# AI Stack GRC Compliance Report — 2 platforms

- Generated: 2026-06-14T10:17:38.513Z
- Source: AIRIN verified findings (gate-verified, verbatim-cited, SHA-256-anchored)

> Automated assessment against a published rubric — not legal advice.

## Stack summary

| Platform | Headline risk | Verified findings | Dealbreakers |
|---|---|---|---|
| Claude (Anthropic) | HIGH | 202 | none detected |
| Microsoft Copilot | HIGH | 96 | none detected |

---

# GRC Risk Assessment — Claude (Anthropic)

- Platform: **Claude (Anthropic)** (anthropic-claude)
- Headline risk rating: **HIGH**
- Website: https://claude.ai
- Generated: 2026-06-14T10:17:38.513Z
- Findings (verified, published): **202**

> Every assertion is anchored to a verbatim quote with a SHA-256 snapshot hash and a Wayback archive URL for independent verification. Informational only; not legal advice.

## Control crosswalk (NIST AI RMF 1.0 + ISO/IEC 42001)

| Surface | Risk | Confidence | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|---|
| training use | high | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | medium | medium | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | medium | low | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | medium | medium | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | medium | medium | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| prompt ownership | unknown | high | MAP-2.3 (input data rights) | ISO 42001 A.7.2 (data acquisition) |
| prompt ownership | unknown | high | MAP-2.3 (input data rights) | ISO 42001 A.7.2 (data acquisition) |
| output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| commercial use | high | low | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) |
| commercial use | medium | high | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) |
| commercial use | ambiguous | low | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) |
| privacy data use | medium | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | medium | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | medium | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | medium | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | medium | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | medium | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | low | low | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | low | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | low | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| data retention | medium | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | medium | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | medium | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | ambiguous | medium | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| subprocessors data sharing | medium | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | medium | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | medium | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | medium | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | medium | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | low | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | low | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| audit rights dpa residency | medium | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | low | medium | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | ambiguous | low | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| indemnity liability | high | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| governing law disputes | medium | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| moderation enforcement | high | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | high | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | high | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | medium | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | medium | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | medium | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | medium | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | medium | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | low | low | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | low | low | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| tier differences | medium | medium | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |

## Evidence (verbatim, with provenance)

### training use — risk high

> We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings. Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review to improve our ability to detect harmful content, enforce our policies, or advance AI safety research, or (2) you've explicitly reported the materials to us (for example via our feedback mechanisms).

- Interpretation (disclaimed): The clause grants Anthropic a broad default right to use inputs and outputs for model training, with an opt-out mechanism that is materially limited by two exceptions. The safety-review carve-out in particular is broad and discretionary, meaning a user's opt-out election may be overridden by Anthropic's internal content moderation decisions.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=We%20may%20use%20your,via%20our%20feedback%20mechanisms).

### training use — risk medium

> To improve the Services and conduct research (including model training). See our Non-User Privacy Policy for more details on the data used to train our models.
>
> Feedback
>
> Inputs and Outputs
>
> Data provided through the Development Partner Program
>
> Consent (when users submit Feedback)
>
> Legitimate interests
>
> It is in our legitimate interests and in the interest of Anthropic users to evaluate the use of the Services and adoption of new features to inform the development of future features and improve direction and development of the Services.

- Interpretation (disclaimed): Using legitimate interests as a legal basis for model training is contested under EU/UK GDPR. Users have an objection right, but the policy does not proactively highlight this for the training purpose. The dual legal basis (consent + LI) creates ambiguity about when each applies.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=To%20improve%20the%20Services,development%20of%20the%20Services.

### training use — risk medium

> Utilization of inputs and outputs to train an AI model (e.g., “model scraping” or “model distillation”) without prior authorization from Anthropic

- Interpretation (disclaimed): The restriction is framed as a prohibited user behavior under the AUP, not as a bilateral obligation. The document is silent on Anthropic's own training-use rights over user-submitted content, which is a significant gap for risk assessment. Users who wish to fine-tune competing models using Claude outputs are expressly prohibited without authorization.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Utilization%20of%20inputs%20and,prior%20authorization%20from%20Anthropic

### training use — risk medium

> Data that our users or crowd workers provide, including Inputs and Outputs from our Services (unless users opt out)

- Interpretation (disclaimed): This clause establishes that user-submitted inputs and outputs are a listed data source for model training by default, placing the onus on users to affirmatively opt out rather than opting in.
- Tier: All
- Location: Privacy Policy › “Publicly available information via the Internet”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Data%20that%20our%20users,(unless%20users%20opt%20out)

### training use — risk medium

> We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct research, study user behavior, and train our AI models as permitted under applicable laws. For instance:
>
> - When you submit Feedback, we disassociate Inputs and Outputs from your user ID to use them for training and improving our models.
> - If our systems flag Inputs or Outputs for potentially violating our Usage Policy, we disassociate the content from your user ID to train our trust and safety internal classification and generative models. However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.

- Interpretation (disclaimed): Under GDPR and similar laws, truly anonymous data falls outside data protection scope, but the explicit re-identification capability suggests the data may not qualify as fully anonymous, raising Art. 4(1) personal data concerns. The training use is based on legitimate interests, which users may object to.
- Tier: All
- Location: Privacy Policy › “Aggregated or De-Identified Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=We%20may%20process%20personal,responsible%20user%20if%20necessary.

### training use — risk unknown

> When you access our website or Services, your personal data may be transferred to our servers in the US, or to other countries outside the European Economic Area (“EEA”) and the UK. This may be a direct provision of your personal data to us, or a transfer that we or a third party make.
>
> Where information is transferred outside the EEA or the UK, we ensure it benefits from an adequate level of data protection by relying on:
>
> - Adequacy decisions. These are decisions from the European Commission under Article 45 GDPR (or equivalent decisions under other laws) where they recognise that a country outside of the EEA offers an adequate level of data protection. We transfer your information as described in “Collection of Personal Data” to some countries with adequacy decisions, such as the countries listed here; or
> - Standard contractual clauses. The European Commission has approved contractual clauses under Article 46 GDPR that allows companies in the EEA to transfer data outside the EEA. These (and their approved equivalent for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information as described in “Collection of Personal Data” to certain affiliates and third parties in countries without an adequacy decision.
>
> In certain situations, we rely on derogations provided for under applicable data protection law to transfer information to a third country.

- Interpretation (disclaimed): This segment permits Anthropic to process personal data in aggregated or de-identified form for research, analytics, and AI model training, and describes specific de-identification procedures for feedback and safety-flagged content, while noting the possibility of re-identification, establishing a qualified permission for de-identified training data use.
- Tier: All
- Location: § 5 (Data Transfers)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20When%20you%20access,to%20a%20third%20country.

### training use — risk unknown

> When you use our Services, you acknowledge and agree:
>
> - Outputs may not always be accurate and may contain material inaccuracies even if they appear accurate because of their level of detail or specificity.
> - Actions may not be error free or operate as you intended.
> - You should not rely on any Outputs or Actions without independently confirming their accuracy.
> - The Services and any Outputs may not reflect correct, current, or complete information.
> - Outputs may contain content that is inconsistent with Anthropic’s views.
>
> Our use of Materials. We may use Materials to provide, maintain, and improve the Services and to develop other products and services, including training our models, unless you opt out of training through your account settings. Even if you opt out, we will use Materials for model training when: (1) you provide Feedback to us regarding any Materials, or (2) your Materials are flagged for safety review to improve our ability to detect harmful content, enforce our policies, or advance our safety research.

- Interpretation (disclaimed): This segment disclaims accuracy of Outputs and Actions, warns users not to rely on them without independent verification, and grants Anthropic permission to use Materials to provide, maintain, and improve Services, which encompasses potential training use of user-submitted content.
- Tier: All
- Location: § 4
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=When%20you%20use%20our,advance%20our%20safety%20research.

### training use — risk unknown

> Datasets that we obtain through commercial agreements with third party businesses
>
> Data that our users or crowd workers provide, including Inputs and Outputs from our Services (unless users opt out)

- Interpretation (disclaimed): Discloses that user inputs and outputs are used for model training unless users opt out, and that commercially licensed third-party datasets are also used, establishing both the training use permission and the opt-out right as a restriction on default use.
- Tier: All
- Location: Privacy Policy › “Publicly available information via the Internet”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Datasets%20that%20we,(unless%20users%20opt%20out)

### training use — risk unknown

> Datasets that we obtain through commercial agreements with third party businesses
>
> Data that our users or crowd workers provide, including Inputs and Outputs from our Services (unless users opt out)

- Interpretation (disclaimed): This segment discloses that training data includes commercially licensed third-party datasets and user/crowd worker Inputs and Outputs, with a conditional exception allowing users to opt out, creating a default obligation to use user data for training unless opt-out is exercised.
- Tier: All
- Location: Privacy Policy › “Publicly available information via the Internet”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Datasets%20that%20we,(unless%20users%20opt%20out)

### training use — risk unknown

> It is in our legitimate interests and in the interest of Anthropic users to evaluate the use of the Services and adoption of new features to inform the development of future features and improve direction and development of the Services. Our research also benefits the AI industry and society: it investigates the safety, inner workings, and societal impact of AI models so that artificial intelligence has a positive impact on society as it becomes increasingly advanced and capable.
>
> To improve the Services and conduct research (including model training). See our Non-User Privacy Policy for more details on the data used to train our models. Feedback

- Interpretation (disclaimed): Explains Anthropic's legitimate interest justification for processing data to improve services and conduct research that includes model training, referencing the Non-User Privacy Policy and articulating the public-benefit rationale for AI safety research, thereby granting permission to use data for model training purposes.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,train%20our%20models.%20Feedback

### training use — risk unknown

> For more information about how we collect and use personal data to develop our language models that power our Services, the steps we take to minimize the privacy impact on individuals through the training process, and your choices with respect to that information, please see our separate Non-User Privacy Policy.

- Interpretation (disclaimed): Incorporates by reference the separate Non-User Privacy Policy for detailed information on how personal data is used to develop language models, steps taken to minimize privacy impact, and user choices regarding training data, making that document operative for training-related rights and obligations.
- Tier: All
- Location: Privacy Policy › “Data that we generate internally”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20For%20more%20information,Non-User%20Privacy%20Policy%20.

### training use — risk unknown

> Anthropic obtains personal data from third party sources in order to train our models. Specifically, we train our models using data from the following sources:

- Interpretation (disclaimed): States that Anthropic obtains personal data from third-party sources specifically for the purpose of training AI models, establishing the legal basis and scope of this data acquisition obligation.
- Tier: All
- Location: Privacy Policy › “Personal data we collect or receive to train our models”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20obtains%20personal,from%20the%20following%20sources%3A

### training use — risk unknown

> For more information about how we collect and use personal data to develop our language models that power our Services, the steps we take to minimize the privacy impact on individuals through the training process, and your choices with respect to that information, please see our separate Non-User Privacy Policy.

