Do I need to disclose Weaviate in my privacy policy?

Yes. Weaviate processes data on your behalf, making Weaviate B.V. a data processor under GDPR Article 28 and similar regulations. You must disclose its use, what data is transferred to it, and the lawful basis for processing. Failure to do so violates GDPR Article 13/14 transparency obligations and may expose you to regulatory fines.

What data does Weaviate collect and store?

Weaviate stores vector embeddings (numerical representations of text or documents), associated metadata and object properties, and search queries submitted by users. If your source documents contain personal data (names, email addresses, etc.), those details may be encoded within the vectors or stored as metadata, making Weaviate a processor of personal data under GDPR.

Does Weaviate require a cookie consent banner?

Weaviate itself does not use cookies and requires no cookie banner. However, if you embed Weaviate in a website that uses cookies for analytics or tracking, you must obtain consent for those separate tools. Disclose Weaviate's vector storage and processing separately from cookie notices.

Who is the data processor and where is data transferred?

Weaviate B.V., based in the Netherlands (EU), acts as your data processor. If you use Weaviate Cloud, data transfers occur within the EU, ensuring GDPR adequacy. If self-hosting, data stays on your infrastructure. Always specify the deployment model and include Weaviate B.V.'s privacy policy URL (https://weaviate.io/privacy) in your privacy notice.

AI & Machine Learning

Privacy policy clauses for Weaviate

Weaviate is an open-source vector database that stores and searches AI-generated vector embeddings alongside metadata. Websites use it to enable semantic search, recommendation systems, and AI-powered features by converting text and data into machine-readable vectors for fast retrieval.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Weaviate collects

Your privacy policy must disclose each of the following data types when you use Weaviate.

Vector embeddings and associated objects

Metadata and properties stored with vectors

Search queries

When does Weaviate trigger privacy obligations?

Installation & Data Flow

The moment you deploy Weaviate—whether self-hosted or via Weaviate Cloud—you begin ingesting and storing vector embeddings. These embeddings are mathematical representations of text, images, or other content. The critical compliance trigger: if your source documents contain personal data (names, emails, user IDs, behavioral patterns), those embeddings encode that personal data, even though it is compressed and non-human-readable. This activates GDPR Articles 4(1) (definition of personal data) and 5(1)(a) (lawful processing basis) immediately.

Jurisdiction & Regulation

GDPR applies if: You process data of EU residents, regardless of where Weaviate runs. Weaviate B.V. is EU-based (Netherlands), so if you use Weaviate Cloud, Weaviate is your processor under GDPR Article 28, requiring a Data Processing Addendum (DPA).

CCPA applies if:

Privacy policy clauses for Weaviate

What data Weaviate collects

When does Weaviate trigger privacy obligations?

Installation & Data Flow

Jurisdiction & Regulation

First Concrete Step

Where data goes

Common compliance pitfalls

Pitfall 1: Treating Embeddings as "Anonymized"

Pitfall 2: Omitting Weaviate from Privacy Notices & Missing DPA Requirements

Pitfall 3: Ignoring Retention & Deletion Obligations

Legal note

Sample privacy policy clause

What regulators look for

Primary Audit Focus

CCPA Enforcer Priorities

Frequently asked questions

Do I need to disclose Weaviate in my privacy policy?

What data does Weaviate collect and store?

Does Weaviate require a cookie consent banner?

Who is the data processor and where is data transferred?

Don't ship without Bandit.