See how OpenAI, Google, Anthropic, Microsoft, and 11 other AI companies write their privacy policies. Each example includes real language on training data, user prompts, and automated decisions — so you can build a compliant AI privacy policy for your own product.
Our generator creates AI-ready privacy policies covering training data, user prompts, automated decisions, and EU AI Act requirements. Free to start.
An AI privacy policy is a legal document that explains how an artificial intelligence product or service collects, processes, stores, and uses personal data — with specific attention to AI-unique data practices like model training, user prompt handling, automated decision-making, and AI-generated output ownership.
Unlike a standard privacy policy, an AI privacy policy must address questions that traditional data collection frameworks were never designed for: Is my conversation data used to train the AI? Who owns the content the AI generates? How does the AI make decisions about me? What happens to the prompts I submit? These questions are now at the center of regulations like the EU AI Act and GDPR Article 22.
As you'll see in the examples below, the best AI privacy policies go beyond standard data collection disclosures. Companies like OpenAI, Anthropic, and Microsoft are setting new standards for transparency about training data practices, model input/output handling, and the boundaries between consumer and enterprise data usage.
Users need to know if their inputs — conversations, code, images, documents — are used to train or improve AI models. The EU AI Act and GDPR require explicit disclosure of training data practices, including the right to opt out. Companies like OpenAI and Anthropic have set the standard with clear training data opt-out mechanisms.
AI products process uniquely sensitive inputs: personal conversations, proprietary code, confidential business documents, and creative works. Your privacy policy must explain how prompts are processed, whether they're stored, who can access them (including human reviewers), and how long they're retained after the interaction ends.
GDPR Article 22 grants individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If your AI makes hiring recommendations, credit assessments, content moderation decisions, or health evaluations, you must disclose the logic involved and provide a mechanism for human review.
The EU AI Act (2024) introduces mandatory transparency requirements for AI systems, including risk categorization, conformity assessments, and user-facing disclosures. Combined with GDPR's existing automated decision-making rules and the CCPA's profiling provisions, AI companies face a complex and evolving regulatory landscape that must be reflected in their privacy policies.
AI products introduce data practices that have no equivalent in traditional software. Here are the six key areas where AI privacy policies must go beyond standard disclosures.
AI models learn from data. Your policy must disclose what data sources are used for training (user inputs, public datasets, licensed content), whether user-generated data contributes to model improvement, and how users can opt out. OpenAI and Anthropic explicitly separate API data from consumer data for training purposes.
Every interaction with an AI system generates input data (prompts) and output data (responses). Your policy must explain how these are processed, whether they're logged or stored, retention periods, and whether human reviewers can access them. This is fundamentally different from traditional form submission data.
Who owns AI-generated content? Your policy should clarify intellectual property rights for AI outputs, whether outputs can be used commercially, and any licensing restrictions. Companies like Midjourney and Adobe Firefly take different approaches based on their training data provenance.
When AI makes or influences decisions about people — hiring, credit, content moderation, insurance — GDPR Article 22 and the EU AI Act require meaningful explanations of the logic involved, the significance of the decision, and the right to human review. This goes far beyond a standard 'how we use your data' section.
AI companies often retain data longer than traditional services because model training and safety evaluation require historical data. Your policy must specify separate retention periods for interaction data, training data, and safety/abuse prevention data. The distinction between 'deleted from your account' and 'removed from training data' matters.
Many products use third-party AI models (GPT-4, Claude, Gemini) under the hood. Your policy must disclose which AI providers process user data, what data is sent to them, and their data handling practices. Notion's transparency about third-party AI providers has become a trust-building best practice.
We analyzed the privacy policies of 15 industry-leading AI companies across large language models, generative AI, developer tools, enterprise platforms, and consumer AI. For each example, we highlight how they address AI-specific privacy concerns and why their approach works.
Large Language Models · AI training opt-out and conversation data transparency
"We may use Content you provide us to improve our Services, for example to train the models that power ChatGPT. We do not use Content that you provide to or receive from our API to develop or improve our Services. You can opt out of having your ChatGPT conversations used to train our models by adjusting your data controls in Settings."
Why it works:
OpenAI sets the gold standard for AI privacy policies by drawing a clear line between consumer ChatGPT data and API data. Their training opt-out mechanism is prominently placed, not buried in fine print. The 30-day deletion window for conversations and explicit API data exclusion give developers confidence to build on their platform.
Large Language Models · Layered AI data practices across product ecosystem
"When you use Gemini Apps, Google collects your conversations, related product usage information, info about your location, and your feedback. Google uses this data, consistent with our Privacy Policy, to provide, improve, and develop Google products and services and machine learning technologies, including Google's enterprise products."
Why it works:
Google's approach integrates AI-specific disclosures into their broader privacy framework while adding dedicated Gemini sections. They clearly explain how conversation data flows between Gemini and other Google services, and their human review process for AI improvement is transparently documented with specific retention timelines.
Large Language Models · Safety-first AI privacy with research transparency
"We may use inputs and outputs from free and Pro tier users of our consumer services to help train and improve our models, unless you opt out. We do not train on inputs or outputs from our commercial API or business products. We may also use data for safety purposes, including to prevent harmful, fraudulent, or illegal activity and to improve the safety of our AI systems."
Why it works:
Anthropic differentiates itself with a safety-oriented framing. Their policy explicitly addresses AI safety research data usage alongside privacy protections, acknowledging the tension between AI improvement and data minimization. The clear commercial API data exclusion mirrors industry best practice while their safety carve-out is transparently justified.
Enterprise AI · Enterprise AI data isolation and compliance
"For Microsoft 365 Copilot and Azure OpenAI Service, your prompts, responses, and data are not used to train foundation models. Your data stays within your Microsoft 365 tenant boundary and complies with your existing security, compliance, and privacy policies. Microsoft processes your data as a data processor, acting on your instructions."
Why it works:
Microsoft addresses the number-one enterprise AI concern: will my company's data train someone else's AI? Their policy explicitly guarantees tenant-level data isolation for business customers. The processor/controller distinction under GDPR is clearly articulated, giving compliance teams confidence in adopting Copilot.
Open-Source AI · Open-source model training with social media data
"We use information to develop, research, and improve our products and AI technologies. This includes using the information we have to train and improve AI technology, including AI models and features across our products. We will provide notice and an opportunity to object before using your information for these purposes where required by applicable law."
Why it works:
Meta's policy tackles the controversial question of social media data for AI training head-on. They disclose the use of public posts for Llama model training while providing opt-out mechanisms as required by GDPR. The distinction between data used for open-source model weights vs. Meta AI product features is an emerging transparency standard.
AI Image Generation · Creative AI prompt and output ownership
"We collect information that you provide when you use the Service, including text prompts you submit to generate images, the images generated in response to your prompts, and any other content you upload or create through the Service. We use this information to provide and improve our Services, including to train and enhance our AI models."
Why it works:
Midjourney addresses the unique privacy concerns of generative image AI: prompt logging, generated image storage, and the relationship between training data and outputs. Their policy clarifies that free-tier images are public by default while paid tiers offer privacy, creating a clear value proposition tied to data handling.
Open-Source Image AI · Open-source AI model training data transparency
"We collect and process information you provide directly to us, including text prompts, images you upload for modification, and parameters you set for image generation. For our hosted services, we may retain generated outputs to improve model performance. Our open-source models are trained on publicly available datasets, and we provide tools for creators to opt out of future training data."
Why it works:
Stability AI navigates the complex territory of open-source AI model privacy by distinguishing between hosted API data and downloadable model data. Their creator opt-out tool for training data addresses the contentious artist data question directly, and their dataset documentation sets a transparency standard for the open-source AI community.
AI Code Generation · Code AI training data transparency and IP protection
"For GitHub Copilot Business and Enterprise, we do not retain any code snippets, code context, or generated suggestions after providing real-time suggestions. We do not use your code or suggestions to train our models. For individual users, engagement data such as accepted or rejected suggestions may be retained to improve the service."
Why it works:
GitHub Copilot's policy directly addresses the developer community's top concern: intellectual property in code. The business/enterprise tier guarantee of zero code retention is unambiguous. Their tiered approach (individual vs. business) mirrors the OpenAI consumer/API split and has become the template for developer AI tools.
AI Writing Assistant · AI writing analysis without reading your content
"Grammarly does not sell your data or use your content to train third-party AI models. We analyze your text to provide writing suggestions, and this analysis happens in real time. For Grammarly Business customers, we process your data according to your organization's settings and do not use it to improve models for other customers."
Why it works:
Grammarly addresses a uniquely sensitive concern for writing AI: does the AI read and store everything I write? Their policy emphatically distinguishes between real-time analysis (processed and discarded) and stored data. The explicit promise not to sell data or train third-party models addresses the specific fear that personal writing could appear in AI outputs.
AI Workspace · Workspace AI data isolation and opt-in controls
"Notion AI features are powered by third-party AI providers. When you use Notion AI, your content is sent to our AI partners to generate responses. We do not use your workspace content to train AI models. Your data is processed in accordance with our Data Processing Addendum, and AI features can be enabled or disabled at the workspace level by administrators."
Why it works:
Notion tackles the enterprise AI adoption blocker by making AI features opt-in at the workspace level. Their transparency about third-party AI providers (rather than hiding behind a generic 'our AI') builds trust. The explicit guarantee that workspace content does not train models addresses the primary concern for teams storing sensitive information.
Meeting AI · Meeting AI data practices and recording consent
"Zoom does not use any of your audio, video, chat, screen sharing, attachments, or other communications-like content (such as poll results, whiteboard, and reactions) to train Zoom or third-party artificial intelligence models. AI Companion features process meeting content in real time and do not retain meeting content after the meeting ends unless the host enables meeting summaries."
Why it works:
After the 2023 controversy about AI training on meeting data, Zoom rewrote their policy with one of the clearest AI data commitments in the industry. The blanket exclusion of communication content from AI training is stated upfront, not buried. Their host-controlled AI summary feature respects the meeting organizer's authority while protecting participant privacy.
Enterprise CRM AI · Enterprise AI data governance and trust layer
"Customer Data submitted to our services is not used by Salesforce to train or improve AI models used by other customers or shared AI models. Einstein AI processes your data within your Salesforce org boundary. The Einstein Trust Layer applies data masking, toxicity detection, and audit logging to all AI interactions, ensuring your sensitive data is protected before it reaches any large language model."
Why it works:
Salesforce pioneered the concept of an 'AI Trust Layer' that sits between customer data and AI models. Their policy documents specific technical protections (data masking, grounding, audit trails) rather than making vague promises. The org-level data boundary guarantee is critical for enterprises with complex compliance requirements across multiple business units.
Creative AI · Creative AI trained only on licensed and public domain content
"Adobe Firefly is trained on licensed content, such as Adobe Stock, and public domain content where the copyright has expired. We do not train Firefly generative AI models on customers' personal content stored in Creative Cloud. When you use Firefly, your text prompts and generated outputs may be used to improve our AI services, and you can manage these preferences in your account settings."
Why it works:
Adobe differentiates Firefly by guaranteeing its training data provenance: only licensed Adobe Stock and public domain content. This directly addresses the copyright litigation concerns plaguing other image AI companies. For enterprise customers, the explicit exclusion of Creative Cloud content from training data is a critical trust signal.
AI-Powered Music · Recommendation AI transparency and listening data
"We use your personal data, including your listening history, saved content, searches, and interactions, to provide personalized features powered by our AI and machine learning systems, including AI DJ, Discover Weekly, and personalized playlists. You can influence your recommendations through your listening activity, and we provide controls to manage your personalization preferences."
Why it works:
Spotify's AI privacy approach is notable for framing AI as a feature benefit rather than a data collection risk. Their policy explains how listening data powers the AI DJ and recommendation engines in practical terms users understand. The feedback loop (your actions influence your recommendations) creates transparency about the AI system's decision-making process.
Autonomous Driving AI · Autonomous driving data collection and vehicle telemetry
"Tesla vehicles collect data from cameras, sensors, and other components to operate and improve Autopilot, Full Self-Driving, and other features. This may include short video clips and images captured by external vehicle cameras, vehicle telemetry data, and information about how you use Autopilot features. We use this data to improve the safety and performance of our autonomous driving technology."
Why it works:
Tesla's policy navigates a uniquely high-stakes AI privacy scenario: cameras and sensors collecting data from public roads. Their disclosure of external camera data collection is critical given the physical-world implications. The safety framing for data collection (improving autonomous driving) provides strong justification while the telemetry opt-out acknowledges driver agency.
$500–$2,000+ per document · 5–15 hours of research & writing · Free to get started
Get our comprehensive checklist covering EU AI Act, GDPR Article 22, CCPA profiling, and AI-specific disclosure requirements — so your AI product stays compliant.
Based on the patterns from the 15 AI companies above, here are six essential steps to writing an AI privacy policy that meets regulatory requirements and builds user trust.
Before writing anything, document every piece of data your AI system touches. This includes user inputs (prompts, uploads, voice), system-generated data (model outputs, embeddings, logs), training data sources, and data shared with third-party AI providers. Map the full lifecycle: input processing, model inference, output delivery, storage, training use, and deletion. Salesforce excels here because it documents the entire Einstein Trust Layer data flow.
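To make the inventory concrete, here is a minimal sketch of what a machine-readable data map could look like in TypeScript. Every type name, field, and the example record is an illustrative assumption, not taken from any company's policy.

```typescript
// Illustrative data-inventory types for an AI product (all names are assumptions).
type DataCategory = "user_input" | "model_output" | "telemetry" | "training_source";
type LifecycleStage = "inference" | "storage" | "training" | "deletion";

interface DataAsset {
  name: string;                            // e.g. "chat prompts"
  category: DataCategory;
  collectedFrom: string;                   // where the data originates
  sharedWith: string[];                    // third-party AI providers, if any
  retentionDays: number | "until_deleted";
  usedForTraining: boolean;
  stages: LifecycleStage[];                // every lifecycle stage the asset passes through
}

// One entry per data type the AI system touches; a real inventory has many more.
const inventory: DataAsset[] = [
  {
    name: "chat prompts",
    category: "user_input",
    collectedFrom: "web and mobile clients",
    sharedWith: ["third-party LLM provider"],
    retentionDays: 30,
    usedForTraining: true,                 // consumer tier only, with opt-out
    stages: ["inference", "storage", "training", "deletion"],
  },
];
```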
Follow the OpenAI and Anthropic model: clearly distinguish how data is handled across different product tiers. Consumer/free-tier data often contributes to model training (with opt-out), while API and enterprise data typically does not. This tiered approach satisfies both individual user expectations and enterprise compliance requirements. Document each tier's data practices separately in your policy.
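A sketch of how that tiering might be encoded, assuming three product tiers; the defaults below mirror the consumer/API split described above, not any specific provider's terms.

```typescript
// Hypothetical training-eligibility defaults per product tier.
type Tier = "consumer" | "api" | "enterprise";

const trainsByDefault: Record<Tier, boolean> = {
  consumer: true,    // training on by default; opt-out honored below
  api: false,        // API data excluded from training
  enterprise: false, // enterprise data excluded from training
};

// Data may enter training only if the tier allows it AND the user has not opted out.
function mayUseForTraining(tier: Tier, userOptedOut: boolean): boolean {
  return trainsByDefault[tier] && !userOptedOut;
}

console.log(mayUseForTraining("consumer", false)); // true
console.log(mayUseForTraining("consumer", true));  // false
console.log(mayUseForTraining("api", false));      // false
```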
Be transparent about whether user data trains your models. Specify what data is used (inputs, outputs, feedback), how it's anonymized or aggregated, how users can opt out, and what happens to data already used in training. Adobe Firefly's approach of disclosing licensed-only training data and GitHub Copilot's public code opt-out are strong models to follow.
If your AI makes or influences decisions about people, GDPR Article 22 and the EU AI Act require specific disclosures. Explain the types of automated decisions, the logic involved in meaningful (not technical) terms, the significance and consequences for users, and how to request human review. This is mandatory for high-risk AI systems under the EU AI Act.
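If your system logs each automated decision, a record along these lines (all field names hypothetical) makes the Article 22 disclosures straightforward to honor in practice:

```typescript
// Hypothetical per-decision record supporting GDPR Article 22 obligations.
interface AutomatedDecision {
  decisionType: "hiring_screen" | "credit_assessment" | "content_moderation";
  plainLanguageLogic: string;    // the logic involved, in meaningful (not technical) terms
  consequence: string;           // the significance of the decision for the user
  humanReviewAvailable: boolean; // must be true for decisions with significant effects
  reviewRequestUrl: string;      // where the user can request human review
}
```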
If your product uses third-party AI models (OpenAI, Anthropic, Google), disclose this clearly. Follow Notion's approach: name the providers, explain what data is sent to them, describe their data handling commitments, and link to their privacy policies. Users have a right to know when their data leaves your infrastructure for AI processing.
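One way to keep that disclosure accurate as vendors change is to maintain it as structured data and render the policy section from it. A minimal sketch, with hypothetical field names and a placeholder provider entry:

```typescript
// Hypothetical third-party AI provider disclosure, rendered into the policy page.
interface AIProviderDisclosure {
  provider: string;          // name the provider, per the Notion approach
  dataSent: string[];        // exactly what leaves your infrastructure
  usedForTheirTraining: boolean;
  retention: string;
  privacyPolicyUrl: string;  // link to the provider's own policy
}

const aiProviders: AIProviderDisclosure[] = [
  {
    provider: "Example LLM Provider",          // placeholder, not a real contract
    dataSent: ["user prompts", "document context"],
    usedForTheirTraining: false,
    retention: "30 days for abuse monitoring", // assumption for illustration
    privacyPolicyUrl: "https://example.com/privacy",
  },
];
```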
Provide clear, accessible controls for users to manage their AI data. At minimum: opt out of AI training data usage, delete conversation and interaction history, disable AI features entirely, and download their AI interaction data. Link these controls directly from your privacy policy, as Google does with their Activity Controls. Make opt-out as easy as opt-in.
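As a sketch of that minimum control surface, here is a hypothetical interface; the names and signatures are assumptions, not any product's actual API.

```typescript
// Hypothetical user-facing AI data controls; each should be a single call,
// so that opting out is as easy as opting in.
interface AIDataControls {
  optOutOfTraining(userId: string): Promise<void>;  // stop future training use
  deleteHistory(userId: string): Promise<void>;     // purge conversations and interactions
  disableAIFeatures(userId: string): Promise<void>; // turn AI processing off entirely
  exportData(userId: string): Promise<string>;      // download interaction data as JSON
}
```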
AI privacy requirements come from multiple overlapping regulations. Here are the key frameworks your AI privacy policy must address.
An AI privacy policy must include several additional disclosures beyond a standard privacy policy: how user inputs (prompts, conversations, uploads) are processed and stored, whether user data is used to train or fine-tune AI models, automated decision-making transparency (required under GDPR Article 22), data sharing with third-party AI model providers, AI-generated output ownership and licensing, model input/output retention periods, and opt-out mechanisms for AI training data usage. These AI-specific sections address unique risks that traditional data collection frameworks were not designed for.
Not necessarily, but your existing privacy policy must be updated to address AI-specific data practices. Many companies like Google and Microsoft add dedicated AI sections within their main privacy policy. However, if your AI product collects substantially different data types (like conversation logs, image prompts, or code snippets), a dedicated AI privacy addendum or AI-specific section can provide better clarity. The EU AI Act and GDPR both require that AI-specific processing activities be transparently disclosed.
Under GDPR, users generally have the right to object to processing for AI training purposes, especially when the legal basis is legitimate interest. The CCPA also provides opt-out rights for certain data uses. Leading AI companies like OpenAI, Anthropic, and Google already offer opt-out mechanisms. For enterprise and API customers, most providers guarantee that customer data will not be used for model training by default. Providing a clear, accessible opt-out mechanism is quickly becoming an industry standard and regulatory expectation.
The EU AI Act, which entered into force in 2024 with provisions taking effect in stages through 2027, introduces specific transparency requirements for AI systems. High-risk AI systems must disclose their intended purpose, accuracy levels, and known limitations. General-purpose AI models must provide training data documentation and copyright compliance measures. AI systems that interact with humans must disclose that the user is interacting with AI. These requirements layer on top of GDPR obligations and must be reflected in your privacy policy and AI-specific disclosures.
AI chatbot conversations are considered personal data under GDPR and CCPA when they contain identifiable information. Companies must disclose: how long conversations are retained, whether conversations are used for model training, who can access conversation data (human reviewers, third parties), and how users can delete their conversation history. OpenAI retains ChatGPT conversations for 30 days after deletion, while enterprise API data is not retained. Your privacy policy must specify these retention and usage practices clearly.
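A sketch of how those separate retention windows might be declared; only the 30-day consumer figure comes from the example above, the rest are placeholders showing the structure:

```typescript
// Illustrative retention schedule with separate windows per data class.
const retentionPolicy = {
  consumerConversations: { days: 30, runsFrom: "user deletion" },
  apiRequests:           { days: 0,  runsFrom: "response delivered" }, // not retained
  abuseMonitoringLogs:   { days: 90, runsFrom: "collection" },         // assumption
} as const;
```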
Yes. Under GDPR's transparency principle and the EU AI Act's disclosure requirements, you must inform users when their data is processed by third-party AI systems. This includes disclosing which third-party AI providers process user data, what data is sent to these providers, the data processing agreements in place, and how the third-party provider handles data retention and training. Companies like Notion transparently disclose their use of third-party AI providers, which has become a trust-building best practice.
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that significantly affect them. Your AI privacy policy must: identify any automated decisions your AI makes, explain the logic involved in meaningful terms, describe the significance and potential consequences for users, and outline how users can request human review of automated decisions. This applies to AI-powered hiring tools, credit scoring, content moderation, insurance pricing, and similar high-impact applications.
AI privacy policies should be reviewed more frequently than standard privacy policies due to the rapid pace of AI regulation and technology changes. Review quarterly at minimum, and update immediately when: you integrate new AI models or providers, you change how user data is used for AI training, new AI regulations take effect (EU AI Act provisions are phased in through 2027), you add new AI features that process user data differently, or your AI vendor changes their data practices. Under GDPR, material changes require user notification.
Generate an AI-ready privacy policy in minutes
Download a free, editable privacy policy template
15 general privacy policy examples from top companies
Real AI disclaimer examples for your product
Understanding the EU's AI regulation framework
The EU's data protection regulation explained
Join thousands of AI companies using PolicyForge to create compliant privacy policies covering training data, automated decisions, and EU AI Act requirements. No legal expertise required.
No credit card required. Takes less than 5 minutes.