- Interpretation (disclaimed): This segment incorporates by reference the Non-User Privacy Policy for further detail on personal data used in language model development, the steps taken to minimize privacy impact, and user choices, making that separate document legally operative for training-related rights and obligations.
- Tier: All
- Location: Privacy Policy › “Data that we generate internally”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20For%20more%20information,Non-User%20Privacy%20Policy%20.

### training use — risk unknown

> Anthropic obtains personal data from third party sources in order to train our models. Specifically, we train our models using data from the following sources:

- Interpretation (disclaimed): This segment discloses that Anthropic obtains personal data from third-party sources for model training and introduces the enumeration of those sources, creating a transparency obligation regarding training data provenance.
- Tier: All
- Location: Privacy Policy › “Personal data we collect or receive to train our models”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20obtains%20personal,from%20the%20following%20sources%3A

### training use — risk unknown

> It is in our legitimate interests and in the interest of Anthropic users to evaluate the use of the Services and adoption of new features to inform the development of future features and improve direction and development of the Services. Our research also benefits the AI industry and society: it investigates the safety, inner workings, and societal impact of AI models so that artificial intelligence has a positive impact on society as it becomes increasingly advanced and capable.
>
> To improve the Services and conduct research (including model training). See our Non-User Privacy Policy for more details on the data used to train our models. Feedback

- Interpretation (disclaimed): Articulates the legitimate interest rationale for service improvement and research excluding model training, then transitions to a separate processing purpose that explicitly includes model training, referencing the Non-User Privacy Policy for further detail, thereby granting permission for AI model training using Inputs and Outputs.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,train%20our%20models.%20Feedback

### training use — risk unknown

> We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct research, study user behavior, and train our AI models as permitted under applicable laws. For instance:
>
> When you submit Feedback, we disassociate Inputs and Outputs from your user ID to use them for training and improving our models.
>
> If our systems flag Inputs or Outputs for potentially violating our Usage Policy, we disassociate the content from your user ID to train our trust and safety internal classification and generative models. However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.
>
> To improve user experience, we may analyze and aggregate general user behavior and usage data. This information does not identify individual users.

- Interpretation (disclaimed): Permits processing of personal data in aggregated or de-identified form for analytics, research, and AI model training, and describes the procedure of disassociating inputs/outputs from user IDs for training and safety purposes, while noting the possibility of re-identification under specific circumstances.
- Tier: All
- Location: Privacy Policy › “Aggregated or De-Identified Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20may%20process,not%20identify%20individual%20users.

### prompt ownership — risk unknown

> Generally. You may be allowed to interact with our Services in a variety of formats (we call these “Inputs”). Our Services may generate responses (we call these “Outputs”), or enable the Services to take actions on your behalf, such as software manipulation, data processing, and system interactions (we call these "Actions"), based on your Inputs. Inputs and Outputs collectively are “Materials.”
>
> Rights and Responsibilities. You are responsible for all Inputs you submit to our Services and all Actions. By submitting Inputs to our Services, you represent and warrant that you have all rights, licenses, and permissions that are necessary for us to process the Inputs under our Terms and to provide the Services to you, including for example, to integrate with third-party services, to share Materials with others at your direction, and to take Actions. You also represent and warrant that your submitting Inputs to us or directing Claude to take Actions will not violate our Terms, our Acceptable Use Policy, or any laws or regulations applicable to those Inputs or Actions. As between you and Anthropic, and to the extent permitted by applicable law, you retain any right, title, and interest that you have in the Inputs you submit. Subject to your compliance with our Terms, we assign to you all of our right, title, and interest—if any—in Outputs.
>
> Reliance on Outputs and Actions. Artificial intelligence and large language models are frontier technologies that are still improving in accuracy, reliability and safety.

- Interpretation (disclaimed): This segment defines key terms—Inputs, Outputs, Actions, and Materials—and establishes that users are responsible for all Inputs and Actions and represent they have all rights necessary to submit Inputs, creating foundational definitions and ownership-related representations that govern user content rights.
- Tier: All
- Location: § 4
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Generally.%20You%20may,reliability%20and%20safety.%20

### prompt ownership — risk unknown

> The Services are owned, operated, and provided by us and our affiliates, licensors, distributors, and service providers (collectively “Providers”). We and our Providers retain all of our respective rights, title, and interest, including intellectual property rights, in and to the Services. Other than the rights of access and use expressly granted in our Terms, our Terms do not grant you any right, title, or interest in or to our Services.

- Interpretation (disclaimed): This segment establishes that Anthropic and its Providers retain all intellectual property rights in and to the Services, and restricts users from claiming any right, title, or interest beyond the express access rights granted, limiting user ownership claims over the Services.
- Tier: All
- Location: § 10 (Ownership of the Services)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20The%20Services%20are,or%20to%20our%20Services.

### output ownership — risk unknown

> We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input (“Feedback”). If you rate an Output in response to an Input—for example, by using the thumbs up/thumbs down icon—we will store the related conversation as part of your Feedback. You have no obligation to give us Feedback, but if you do, you agree that we may use the Feedback however we choose without any obligation or other payment to you.

- Interpretation (disclaimed): This segment defines Feedback, establishes that Anthropic will store rated conversations as Feedback, and grants Anthropic an unrestricted, royalty-free permission to use Feedback however it chooses with no obligation or payment to the user, effectively conveying broad rights over user-provided feedback content.
- Tier: All
- Location: § 5 (Feedback)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20We%20appreciate%20feedback%2C,other%20payment%20to%20you.

### commercial use — risk high

> Human-in-the-loop: When using our products or services to provide advice, recommendations, or in subjective decision-making directly affecting individuals or consumers, a qualified professional in that field must review the content or decision prior to dissemination or finalization. You or your organization are responsible for the accuracy and appropriateness of that information.

- Interpretation (disclaimed): This clause contractually assigns responsibility for output accuracy to the operator ('You or your organization are responsible'), which could be used against the operator in negligence or product liability claims by affected individuals. The human-in-the-loop requirement also increases operational overhead and may make certain automated workflows non-compliant.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Human-in-the-loop%3A%20When%20using%20our,appropriateness%20of%20that%20information.

### commercial use — risk medium

> Disclosure: If model outputs are presented directly to individuals or consumers, you must disclose to them that you are using AI to help produce your advice, decisions, or recommendations. This disclosure must be provided at a minimum at the beginning of each session.

- Interpretation (disclaimed): This contractual disclosure requirement mirrors and reinforces emerging regulatory obligations. Non-compliance risks breach of contract with Anthropic and potential regulatory liability under consumer protection or AI-specific disclosure laws. Operators must implement session-level disclosure mechanisms.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Disclosure%3A%20If%20model%20outputs,beginning%20of%20each%20session.

### commercial use — risk ambiguous

> Anthropic may enter into contracts with certain governmental customers that tailor use restrictions to that customer’s public mission and legal authorities if, in Anthropic’s judgment, the contractual use restrictions and applicable safeguards are adequate to mitigate the potential harms addressed by this Usage Policy.

- Interpretation (disclaimed): This clause gives Anthropic unilateral discretion ('in Anthropic's judgment') to waive or modify AUP restrictions for government customers via contract. Non-governmental commercial users have no equivalent mechanism disclosed here, creating a two-tiered enforcement regime with potential fairness and competitive concerns.
- Tier: Enterprise
- Location: Usage Policy › “Usage Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Anthropic%20may%20enter%20into,by%20this%20Usage%20Policy.

### privacy data use — risk medium

> Inputs and Outputs: You are able to interact with our Services in a variety of formats, including but not limited to chat, coding, and agentic sessions (“Prompts” or "Inputs"), which generate responses and actions (“Outputs”) based on your Inputs. This includes third-party applications you choose to integrate with our Services. If you include personal data or reference external content in your Inputs, we will collect that information and this information may be reproduced in your Outputs.

- Interpretation (disclaimed): The clause confirms that any personal data embedded in user inputs is collected by Anthropic and may reappear in outputs, raising risks of inadvertent disclosure of third-party personal data and complicating deletion or access requests.
- Tier: All
- Location: Privacy Policy › “Personal data you provide to us directly”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Inputs%20and%20Outputs%3A%20You,reproduced%20in%20your%20Outputs.

### privacy data use — risk medium

> Feedback on your use of our Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). If you rate an Output in response to an Input—for example, by using the thumbs up/thumbs down icon—we will store the entire related conversation as part of your Feedback.

- Interpretation (disclaimed): The clause broadens the data collection consequence of a minimal user action (rating), resulting in full conversation retention. This expands the data footprint beyond what users would typically expect from a feedback mechanism.
- Tier: All
- Location: Privacy Policy › “Personal data you provide to us directly”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Feedback%20on%20your%20use,part%20of%20your%20Feedback.

### privacy data use — risk medium

> Cookies & Similar Technologies. We and our service providers use cookies, scripts, or similar technologies (“Cookies”) to manage the Services and to collect information about you and your use of the Services. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Services to make them safer and more useful to you.

- Interpretation (disclaimed): The clause confirms use of cookies and similar technologies for behavioral targeting and marketing by Anthropic and its service providers, extending data collection beyond core service delivery.
- Tier: All
- Location: Privacy Policy › “Personal data we receive automatically from your use of the Services”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Cookies%20%26%20Similar%20Technologies.,more%20useful%20to%20you.

### privacy data use — risk medium

> To improve the Services and conduct research, including training our models; and

- Interpretation (disclaimed): This purpose statement in the lawful-use section anchors Anthropic's legal basis for using personal data in model training and research, reinforcing the training_use clauses.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=To%20improve%20the%20Services,training%20our%20models%3B%20and

### privacy data use — risk medium

> We will only collect, use and disclose your personal data with your consent, unless otherwise permitted or required by law. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

- Interpretation (disclaimed): Allowing implied consent lowers the bar for obtaining user agreement to data processing. The caveat that withdrawal is subject to 'contractual restrictions' means ongoing contractual obligations may override a user's desire to stop data use.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=We%20will%20only%20collect%2C,restrictions%20and%20reasonable%20notice.

### privacy data use — risk medium

> in certain cases we may continue to process and retain data regardless of your request for deletion, objection, blocking or anonymisation, in order to comply with legal, contractual and regulatory obligations, safeguard and exercise rights, including in judicial, administrative and arbitration proceedings and in other cases provided for by law.

