types when you use Replicate.

Input data (text, images, audio) sent to models

Model prediction outputs

API usage and billing metadata

When does Replicate trigger privacy obligations?

Installation triggers immediate obligations

The moment you integrate Replicate into your product, you begin transmitting user-generated content (text, images, audio) to Replicate Inc.'s U.S. servers for model inference. This data flow—not the integration itself—activates privacy obligations.

### GDPR (if you have EU users)

You become a data controller under GDPR Article 4(7) the instant user inputs are sent to Replicate's infrastructure. Replicate is your processor (Article 28). This triggers:

–Article 13/14 transparency: You must disclose in your privacy policy that inputs are sent to a U.S. processor, identify Replicate by name, and explain the purpose (model inference).
–

Privacy policy clauses for Replicate

What data Replicate collects

When does Replicate trigger privacy obligations?

Installation triggers immediate obligations

Where data goes

Common compliance pitfalls

Pitfall 1: Forgetting to name Replicate in your privacy policy

Pitfall 2: Miscategorizing Replicate inputs as non-personal data

Pitfall 3: Neglecting cross-border transfer safeguards

Legal note

Sample privacy policy clause

What regulators look for

DPA priorities when auditing Replicate use

Frequently asked questions

Do I need to disclose Replicate in my privacy policy?

What data does Replicate collect and process?

Do I need a cookie banner for Replicate?

Who processes my data and where is it stored?

Don't ship without Bandit.