Does Vercel AI SDK require disclosure in my privacy policy?

Yes. Vercel AI SDK processes user prompts and other data, which must be disclosed under GDPR, CCPA, and similar regulations. You must inform users that their inputs are processed through AI services and identify which AI provider(s) you've configured. Transparency about data flow to third-party AI providers is legally required.

What specific data does Vercel AI SDK collect?

Vercel AI SDK collects user prompts submitted to the SDK, streamed AI responses from the configured provider, tool call inputs and outputs (if tools are enabled), and model usage telemetry. The SDK itself does not store this data—it routes it to your configured AI provider and processes the response. The data retained depends on each provider's retention policies.

Does Vercel AI SDK require a cookie consent banner?

No. Vercel AI SDK does not use cookies. However, if you route data to third-party AI providers (OpenAI, Anthropic, etc.), those providers may set cookies. Review each provider's privacy policy and implement consent banners if required by your jurisdiction or their terms.

Who processes my data and where is it transferred?

Vercel AI SDK itself is self-hosted and does not process data as a third party. However, the SDK routes all prompts, responses, and telemetry to your configured AI provider—such as OpenAI, Anthropic, Google, or others. Data transfers to whichever provider you've configured. You must execute Data Processing Agreements (DPAs) with each provider and comply with their data handling terms and location policies.

AI & Machine Learning

Privacy policy clauses for Vercel AI SDK

Vercel AI SDK is a unified software development kit that enables websites to stream AI-generated responses from multiple providers (OpenAI, Anthropic, Google, etc.). Websites use it to integrate conversational AI features, tool integrations, and real-time response streaming into their applications.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Vercel AI SDK collects

Your privacy policy must disclose each of the following data types when you use Vercel AI SDK.

User prompts routed to configured AI provider

Streamed AI responses

Tool call inputs and outputs

Model usage telemetry

When does Vercel AI SDK trigger privacy obligations?

Installation triggers immediate obligations

The moment you integrate Vercel AI SDK into your application, user prompts and AI-generated responses become data in transit to third-party AI providers (OpenAI, Anthropic, Google, etc.). This triggers GDPR Article 13/14 disclosure obligations in the EU and CCPA Section 1798.100 disclosure obligations in California immediately—before any user interaction occurs.

Which regulations apply and why

GDPR (EU/EEA): Applies if you have any EU users. Vercel AI SDK routes personal data (prompts may contain PII) to external processors. You must establish a Data Processing Agreement (DPA) with your chosen AI provider under GDPR Article 28. If your provider lacks an adequate DPA, you cannot legally use Vercel AI SDK without additional safeguards (e.g., Standard Contractual Clauses). This is non-optional.

Privacy policy clauses for Vercel AI SDK

What data Vercel AI SDK collects

When does Vercel AI SDK trigger privacy obligations?

Installation triggers immediate obligations

Which regulations apply and why

Common compliance pitfalls

Pitfall 1: Missing or inadequate Data Processing Agreement

Pitfall 2: Failing to disclose the specific AI provider in privacy notices

Pitfall 3: Not updating consent categories when adding Vercel AI SDK

Legal note

Sample privacy policy clause

What regulators look for

Enforcement priorities

Frequently asked questions

Does Vercel AI SDK require disclosure in my privacy policy?

What specific data does Vercel AI SDK collect?

Does Vercel AI SDK require a cookie consent banner?

Who processes my data and where is it transferred?

Don't ship without Bandit.