- Interpretation (disclaimed): This override provision means user rights (deletion, objection, blocking) are not absolute; Anthropic retains broad discretion to continue processing. While legally standard, the breadth of exceptions ('other cases provided for by law') reduces practical enforceability of user rights.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=in%20certain%20cases%20we,provided%20for%20by%20law.

### privacy data use — risk low

> Violate privacy rights as defined by applicable privacy laws, such as sharing personal information without consent or accessing private data unlawfully
>
> Misuse, collect, solicit, or gain access without permission to private information such as non-public contact details, health data, biometric or neural data (including facial recognition), or confidential or proprietary data

- Interpretation (disclaimed): The clause imposes obligations on users not to misuse personal data through the platform but is silent on how Anthropic collects, stores, or shares user data. For a complete privacy risk assessment, a separate privacy policy would need to be reviewed.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Privacy or Identity Rights”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Violate%20privacy%20rights%20as,confidential%20or%20proprietary%20data

### privacy data use — risk low

> Automated decision-making: Anthropic does not engage in decision making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).

- Interpretation (disclaimed): The carve-out mirrors GDPR Art. 22 language (legal/similarly significant effects) but does not exclude all automated profiling. Automated moderation flagging of Inputs/Outputs is referenced elsewhere in the document and is not covered by this statement.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Automated%20decision-making%20%3A%20Anthropic,essential%20goods%20or%20services).

### privacy data use — risk low

> Sale & targeted Anthropic marketing of its products and services. Anthropic does not “sell” your personal data as that term is defined by applicable laws and regulations. You can opt-out of sharing your personal data for targeted advertising to promote our products and services, and we will honor global privacy controls.

- Interpretation (disclaimed): Under CCPA/CPRA, 'sharing' for cross-context behavioral advertising is distinct from 'selling' and triggers separate opt-out rights. Anthropic's denial of 'selling' does not preclude 'sharing' as defined under California law, which may still apply.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Sale%20%26%20targeted%20Anthropic,honor%20global%20privacy%20controls.

### privacy data use — risk unknown

> We use your personal data for the following purposes:
>
> To provide, maintain and facilitate any products and services offered to you with respect to your Anthropic account, which are governed by our Terms of Service;
>
> To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience;
>
> To communicate with you, including to send you information about our Services and events;
>
> To create and administer your Anthropic account;
>
> To facilitate payments for products and services provided by Anthropic;
>
> To prevent and investigate fraud, abuse, and violations of our Usage Policy, unlawful or criminal activity, unauthorized access to or use of personal data or Anthropic systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations;
>
> To investigate and resolve disputes;
>
> To investigate and resolve security issues;
>
> To debug and to identify and repair errors that impair existing functionality
>
> To improve the Services and conduct research, including training our models; and
>
> To enforce our Terms of Service and similar terms and agreements, including our Usage Policy.
>
> We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings. Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review to improve our ability to detect harmful content, enforce our policies, or advance AI safety research, or (2) you've explicitly reported the materials to us (for example via our feedback mechanisms).
>
> Please see Section 10 below for details of our legal bases for processing your personal data.

- Interpretation (disclaimed): Continues the enumeration of permitted uses of personal data including service improvement, legal compliance, and safety purposes, further defining the lawful bases for Anthropic's data processing activities.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20use%20your,processing%20your%20personal%20data.

### privacy data use — risk unknown

> We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

- Interpretation (disclaimed): This segment establishes Anthropic's procedure for updating the Privacy Policy, including obligation to notify users of material changes, update the effective date, and maintain a changelog in the Privacy Center, creating procedural obligations for policy amendment transparency.
- Tier: All
- Location: Privacy Policy › “Security Controls Relating to our Processing of Personal Data”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20implement%20appropriate,disclosure%2C%20alteration%2C%20or%20destruction.

### privacy data use — risk unknown

> Consent (for example for precise device location or for health app integrations)

- Interpretation (disclaimed): This segment defines Consent as a legal basis for processing personal data for optional services, providing examples such as precise device location and health app integrations that clarify the scope of consent-based processing.
- Tier: All
- Location: Privacy Policy › “Technical Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Consent%20(for%20example,for%20health%20app%20integrations)

### privacy data use — risk unknown

> It is in our legitimate interests to promote our Services and to send direct marketing.
>
> To create and administer your Anthropic account Identity and Contact Data

- Interpretation (disclaimed): This segment identifies the purpose of creating and administering user accounts, specifying Identity and Contact Data as a processed category and establishing Contract as the legal basis, creating an obligation to process data for account management.
- Tier: All
- Location: Privacy Policy › “Legitimate Interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> Entrusted Data Name, ID, phone number, email, address, and other information that you may provide to the domestic representative

- Interpretation (disclaimed): Defines the categories of personal data (name, ID, phone number, email, address, and other provided information) that are entrusted to the domestic representative, establishing the scope of data subject to the transfer obligation.
- Tier: All
- Location: Privacy Policy › “Trustees and Contacts Bae, Kim & Lee LLC (02-3404-0001)”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Entrusted%20Data%20Name%2C,the%20domestic%20representative%20

### privacy data use — risk unknown

> This includes using our products or services to:
>
> Violate privacy rights as defined by applicable privacy laws, such as sharing personal information without consent or accessing private data unlawfully
>
> Misuse, collect, solicit, or gain access without permission to private information such as non-public contact details, health data, biometric or neural data (including facial recognition), or confidential or proprietary data
>
> Impersonate a human by presenting results as human-generated, or using results in a manner intended to convince a natural person that they are communicating with a natural person when they are not

- Interpretation (disclaimed): This segment specifies prohibited privacy-related activities including violating privacy laws, misusing private information such as health data or biometric data, and impersonating a human to deceive natural persons about the nature of AI-generated communications.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Privacy or Identity Rights”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,when%20they%20are%20not

### privacy data use — risk unknown

> This includes using our products or services to:
>
> Violate privacy rights as defined by applicable privacy laws, such as sharing personal information without consent or accessing private data unlawfully
>
> Misuse, collect, solicit, or gain access without permission to private information such as non-public contact details, health data, biometric or neural data (including facial recognition), or confidential or proprietary data
>
> Impersonate a human by presenting results as human-generated, or using results in a manner intended to convince a natural person that they are communicating with a natural person when they are not

- Interpretation (disclaimed): This segment enumerates specific prohibited privacy-related activities, including violating applicable privacy laws, misusing or collecting private information (health, biometric, neural data) without permission, and impersonating humans by presenting AI-generated results as human-generated, establishing specific data-use and identity restrictions.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Privacy or Identity Rights”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,when%20they%20are%20not

### privacy data use — risk unknown

> Please read our Privacy Policy, which describes how we collect and use personal information.

- Interpretation (disclaimed): This segment incorporates the Privacy Policy by reference, directing users to a separate document that governs how personal information is collected and used, creating a legally binding cross-reference to data handling obligations.
- Tier: All
- Location: Terms of Service › “Consumer Terms of Service \ Anthropic”
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Please%20read%20our,and%20use%20personal%20information.

### privacy data use — risk unknown

> Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems.
>
> This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website and other places where Anthropic acts as a data controller—for example, when you interact with Claude.ai or other products as a consumer for personal use ("Services") or when Anthropic operates and provides our commercial customers and their end users with access to our commercial products, such as the Claude Team plan (“Commercial Services”).
>
> This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic’s Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the back-end with Claude. In those cases, the commercial customer is the controller, and you can review their policies for more information about how they handle your personal data.
>
> Please see our Non-User Privacy Policy for information on how our large language models are ‘trained’ and how personal data obtained from third party sources, including where others may submit personal data when using our services, may be used when developing or delivering our products and services.
>
> This Privacy Policy also describes your privacy rights. More information about your rights, and how to exercise them, is set out in Section 4 (“Rights and Choices”).

- Interpretation (disclaimed): This segment defines the scope of the Privacy Policy, identifying Anthropic as data controller and defining the categories of covered services (consumer Services and Commercial Services), establishing foundational definitions that govern all subsequent data processing obligations.
- Tier: All
- Location: Privacy Policy › “Privacy Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20is%20an,(%E2%80%9CRights%20and%20Choices%E2%80%9D).%20

### privacy data use — risk unknown

> Identity and Contact Data: Anthropic collects identifiers, including your name, email address, and phone number when you sign up for an Anthropic account, or to receive information on our Services. We may also collect or generate indirect identifiers (e.g., “USER12345”).
>
> Payment Information: We shall collect your payment information if you choose to purchase access to Anthropic’s products and services.
>
> Inputs and Outputs: You are able to interact with our Services in a variety of formats, including but not limited to chat, coding, and agentic sessions (“Prompts” or "Inputs"), which generate responses and actions (“Outputs”) based on your Inputs. This includes third-party applications you choose to integrate with our Services. If you include personal data or reference external content in your Inputs, we will collect that information and this information may be reproduced in your Outputs.
>
> Feedback on your use of our Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). If you rate an Output in response to an Input—for example, by using the thumbs up/thumbs down icon—we will store the entire related conversation as part of your Feedback. You can learn more about how we use Feedback here.
>
> Communication Information: If you communicate with us, including via our chatbot on our Help site, we collect your name, contact information, and the contents of any messages you send.

- Interpretation (disclaimed): This segment defines specific categories of personal data collected directly from users, including identity/contact data, payment information, and Inputs/Outputs (Prompts), establishing the legal definition of 'Prompts' and 'Inputs' as terms used throughout the policy and governing what data Anthropic collects and may process.
- Tier: All
- Location: Privacy Policy › “Personal data you provide to us directly”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Identity%20and%20Contact,any%20messages%20you%20send.

### privacy data use — risk unknown

> When you use the Services, we also receive certain technical data automatically (described below, collectively “Technical Information”). This includes:
>
> Device and Connection Information. Consistent with your device or browser permissions, your device or browser automatically sends us information about when and how you install, access, or use our Services. This includes information such as your device type, operating system information, browser information and web page referers, mobile network, connection information, mobile operator or internet service provider (ISP), time zone setting, IP address (including information about the location of the device derived from your IP address), identifiers (including device or advertising identifiers, probabilistic identifiers, and other unique personal or online identifiers), and device location.
>
> Usage Information. We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
>
> Log and Troubleshooting Information. We collect information about how our Services are performing when you use them. This information includes log files. If you or your device experiences an error, we may collect information about the error, the time the error occurred, the feature being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.

- Interpretation (disclaimed): This segment defines 'Technical Information' and enumerates the categories of device and connection data automatically collected from users, establishing the legal scope of automatically collected personal data subject to processing obligations.
- Tier: All
- Location: Privacy Policy › “Personal data we receive automatically from your use of the Services”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20When%20you%20use,the%20error%20occurred.%20

### privacy data use — risk unknown

> We collect the following categories of personal data:

- Interpretation (disclaimed): This segment introduces the enumeration of personal data categories collected by Anthropic, framing the definitional scope of what constitutes collected personal data under the policy.
- Tier: All
- Location: § 1 (Collection of Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20collect%20the,categories%20of%20personal%20data%3A

### privacy data use — risk unknown

> To facilitate payments for products and services provided by Anthropic Identity and Contact Data

- Interpretation (disclaimed): This segment specifies that Identity and Contact Data is processed under the contract legal basis for the purpose of facilitating payments, establishing an obligation to process this data category in connection with payment transactions for Anthropic products and services.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20facilitate%20payments,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> Depending on where you live and the laws that apply in your country of residence, you may enjoy certain rights regarding your personal data, as described further below. However, please be aware that these rights are limited, and that the process by which we may need to action your requests regarding our training dataset are complex. We may also decline a request if we have a lawful reason for doing so. That said, we strive to prioritize the protection of personal data, and comply with all applicable privacy laws.
>
> To exercise your rights, you or an authorized agent may submit a request by emailing us at privacy@anthropic.com. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. You may also have the right to appeal requests that we deny by emailing privacy@anthropic.com. Anthropic will not discriminate based on the exercising of privacy rights you may have. Set out below is a summary of the rights which you may enjoy, depending on the laws that apply in your country of residence.
>
> Right to know: the right to know what personal data Anthropic processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.
>
> Access & data portability: the right to request a copy of the personal data Anthropic processes about you, subject to certain exceptions and conditions.

- Interpretation (disclaimed): Establishes that users have legally recognized rights regarding their personal data subject to applicable law, while noting limitations on those rights particularly with respect to training datasets, and provides a procedure for submitting rights requests via email.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Depending%20on%20where,exceptions%20and%20conditions.%20

### privacy data use — risk unknown

> When you use the Services, we also receive certain technical data automatically (described below, collectively “Technical Information”). This includes:
>
> Device and Connection Information. Consistent with your device or browser permissions, your device or browser automatically sends us information about when and how you install, access, or use our Services. This includes information such as your device type, operating system information, browser information and web page referers, mobile network, connection information, mobile operator or internet service provider (ISP), time zone setting, IP address (including information about the location of the device derived from your IP address), identifiers (including device or advertising identifiers, probabilistic identifiers, and other unique personal or online identifiers), and device location.
>
> Usage Information. We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
>
> Log and Troubleshooting Information. We collect information about how our Services are performing when you use them. This information includes log files. If you or your device experiences an error, we may collect information about the error, the time the error occurred, the feature being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.

- Interpretation (disclaimed): Describes automatic collection of device and connection information from users, constituting an obligation to disclose and a procedural description of data collection practices for device, browser, IP, and usage data.
- Tier: All
- Location: Privacy Policy › “Personal data we receive automatically from your use of the Services”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20When%20you%20use,the%20error%20occurred.%20

### privacy data use — risk unknown

> If you live in the European Economic Area (EEA), UK or Switzerland (the “European Region”), the data controller responsible for your personal data is Anthropic Ireland, Limited. If you live outside the European Region, the data controller responsible for your personal data is Anthropic PBC.
>
> If you have any questions about this Privacy Policy, or have any questions, complaints or requests regarding your personal data, you can contact us as described below:
>
> Anthropic PBC with a registered address at 548 Market St, PMB 90375, San Francisco, CA 94104 (United States).
>
> Anthropic Ireland, Limited with a registered address at 6th Floor, South Bank House, Barrow Street. Dublin 4, D04 TR29 (Ireland).
>
> You can email us at privacy@anthropic.com and contact our Data Protection Officer at dpo@anthropic.com.
>
> Please note that under many countries' laws, you have the right to lodge a complaint with the supervisory authority in the place in which you live or work. A full list of EU supervisory authorities’ contact details is available here. If you live or work in the UK, you have the right to lodge a complaint with the UK Information Commissioner’s Office. If you live in Brazil, you have the right to lodge a complaint with the Brazilian Data Protection Authority (ANPD). If you live in Australia, you have the right to lodge a complaint with the Office of the Australian Information Commissioner.

- Interpretation (disclaimed): This segment defines the data controllers responsible for personal data depending on the user's geographic region, establishing the legal entities with obligations under applicable privacy law and providing contact information for privacy-related inquiries.
- Tier: All
- Location: § 9 (Contact Information)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20If%20you%20live,Australian%20Information%20Commissioner%20.

### privacy data use — risk unknown

> To facilitate payments for products and services provided by Anthropic Identity and Contact Data

- Interpretation (disclaimed): This segment identifies payment facilitation as a processing purpose, specifying Identity and Contact Data as a processed category and establishing Contract as the legal basis, creating an obligation to process such data for payment transactions.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20facilitate%20payments,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> It is in our legitimate interests to maintain continuous functioning of our services and rapid correction of problems to ensure a positive user experience that encourages engagement.
>
> To improve the Services and conduct research (excluding model training) Identity and Contact Data

- Interpretation (disclaimed): Grants Anthropic permission to process Identity, Contact, Technical, and Feedback data to improve services and conduct research (excluding model training), justified by legitimate interests in service evaluation and AI safety research benefiting users and society.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> To provide, maintain and facilitate any products and services offered to you with respect to your Anthropic account, which are governed by our Terms of Service Identity and Contact Data

- Interpretation (disclaimed): This segment identifies the purpose of processing personal data (providing and maintaining services governed by Terms of Service) and the associated data categories, establishing the legal basis for processing as contract performance.
- Tier: All
- Location: Privacy Policy › “Purpose Type of Data Legal Basis”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20provide%2C%20maintain,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> Anthropic will disclose personal data to the following categories of third parties for the purposes explained in this Policy:
>
> Affiliates & corporate partners. Anthropic discloses the categories of personal data described above between and among its affiliates and related entities.
>
> Service providers & business partners. Anthropic may disclose the categories of personal data described above with service providers and business partners for a variety of business purposes, including website and data hosting, ensuring compliance with industry standards, research, auditing, data processing, and providing you with the services.
>
> Anthropic may also disclose personal data in the following circumstances:
>
> As part of a significant corporate event. If Anthropic is involved in a merger, corporate transaction, bankruptcy, or other situation involving the transfer of business assets, Anthropic will disclose your personal data as part of these corporate transactions.
>
> Third-Party Websites and Services: Our Services may involve integrations with, or may direct you to, websites, apps, and services managed by third parties. By interacting with these third parties, you are providing information directly to the third party and not Anthropic and subject to the third party’s privacy policy. If you access third-party services, such as social media sites or other sites linked through the Services (e.g., if you follow a link to our Twitter account), these third-party services will be able to collect personal data about you, including information about your activity on the Services.

- Interpretation (disclaimed): This segment introduces the section on individual rights and choices regarding personal data, acknowledging that rights are limited and subject to applicable law, and describing the process for submitting data subject requests, establishing the procedural framework for exercising data subject rights.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20will%20disclose,on%20the%20Services.%20

### privacy data use — risk unknown

> We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

- Interpretation (disclaimed): Establishes Anthropic's obligation to implement appropriate technical and organizational security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
- Tier: All
- Location: Privacy Policy › “Security Controls Relating to our Processing of Personal Data”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20implement%20appropriate,disclosure%2C%20alteration%2C%20or%20destruction.

### privacy data use — risk unknown

> It is in our legitimate interests to fully understand and make reasonable efforts to resolve customer complaints in order to improve user satisfaction. We also have a legal obligation in some cases.

- Interpretation (disclaimed): This segment articulates the legitimate interest rationale for processing personal data to investigate and resolve customer complaints, as well as the legal obligation basis in certain cases, justifying the dual legal bases for dispute-related processing.
- Tier: All
- Location: Privacy Policy › “Legal obligation”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,in%20some%20cases.%20

### privacy data use — risk unknown

> It is in our and our users' legitimate interests to expand our product features and deliver additional services that enhance platform functionality and user experience.
>
> To communicate with you and to promote our Services Identity and Contact Data

- Interpretation (disclaimed): This segment articulates the legitimate interest rationale for processing personal data to expand product features and deliver additional services, justifying the lawful basis and establishing the processing purpose for optional features.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> It is in our legitimate interests to promote our Services and to send direct marketing.
>
> To create and administer your Anthropic account Identity and Contact Data

- Interpretation (disclaimed): This segment identifies Identity and Contact Data as processed under the contract legal basis for creating and administering user accounts, establishing an obligation to process this data category in connection with account management under the Terms of Service.
- Tier: All
- Location: Privacy Policy › “Legitimate Interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> It is in our legitimate interests to maintain continuous functioning of our services and rapid correction of problems to ensure a positive user experience that encourages engagement.
>
> To improve the Services and conduct research (excluding model training) Identity and Contact Data

- Interpretation (disclaimed): Permits Anthropic to process Identity, Contact, and Technical data to improve Services and conduct research (excluding model training), grounded in legitimate interests, and identifies the categories of data used for this purpose.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience Identity and Contact Data

- Interpretation (disclaimed): This segment identifies the purpose of processing personal data for optional services and features, specifying Identity and Contact Data as a processed category and establishing the applicable legal bases including consent and legitimate interests.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20provide%2C%20maintain,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems.
>
> This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website and other places where Anthropic acts as a data controller—for example, when you interact with Claude.ai or other products as a consumer for personal use ("Services") or when Anthropic operates and provides our commercial customers and their end users with access to our commercial products, such as the Claude Team plan (“Commercial Services”).
>
> This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic’s Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the back-end with Claude. In those cases, the commercial customer is the controller, and you can review their policies for more information about how they handle your personal data.
>
> Please see our Non-User Privacy Policy for information on how our large language models are ‘trained’ and how personal data obtained from third party sources, including where others may submit personal data when using our services, may be used when developing or delivering our products and services.
>
> This Privacy Policy also describes your privacy rights. More information about your rights, and how to exercise them, is set out in Section 4 (“Rights and Choices”).

- Interpretation (disclaimed): Defines the scope and purpose of the Privacy Policy, identifying Anthropic as data controller and defining the categories of covered services (Services and Commercial Services), establishing foundational definitional terms that govern subsequent obligations and rights throughout the document.
- Tier: All
- Location: Privacy Policy › “Privacy Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20is%20an,(%E2%80%9CRights%20and%20Choices%E2%80%9D).%20

### privacy data use — risk unknown

> Identity and Contact Data: Anthropic collects identifiers, including your name, email address, and phone number when you sign up for an Anthropic account, or to receive information on our Services. We may also collect or generate indirect identifiers (e.g., “USER12345”).
>
> Payment Information: We shall collect your payment information if you choose to purchase access to Anthropic’s products and services.
>
> Inputs and Outputs: You are able to interact with our Services in a variety of formats, including but not limited to chat, coding, and agentic sessions (“Prompts” or "Inputs"), which generate responses and actions (“Outputs”) based on your Inputs. This includes third-party applications you choose to integrate with our Services. If you include personal data or reference external content in your Inputs, we will collect that information and this information may be reproduced in your Outputs.
>
> Feedback on your use of our Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). If you rate an Output in response to an Input—for example, by using the thumbs up/thumbs down icon—we will store the entire related conversation as part of your Feedback. You can learn more about how we use Feedback here.
>
> Communication Information: If you communicate with us, including via our chatbot on our Help site, we collect your name, contact information, and the contents of any messages you send.

- Interpretation (disclaimed): Describes Anthropic's data collection obligation and practice regarding identity, contact, payment information, and user prompts/inputs/outputs, defining the categories of personal data collected and establishing the legal basis for processing such data.
- Tier: All
- Location: Privacy Policy › “Personal data you provide to us directly”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Identity%20and%20Contact,any%20messages%20you%20send.

### privacy data use — risk unknown

> To provide, maintain and facilitate any products and services offered to you with respect to your Anthropic account, which are governed by our Terms of Service Identity and Contact Data

- Interpretation (disclaimed): This segment specifies the purpose of processing Identity and Contact Data — to provide, maintain and facilitate products and services governed by the Terms of Service — establishing a legal basis (contract) and an obligation to process such data in connection with service delivery.
- Tier: All
- Location: Privacy Policy › “Purpose Type of Data Legal Basis”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20provide%2C%20maintain,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> Where necessary to perform a contract with you, such as processing your contact information to send you a technical announcement about the Services.
>
> Your consent when we ask for it to process your personal data for a specific purpose that we communicate to you, such as processing your contact information to send you certain forms of marketing communications.

- Interpretation (disclaimed): This segment specifies two legal bases—contract performance and consent—for processing personal data for communication and marketing purposes, establishing conditions under which such processing is lawful.
- Tier: All
- Location: Privacy Policy › “Technical Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Where%20necessary%20to,forms%20of%20marketing%20communications.

### privacy data use — risk unknown

> We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct research, study user behavior, and train our AI models as permitted under applicable laws. For instance:
>
> When you submit Feedback, we disassociate Inputs and Outputs from your user ID to use them for training and improving our models.
>
> If our systems flag Inputs or Outputs for potentially violating our Usage Policy, we disassociate the content from your user ID to train our trust and safety internal classification and generative models. However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.
>
> To improve user experience, we may analyze and aggregate general user behavior and usage data. This information does not identify individual users.

- Interpretation (disclaimed): This segment restricts Anthropic's Services from being directed at children under 18, prohibits knowing collection of their data, and establishes a remedy procedure for reporting and deleting children's data, creating legally operative restrictions and procedural obligations under child privacy law.
- Tier: All
- Location: Privacy Policy › “Aggregated or De-Identified Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20may%20process,not%20identify%20individual%20users.

### privacy data use — risk unknown

> Our Services are not directed towards, and we do not knowingly collect, use, disclose, sell, or share any information from children under the age of 18. If you become aware that a child under the age of 18 has provided any personal data to us while using our Services, please email us at privacy@anthropic.com and we will investigate the matter and, if appropriate, delete the personal data.

- Interpretation (disclaimed): Restricts Anthropic's Services from being directed at children under 18 and prohibits knowing collection, use, or disclosure of their personal data, while establishing a procedure for reporting and deleting children's data if inadvertently collected.
- Tier: All
- Location: § 7 (Children)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Our%20Services%20are,delete%20the%20personal%20data.

### privacy data use — risk unknown

> It is in our legitimate interests to protect user data and our systems from intrusion or compromise through monitoring and swift response. We also have a legal obligation to provide adequate security safeguards.
>
> To debug and to identify and repair errors that impair existing functionality Identity and Contact Data

- Interpretation (disclaimed): States that Anthropic has a legal obligation to provide adequate security safeguards and a legitimate interest in protecting user data and systems through monitoring; also introduces a new processing purpose (debugging and error repair) with associated data categories, establishing both an obligation and permission to process data for those purposes.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> These supplemental disclosures contain additional information relevant to residents of Canada. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Canada.
>
> Consent. By expressly consenting to this Privacy Policy, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy and understand that, in jurisdictions where it is available, Anthropic also relies on other lawful bases for the foregoing as more fully set out in this policy. We will only collect, use and disclose your personal data with your consent, unless otherwise permitted or required by law. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
>
> Cross-jurisdictional Transfers. By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States and the countries listed on our Subprocessor List, where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction.

- Interpretation (disclaimed): Requires Canadian residents to read supplemental disclosures in conjunction with the main Privacy Policy, establishes that supplemental disclosures prevail in case of conflict, and records express consent to the collection, use, processing, and disclosure of personal data in accordance with the policy.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20These%20supplemental%20disclosures,in%20your%20jurisdiction.%20

### privacy data use — risk unknown

> Where necessary to perform a contract with you, such as processing your contact information to send you a technical announcement about the Services.
>
> Your consent when we ask for it to process your personal data for a specific purpose that we communicate to you, such as processing your contact information to send you certain forms of marketing communications.

- Interpretation (disclaimed): This segment defines two legal bases — contractual necessity (e.g., technical announcements) and consent (e.g., marketing communications) — applicable to processing contact information for communication purposes, distinguishing the conditions under which each basis applies.
- Tier: All
- Location: Privacy Policy › “Technical Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Where%20necessary%20to,forms%20of%20marketing%20communications.

### privacy data use — risk unknown

> It is in our and our users' legitimate interests to expand our product features and deliver additional services that enhance platform functionality and user experience.
>
> To communicate with you and to promote our Services Identity and Contact Data

- Interpretation (disclaimed): This segment articulates the legitimate interests rationale for expanding product features and delivering additional services, establishing the legal justification for processing Identity and Contact Data to communicate with users and promote services, and specifying this as an operative basis for processing.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> These supplemental disclosures contain additional information relevant to residents of Brazil. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Brazil.
>
> Legal Bases. Depending on the specific purpose of the processing, we may rely on different grounds than those listed under section 2, where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD). For example, we may rely on the "exercise of legal rights" basis to process personal data associated with customer complaints and to enforce our Terms of Service and similar terms and agreements, including our Usage Policy.
>
> Data Subject's Rights. LGPD grants certain rights regarding your personal data, which differ from the ones listed under section 4. We will respond to your requests to exercise your rights below in accordance with applicable law:
>
> Confirmation of whether your data is being processed. You have the right to receive a confirmation on whether Anthropic processes your data.
>
> Access to your data. You have the right to know what personal data Anthropic processes about you.
>
> Correction of incomplete, inaccurate or outdated data. You have the right to request the correction of your data that is incomplete, inaccurate, or outdated.
>
> Anonymization, blocking or erasure of data.

- Interpretation (disclaimed): Requires Brazilian residents to read supplemental disclosures in conjunction with the main Privacy Policy, establishes conflict-of-laws priority for supplemental disclosures, and specifies that lawful bases for processing may differ under Brazil's LGPD.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20These%20supplemental%20disclosures,erasure%20of%20data.%20

### privacy data use — risk unknown

> Anthropic may update this Privacy Policy from time to time. We will notify you of any material changes to this Privacy Policy, as appropriate, and update the Effective Date at the top of https://www.anthropic.com/legal/privacy. You can view a summary of privacy policy changes and previous versions in our Privacy Center.

- Interpretation (disclaimed): Establishes Anthropic's obligation to notify users of material changes to the Privacy Policy and to update the effective date, while providing a procedure for users to access previous versions, constituting a notification and transparency obligation.
- Tier: All
- Location: § 8 (Changes to Our Privacy Policy)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20may%20update,our%20Privacy%20Center%20.

### privacy data use — risk unknown

> Cookies & Similar Technologies. We and our service providers use cookies, scripts, or similar technologies (“Cookies”) to manage the Services and to collect information about you and your use of the Services. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Services to make them safer and more useful to you. For more details about how we use these technologies, and your opt-out controls and other options, please visit our Cookie Policy.

- Interpretation (disclaimed): This segment discloses Anthropic's use of cookies and similar technologies by itself and service providers for purposes including personalization, marketing, and analytics, and references opt-out controls in the Cookie Policy, constituting a procedural and disclosure obligation under applicable privacy law.
- Tier: All
- Location: Privacy Policy › “Personal data we receive automatically from your use of the Services”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Cookies%20%26%20Similar,our%20Cookie%20Policy%20.

### privacy data use — risk unknown

> We collect the following categories of personal data:

- Interpretation (disclaimed): Introduces the enumeration of personal data categories collected by Anthropic, serving as a definitional framing clause for the data collection practices described in subsequent segments.
- Tier: All
- Location: § 1 (Collection of Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20collect%20the,categories%20of%20personal%20data%3A

### privacy data use — risk unknown

> Anthropic retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Policy and explained further in our privacy center.
>
> When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

- Interpretation (disclaimed): This segment imposes an obligation on Anthropic to implement appropriate technical and organizational security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
- Tier: All
- Location: § 6 (Data Retention, Data Lifecycle, and Security Controls)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20retains%20your,required%20under%20applicable%20laws.

### privacy data use — risk unknown

> Cookies & Similar Technologies. We and our service providers use cookies, scripts, or similar technologies (“Cookies”) to manage the Services and to collect information about you and your use of the Services. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Services to make them safer and more useful to you. For more details about how we use these technologies, and your opt-out controls and other options, please visit our Cookie Policy.

- Interpretation (disclaimed): Discloses Anthropic's and its service providers' use of cookies and similar tracking technologies to collect user data, manage services, personalize experience, and analyze usage, constituting a processing obligation disclosure with a reference to opt-out controls.
- Tier: All
- Location: Privacy Policy › “Personal data we receive automatically from your use of the Services”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Cookies%20%26%20Similar,our%20Cookie%20Policy%20.

### privacy data use — risk unknown

> Entrusted Data Name, ID, phone number, email, address, and other information that you may provide to the domestic representative

- Interpretation (disclaimed): Defines the categories of personal data (name, ID, phone number, email, address) entrusted to the domestic representative, establishing the scope of data subject to the transfer arrangement.
- Tier: All
- Location: Privacy Policy › “Trustees and Contacts Bae, Kim & Lee LLC (02-3404-0001)”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Entrusted%20Data%20Name%2C,the%20domestic%20representative%20

### privacy data use — risk unknown

> Consent (for example for precise device location or for health app integrations)

- Interpretation (disclaimed): This segment defines 'Consent' as a legal basis for optional services and features, providing examples such as precise device location or health app integrations, which establishes the definitional scope of consent-based processing for these specific data categories.
- Tier: All
- Location: Privacy Policy › “Technical Information”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Consent%20(for%20example,for%20health%20app%20integrations)

### privacy data use — risk unknown

> It is in our legitimate interests to fully understand and make reasonable efforts to resolve customer complaints in order to improve user satisfaction. We also have a legal obligation in some cases.

- Interpretation (disclaimed): This segment articulates the legitimate interests rationale for dispute processing, stating that it is in Anthropic's legitimate interests to understand and resolve customer complaints to improve user satisfaction, and acknowledging a legal obligation in some cases, thereby providing the operative justification for this processing activity.
- Tier: All
- Location: Privacy Policy › “Legal obligation”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,in%20some%20cases.%20

### privacy data use — risk unknown

> Restriction: the right to restrict our processing of your personal data in certain circumstances.
>
> Withdrawal of consent. Where Anthropic’s processing of your personal data is based on consent, you have the right to withdraw your consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
>
> Automated decision-making: Anthropic does not engage in decision making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).
>
> Sale & targeted Anthropic marketing of its products and services. Anthropic does not “sell” your personal data as that term is defined by applicable laws and regulations. You can opt-out of sharing your personal data for targeted advertising to promote our products and services, and we will honor global privacy controls. To learn more, click here.
>
> Anthropic gives you access to a variety of tools to help you manage your data. You can access these in your Privacy Settings.

- Interpretation (disclaimed): Establishes user rights to restrict processing, withdraw consent (with a limitation that withdrawal does not affect prior lawful processing), and declares that Anthropic does not engage in solely automated decision-making with legal or significant effects, constituting both rights and a restriction disclaimer.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Restriction%3A%20the%20right,your%20Privacy%20Settings%20.

### privacy data use — risk unknown

> To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience Identity and Contact Data

- Interpretation (disclaimed): This segment specifies the purpose of processing Identity and Contact Data for optional services and features that enhance platform functionality and user experience, establishing a permission to process this data under consent and legitimate interests legal bases.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20provide%2C%20maintain,Identity%20and%20Contact%20Data

### privacy data use — risk unknown

> It is in our legitimate interests to protect user data and our systems from intrusion or compromise through monitoring and swift response. We also have a legal obligation to provide adequate security safeguards.
>
> To debug and to identify and repair errors that impair existing functionality Identity and Contact Data

- Interpretation (disclaimed): Articulates the legitimate interest rationale for security monitoring and swift response, confirming both a legal obligation for security safeguards and a legitimate interest basis for processing personal data to debug and repair errors impairing functionality.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### data retention — risk medium

> You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days.

- Interpretation (disclaimed): The 30-day back-end deletion window means personal data persists in Anthropic's systems for up to a month after user-initiated deletion. This window interacts with the training-use carve-outs, potentially allowing flagged content to be used for training before deletion is processed.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20also%20are%20able,back-end%20within%2030%20days.

### data retention — risk medium

> Anthropic retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Policy and explained further in our privacy center.
>
> When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

- Interpretation (disclaimed): GDPR Art. 5(1)(e) requires storage limitation with specific periods. 'Reasonably necessary' without defined timeframes is a compliance risk marker and limits user ability to predict how long their data is held.
- Tier: All
- Location: § 6 (Data Retention, Data Lifecycle, and Security Controls)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Anthropic%20retains%20your%20personal,required%20under%20applicable%20laws.

### data retention — risk unknown

> If we terminate your Account due to inactivity, we will provide you with notice before doing so.
>
> Upon termination of these Terms, a Subscription, or your access to the Services, we may at our option delete any Materials or other data associated with your Account. Sections 6 (with respect to fees outstanding as of such expiration or termination) and 9 – 12 will survive any expiration or termination of our Terms or a Subscription.
>
> Severability. If a particular Term or portion of these Terms is not valid or enforceable, this will have no effect on any other Terms.
>
> No waiver. Any delay or failure on our part to enforce a provision of these Terms is not a waiver of our right to enforce them later.
>
> No assignment. These Terms may not be transferred or assigned by you without our prior written consent, but may be assigned by us without restriction.
>
> Use of our brand. You may not, without our prior written permission, use our name, logos, or other trademarks in connection with products or services other than the Services, or in any other way that implies our affiliation, endorsement, or sponsorship. To seek permission, please email us at marketing@anthropic.com.
>
> Export Controls. You may not export or provide access to the Services into any U.S. embargoed countries or to anyone on (i) the U.S. Treasury Department’s list of Specially Designated Nationals, (ii) any other restricted party lists identified by the Office of Foreign Asset Control, (iii) the U.S.

- Interpretation (disclaimed): This segment specifies the procedure for termination due to inactivity (notice required), establishes the platform's discretionary right to delete user Materials and data upon termination, and identifies which contractual sections survive expiration or termination — directly governing data deletion and retention obligations post-termination.
- Tier: All
- Location: § 12 (General terms)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=If%20we%20terminate%20your,(iii)%20the%20U.S.%20

### data retention — risk unknown

> In certain cases and subject to applicable law, you have the right to port your information.
>
> Deletion: the right to request that we delete personal data collected from you when you use our Services, subject to certain exceptions. You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days. Learn more here.
>
> Correction: the right to request that we correct inaccurate personal data Anthropic retains about you, subject to certain exceptions. Please note that we cannot guarantee the factual accuracy of Outputs. If Outputs contain factually inaccurate personal data relating to you, you can submit a correction request and we will make a reasonable effort to correct this information—but due to the technical complexity of our large language models, it may not always be possible for us to do so.
>
> Objection: the right to object to processing of your personal data, including profiling conducted on grounds of public or legitimate interest. In places where such a right applies, we will no longer process the personal data in case of such objection unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of legal claims. If we use your information for direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe link in such communications.

- Interpretation (disclaimed): This segment is a section heading introducing the data retention, lifecycle, and security controls section, contextualizing the definitions and obligations regarding retention periods and security measures that follow.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=In%20certain%20cases%20and,in%20such%20communications.%20

### data retention — risk unknown

> If we link to a site or service via our Services, you should read their data usage policies or other documentation. Our linking to another site or service doesn’t mean we endorse it or speak for that third party.
>
> Pursuant to regulatory or legal requirements, safety, rights of others, and to enforce our rights or our terms. We may disclose personal data to governmental regulatory authorities as required by law, including for legal, tax or accounting purposes, in response to their requests for such information or to assist in investigations. We may also disclose personal data to third parties in connection with claims, disputes or litigation, when otherwise permitted or required by law, or if we determine its disclosure is necessary to protect the health and safety of you or any other person, to protect against fraud or credit risk, to enforce our legal rights or the legal rights of others, to enforce contractual commitments that you have made, or as otherwise permitted or required by applicable law.
>
> With an individual's consent. Anthropic will otherwise disclose personal data when an individual gives us permission or directs us to disclose this information, including as a part of our Services.
>
> You can find information on our Subprocessor List about the third parties Anthropic engages to help us process personal data provided to us where Anthropic acts as a data processor, such as with respect to personal data we receive, process, store, or host when you use Anthropic's commercial services.

- Interpretation (disclaimed): This segment grants data subjects the right to data portability, the right to deletion of personal data (with a specific 30-day back-end deletion timeline for individual conversations), and the right to correction of inaccurate data, subject to exceptions, establishing enforceable individual rights and associated retention/deletion obligations.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=If%20we%20link%20to,use%20Anthropic%26%23x27%3Bs%20commercial%20services.

### data retention — risk ambiguous

> Retention period The period necessary to process your request

- Interpretation (disclaimed): Vague retention language ('period necessary') provides no enforceable upper bound on how long the Korean subprocessor retains personal data, creating uncertainty about deletion timelines.
- Tier: All
- Location: Privacy Policy › “Retention period The period necessary to process your request”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Retention%20period%20The%20period,to%20process%20your%20request

### data retention — risk unknown

> In certain cases and subject to applicable law, you have the right to port your information.
>
> Deletion: the right to request that we delete personal data collected from you when you use our Services, subject to certain exceptions. You also are able to  delete individual conversations , which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days. Learn more  here .
>
> Correction: the right to request that we correct inaccurate personal data Anthropic retains about you, subject to certain exceptions. Please note that we cannot guarantee the factual accuracy of Outputs. If Outputs contain factually inaccurate personal data relating to you, you can submit a correction request and we will make a reasonable effort to correct this information—but due to the technical complexity of our large language models, it may not always be possible for us to do so.
>
> Objection: the right to object to processing of your personal data, including profiling conducted on grounds of public or legitimate interest. In places where such a right applies, we will no longer process the personal data in case of such objection unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of legal claims. If we use your information for direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe link in such communications.

- Interpretation (disclaimed): Establishes user rights to data portability, deletion, and correction of personal data, and specifies a concrete procedure and timeline (removal from conversation history immediately, deletion from back-end within 30 days) for exercising deletion rights, constituting a data retention and deletion procedure.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=In%20certain%20cases%20and,in%20such%20communications.%20

### data retention — risk unknown

> Restriction: the right to restrict our processing of your personal data in certain circumstances.
>
> Withdrawal of consent.  Where Anthropic’s processing of your personal data is based on consent, you have the right to withdraw your consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
>
> Automated decision-making : Anthropic does not engage in decision making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).
>
> Sale & targeted Anthropic marketing of its products and services . Anthropic does not “sell” your personal data as that term is defined by applicable laws and regulations. You can opt-out of sharing your personal data for targeted advertising to promote our products and services, and we will honor global privacy controls. To learn more,  click here .
>
> Anthropic gives you access to a variety of tools to help you manage your data. You can access these in your Privacy Settings .

- Interpretation (disclaimed): This segment establishes Anthropic's obligation to retain personal data only as long as reasonably necessary for stated purposes and to destroy, delete, erase, or anonymize data when no longer required, imposing enforceable retention and deletion obligations on Anthropic and its service providers.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Restriction%3A%20the%20right,your%20Privacy%20Settings%20.

### data retention — risk unknown

> Anthropic retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Policy and explained further in our  privacy center .
>
> When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

- Interpretation (disclaimed): Establishes Anthropic's obligation to retain personal data only as long as reasonably necessary and to destroy, delete, erase, or anonymize data when no longer required, constituting a binding data retention and deletion obligation for both Anthropic and its service providers.
- Tier: All
- Location: § 6 (Data Retention, Data Lifecycle, and Security Controls)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20retains%20your,required%20under%20applicable%20laws.

### subprocessors data sharing — risk medium

> By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States and the countries listed on our  Subprocessor List , where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction. Furthermore, we may disclose your personal data in these jurisdictions in response to legal processes or where we believe in good faith that disclosure is required or permitted by law.

- Interpretation (disclaimed): This clause creates broad consent to cross-border data transfers to jurisdictions potentially lacking equivalent privacy protections, and permits disclosure to authorities on a subjective 'good faith' standard—reducing user control over their data.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=By%20providing%20us%20with,or%20permitted%20by%20law.

### subprocessors data sharing — risk medium

> You acknowledge that Anthropic is a company based and headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories, which may not have data privacy or data protection laws equivalent to those in your country or territory.

- Interpretation (disclaimed): Transferring personal data to jurisdictions with weaker legal protections exposes users to reduced privacy rights and enforcement options. The explicit acknowledgment of this gap is notable from a risk perspective.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20acknowledge%20that%20Anthropic,your%20country%20or%20territory.

### subprocessors data sharing — risk medium

> Affiliates & corporate partners.  Anthropic discloses the categories of personal data described above between and among its affiliates and related entities.
>
> Service providers & business partners.  Anthropic may disclose the categories of personal data described above with service providers and business partners for a variety of business purposes, including website and data hosting, ensuring compliance with industry standards, research, auditing, data processing, and providing you with the services.

- Interpretation (disclaimed): Broad disclosure authority to affiliates and third-party service providers/business partners with a non-exhaustive list of purposes (including 'research') creates uncertainty about who receives personal data and for what purposes.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Affiliates%20%26%20corporate%20partners.,you%20with%20the%20services.

### subprocessors data sharing — risk medium

> As part of a significant corporate event.  If Anthropic is involved in a merger, corporate transaction, bankruptcy, or other situation involving the transfer of business assets, Anthropic will disclose your personal data as part of these corporate transactions.

- Interpretation (disclaimed): Standard M&A data transfer clause; however, combined with the breadth of data collected (inputs, outputs, usage data), the volume and sensitivity of data transferable without user consent is notable.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=As%20part%20of%20a,of%20these%20corporate%20transactions.

### subprocessors data sharing — risk medium

> Standard contractual clauses.   The European Commission has approved contractual clauses under Article 46 GDPR that allows companies in the EEA to transfer data outside the EEA. These (and their approved equivalent for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information as described in “Collection of Personal Data” to certain affiliates and third parties in countries without an adequacy decision.

- Interpretation (disclaimed): SCCs are a recognized GDPR Art. 46 transfer mechanism but require a Transfer Impact Assessment post-Schrems II. The policy does not specify which countries or sub-processors receive the data, limiting user ability to assess risk.
- Tier: All
- Location: § 5 (Data Transfers)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Standard%20contractual%20clauses.%20The,without%20an%20adequacy%20decision.

### subprocessors data sharing — risk low

> You can find information on our  Subprocessor List  about the third parties Anthropic engages to help us process personal data provided to us where Anthropic acts as a data processor, such as with respect to personal data we receive, process, store, or host when you use Anthropic's commercial services.

- Interpretation (disclaimed): The policy references an external subprocessor list rather than enumerating subprocessors. While common practice, it limits users' ability to assess data-sharing scope from this document alone.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20can%20find%20information,use%20Anthropic%26%23x27%3Bs%20commercial%20services.

### subprocessors data sharing — risk low

> Trustees and Contacts Bae, Kim & Lee LLC (02-3404-0001) 
>
> Entrusted Data Name, ID, phone number, email, address, and other information that you may provide to the domestic representative
>
> Purpose Assisting with the domestic representative duties
>
> Recipient Location South Korea
>
> Retention period The period necessary to process your request
>
> Times and methods of transfer Telephone, text, or email

- Interpretation (disclaimed): Korean law (PIPA) requires disclosure of domestic data processing trustees. The clause is a compliance disclosure rather than a risk-generating provision, and the data shared is limited to contact/representative-related data.
- Tier: All
- Location: Privacy Policy › “Trustees and Contacts Bae, Kim & Lee LLC (02-3404-0001)”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Trustees%20and%20Contacts%20Bae%2C,Telephone%2C%20text%2C%20or%20email

### subprocessors data sharing — risk unknown

> If you live in the European Economic Area (EEA), UK or Switzerland (the “European Region”), the data controller responsible for your personal data is Anthropic Ireland, Limited. If you live outside the European Region, the data controller responsible for your personal data is Anthropic PBC.
>
> If you have any questions about this Privacy Policy, or have any questions, complaints or requests regarding your personal data, you can contact us as described below:
>
> Anthropic PBC with a registered address at 548 Market St, PMB 90375, San Francisco, CA 94104 (United States).
>
> Anthropic Ireland, Limited with a registered address at 6th Floor, South Bank House, Barrow Street. Dublin 4, D04 TR29 (Ireland).
>
> You can email us at  privacy@anthropic.com  and contact our Data Protection Officer at  dpo@anthropic.com .
>
> Please note that under many countries' laws, you have the right to lodge a complaint with the supervisory authority in the place in which you live or work. A full list of EU supervisory authorities’ contact details is available  here . If you live or work in the UK, you have the right to lodge a complaint with the  UK Information Commissioner’s Office . If you live in Brazil, you have the right to lodge a complaint with the  Brazilian Data Protection Authority (ANPD) .If you live in Australia, you have the right to lodge a complaint with the Office of the Australian Information Commissioner .

- Interpretation (disclaimed): This segment defines the data controllers responsible for processing personal data depending on the user's geographic region (EEA/UK/Switzerland vs. outside), establishing the legal identity of the responsible entity and providing contact details for privacy inquiries, which is a foundational definition for data processing accountability obligations.
- Tier: All
- Location: § 9 (Contact Information)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20If%20you%20live,Australian%20Information%20Commissioner%20.

### subprocessors data sharing — risk unknown

> Email: [anthropicprivacy@bkl.co.kr]
>
> Data Processors:

- Interpretation (disclaimed): Introduces the category 'Data Processors' for Korean residents, defining the class of third-party entities that process personal data on Anthropic's behalf and initiating required disclosures under Korean data protection law.
- Tier: All
- Location: Privacy Policy › “Telephone: [+82-2-6252-2080]”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Email%3A%20%5Banthropicprivacy%40bkl.co.kr%5D%0A%20Data%20Processors%3A

### subprocessors data sharing — risk unknown

> If we link to a site or service via our Services, you should read their data usage policies or other documentation. Our linking to another site or service doesn’t mean we endorse it or speak for that third party.
>
> Pursuant to regulatory or legal requirements, safety, rights of others, and to enforce our rights or our terms.  We may disclose personal data to governmental regulatory authorities as required by law, including for legal, tax or accounting purposes, in response to their requests for such information or to assist in investigations. We may also disclose personal data to third parties in connection with claims, disputes or litigation, when otherwise permitted or required by law, or if we determine its disclosure is necessary to protect the health and safety of you or any other person, to protect against fraud or credit risk, to enforce our legal rights or the legal rights of others, to enforce contractual commitments that you have made, or as otherwise permitted or required by applicable law.
>
> With an individual's consent.  Anthropic will otherwise disclose personal data when an individual gives us permission or directs us to disclose this information, including as a part of our Services.
>
> You can find information on our  Subprocessor List  about the third parties Anthropic engages to help us process personal data provided to us where Anthropic acts as a data processor, such as with respect to personal data we receive, process, store, or host when you use Anthropic's commercial services.

- Interpretation (disclaimed): Discloses that personal data may be shared with governmental authorities pursuant to legal requirements, safety concerns, or enforcement of rights, establishing legal compulsion and rights-enforcement as legitimate bases for third-party disclosure, including limiting Anthropic's liability for third-party linked sites.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=If%20we%20link%20to,use%20Anthropic%26%23x27%3Bs%20commercial%20services.

### subprocessors data sharing — risk unknown

> Email: [anthropicprivacy@bkl.co.kr]
>
> Data Processors:

- Interpretation (disclaimed): Introduces 'Data Processors' as a section label for Korea-specific disclosure of subprocessors or data processors, beginning the enumeration of entities that process personal data on Anthropic's behalf as required under Korean data protection law.
- Tier: All
- Location: Privacy Policy › “Telephone: [+82-2-6252-2080]”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Email%3A%20%5Banthropicprivacy%40bkl.co.kr%5D%0A%20Data%20Processors%3A

### subprocessors data sharing — risk unknown

> Furthermore, we may disclose your personal data in these jurisdictions in response to legal processes or where we believe in good faith that disclosure is required or permitted by law.
>
> Contact. If you have any questions or comments about our processing of your personal data, or to exercise your rights as outlined in Section 4. (“Rights and Choices”), please contact us at privacy@anthropic.com.

- Interpretation (disclaimed): Permits Anthropic to disclose Canadian residents' personal data to third jurisdictions in response to legal processes or where disclosure is required or permitted by law, and provides a contact mechanism for exercising privacy rights.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Furthermore%2C%20we%20may%20disclose,contact%20us%20at%20privacy%40anthropic.com.

### subprocessors data sharing — risk unknown

> International Data Transfers. You acknowledge that Anthropic is a company based and headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories, which may not have data privacy or data protection laws equivalent to those in your country or territory. For the proper operation of the Services, Anthropic needs to carry out international transfers of personal data. In the case of Brazil, we will rely on standard contractual clauses (SCCs) for our data transfers where required and in instances where they are not covered by an adequacy decision. These SCCs have been approved by the Brazilian Data Protection Authority (ANPD), which is the "competent supervisory authority" for these transfers, as governed by Brazilian Data Protection Laws. You can view the SCCs adopted by the ANPD here .

- Interpretation (disclaimed): Discloses that personal data of Brazilian residents will be transferred to and stored in the United States and other countries, and obligates Anthropic to rely on Standard Contractual Clauses (SCCs) for international data transfers where required under Brazilian law, establishing a transfer mechanism obligation.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20International%20Data%20Transfers.,the%20ANPD%20here%20.

### subprocessors data sharing — risk unknown

> We use your personal data for the following purposes:
>
> To provide, maintain and facilitate any products and services offered to you with respect to your Anthropic account, which are governed by our Terms of Service;
>
> To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience;
>
> To communicate with you, including to send you information about our Services and events;
>
> To create and administer your Anthropic account;
>
> To facilitate payments for products and services provided by Anthropic;
>
> To prevent and investigate fraud, abuse, and violations of our  Usage Policy , unlawful or criminal activity, unauthorized access to or use of personal data or Anthropic systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations;
>
> To investigate and resolve disputes;
>
> To investigate and resolve security issues;
>
> To debug and to identify and repair errors that impair existing functionality
>
> To improve the Services and conduct research, including training our models; and
>
> To enforce our  Terms of Service  and similar terms and agreements, including our  Usage Policy .
>
> We may use your Inputs and Outputs to train our models and improve our Services, unless you opt out through your account settings. Even if you opt-out, we will use Inputs and Outputs for model improvement when: (1) your conversations are flagged for safety review to improve our ability to detect harmful content, enforce our policies, or advance AI safety research, or (2) you've explicitly reported the materials to us (for example via our feedback mechanisms).
>
> Please see Section 10 below for details of our legal bases for processing your personal data.

- Interpretation (disclaimed): This segment discloses the categories of third parties to whom Anthropic discloses personal data, including affiliates, service providers, and business partners, and the purposes for such disclosures, establishing Anthropic's data sharing framework and obligations regarding third-party disclosures.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20We%20use%20your,processing%20your%20personal%20data.

### subprocessors data sharing — risk unknown

> Anthropic will disclose personal data to the following categories of third parties for the purposes explained in this Policy:
>
> Affiliates & corporate partners.  Anthropic discloses the categories of personal data described above between and among its affiliates and related entities.
>
> Service providers & business partners.  Anthropic may disclose the categories of personal data described above with service providers and business partners for a variety of business purposes, including website and data hosting, ensuring compliance with industry standards, research, auditing, data processing, and providing you with the services.
>
> Anthropic may also disclose personal data in the following circumstances:
>
> As part of a significant corporate event.  If Anthropic is involved in a merger, corporate transaction, bankruptcy, or other situation involving the transfer of business assets, Anthropic will disclose your personal data as part of these corporate transactions.
>
> Third-Party Websites and Services:  Our Services may involve integrations with, or may direct you to, websites, apps, and services managed by third parties. By interacting with these third parties, you are providing information directly to the third party and not Anthropic and subject to the third party’s privacy policy.If you access third-party services, such as social media sites or other sites linked through the Services (e.g., if you follow a link to our Twitter account), these third-party services will be able to collect personal data about you, including information about your activity on the Services.

- Interpretation (disclaimed): Identifies categories of third parties to whom Anthropic discloses personal data, including affiliates and service providers/business partners, and specifies the business purposes for such disclosures, establishing the legal framework for third-party data sharing and subprocessor relationships.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Anthropic%20will%20disclose,on%20the%20Services.%20

### subprocessors data sharing — risk unknown

> International Data Transfers. You acknowledge that Anthropic is a company based and headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories, which may not have data privacy or data protection laws equivalent to those in your country or territory. For the proper operation of the Services, Anthropic needs to carry out international transfers of personal data. In the case of Brazil, we will rely on standard contractual clauses (SCCs) for our data transfers where required and in instances where they are not covered by an adequacy decision. These SCCs have been approved by the Brazilian Data Protection Authority (ANPD), which is the "competent supervisory authority" for these transfers, as governed by Brazilian Data Protection Laws. You can view the SCCs adopted by the ANPD here .

- Interpretation (disclaimed): Discloses that personal data of Brazilian residents will be transferred to and processed in the United States and other countries, acknowledges potential lack of equivalent data protection laws, and specifies reliance on standard contractual clauses (SCCs) as the transfer mechanism where required.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20International%20Data%20Transfers.,the%20ANPD%20here%20.

### subprocessors data sharing — risk unknown

> Furthermore, we may disclose your personal data in these jurisdictions in response to legal processes or where we believe in good faith that disclosure is required or permitted by law.
>
> Contact. If you have any questions or comments about our processing of your personal data, or to exercise your rights as outlined in Section 4. (“Rights and Choices”), please contact us at privacy@anthropic.com.

- Interpretation (disclaimed): Grants Anthropic permission to disclose personal data of Canadian residents to foreign jurisdictions in response to legal processes or where disclosure is required or permitted by law, and provides a contact mechanism for exercising rights, establishing both a disclosure permission and a procedural right.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Furthermore%2C%20we%20may%20disclose,contact%20us%20at%20privacy%40anthropic.com.

### audit rights dpa residency — risk medium

> When you access our website or Services, your personal data may be transferred to our servers in the US, or to other countries outside the European Economic Area ( “EEA” ) and the UK. This may be a direct provision of your personal data to us, or a transfer that we or a third party make.

- Interpretation (disclaimed): EEA/UK users have no stated option to keep data within their jurisdiction. US storage subjects data to US government access laws (e.g., CLOUD Act, FISA 702), which is a risk factor under GDPR adequacy assessments.
- Tier: All
- Location: § 5 (Data Transfers)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=When%20you%20access%20our,a%20third%20party%20make.

### audit rights dpa residency — risk low

> In the case of Brazil, we will rely on standard contractual clauses (SCCs) for our data transfers where required and in instances where they are not covered by an adequacy decision. These SCCs have been approved by the Brazilian Data Protection Authority (ANPD), which is the "competent supervisory authority" for these transfers, as governed by Brazilian Data Protection Laws.

- Interpretation (disclaimed): Use of SCCs approved by the Brazilian data protection authority (ANPD) is a standard LGPD compliance mechanism for international transfers; this is a positive safeguard for Brazilian residents.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=In%20the%20case%20of,Brazilian%20Data%20Protection%20Laws.

### audit rights dpa residency — risk unknown

> Depending on where you live and the laws that apply in your country of residence, you may enjoy certain rights regarding your personal data, as described further below. However, please be aware that these rights are limited, and that the process by which we may need to action your requests regarding our training dataset are complex. We may also decline a request if we have a lawful reason for doing so. That said, we strive to prioritize the protection of personal data, and comply with all applicable privacy laws.
 To exercise your rights, you or an authorized agent may submit a request by emailing us at privacy@anthropic.com. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. You may also have the right to appeal requests that we deny by emailing privacy@anthropic.com. Anthropic will not discriminate based on the exercising of privacy rights you may have. Set out below is a summary of the rights which you may enjoy, depending on the laws that apply in your country of residence.
 Right to know:  the right to know what personal data Anthropic processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.
 Access & data portability: the right to request a copy of the personal data Anthropic processes about you, subject to certain exceptions and conditions.

- Interpretation (disclaimed): This segment describes the mechanisms by which Anthropic ensures adequate protection for cross-border personal data transfers outside the EEA and UK, including adequacy decisions under GDPR Article 45, establishing procedural and compliance obligations for international data transfers.
- Tier: All
- Location: § 4 (Rights and Choices)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20Depending%20on%20where,exceptions%20and%20conditions.%20

### audit rights dpa residency — risk unknown

> You have the right to request the anonymisation, blocking or erasure of data that is unnecessary, excessive or processed in non-compliance with the provisions of the law.
 Portability of personal data to a third party. You have the right to request portability of your data to a third-party, as long as this does not infringe on our trade secrets.
 Information of public and private entities with which we shared data. You have the right to request information of public and private entities with which we have shared your data.
 Information about the possibility to refuse to provide consent and the respective consequences, when applicable.
 Withdrawal of your consent. You have the right to withdraw your consent. This procedure will be carried out free of charge.
 Request a review of decisions made solely based on automated processing of personal data.
 Please keep in mind that these rights are not absolute and may not apply in certain circumstances. For example, in certain cases we may continue to process and retain data regardless of your request for deletion, objection, blocking or anonymisation, in order to comply with legal, contractual and regulatory obligations, safeguard and exercise rights, including in judicial, administrative and arbitration proceedings and in other cases provided for by law.

- Interpretation (disclaimed): Grants Brazilian residents specific LGPD rights including anonymisation, blocking or erasure of unnecessary or excessive data, data portability to third parties (subject to trade secret limits), information about entities with whom data was shared, and information about the right to refuse consent, establishing enforceable data subject rights.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20have%20the%20right,provided%20for%20by%20law.

### audit rights dpa residency — risk ambiguous

> You can find information on our Subprocessor List about the third parties Anthropic engages to help us process personal data provided to us where Anthropic acts as a data processor, such as with respect to personal data we receive, process, store, or host when you use Anthropic's commercial services.

- Interpretation (disclaimed): The policy is silent on user or customer audit rights, formal DPA arrangements, and data residency controls. This is a gap relevant especially to enterprise customers and regulated-industry users.
- Tier: All
- Location: § 3 (How We Disclose Personal Data)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20can%20find%20information,use%20Anthropic%26%23x27%3Bs%20commercial%20services.

### audit rights dpa residency — risk unknown

> These supplemental disclosures contain additional information relevant to residents of Canada. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Canada.
 Consent. By expressly consenting to this Privacy Policy, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy and understand that, in jurisdictions where it is available, Anthropic also relies on other lawful bases for the foregoing as more fully set out in this policy. We will only collect, use and disclose your personal data with your consent, unless otherwise permitted or required by law. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
 Cross-jurisdictional Transfers. By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States and the countries listed on our Subprocessor List, where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction.

- Interpretation (disclaimed): Requires Canadian residents to expressly consent to the collection, use, processing, and disclosure of their personal data in accordance with the Privacy Policy, establishing a consent obligation and noting that the supplemental disclosures prevail over the main policy in case of conflict.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Canada”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20These%20supplemental%20disclosures,in%20your%20jurisdiction.%20

### audit rights dpa residency — risk unknown

> When you access our website or Services, your personal data may be transferred to our servers in the US, or to other countries outside the European Economic Area (“EEA”) and the UK. This may be a direct provision of your personal data to us, or a transfer that we or a third party make.
 Where information is transferred outside the EEA or the UK, we ensure it benefits from an adequate level of data protection by relying on:
 Adequacy decisions. These are decisions from the European Commission under Article 45 GDPR (or equivalent decisions under other laws) where they recognise that a country outside of the EEA offers an adequate level of data protection. We transfer your information as described in “Collection of Personal Data” to some countries with adequacy decisions, such as the countries listed here; or
 Standard contractual clauses.   The European Commission has approved contractual clauses under Article 46 GDPR that allows companies in the EEA to transfer data outside the EEA. These (and their approved equivalent for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information as described in “Collection of Personal Data” to certain affiliates and third parties in countries without an adequacy decision.
 In certain situations, we rely on derogations provided for under applicable data protection law to transfer information to a third country.

- Interpretation (disclaimed): Discloses that personal data may be transferred to the US or countries outside the EEA/UK and identifies the legal mechanisms (adequacy decisions under Article 45 GDPR) relied upon to ensure adequate data protection for international transfers, constituting a compliance obligation under data protection law.
- Tier: All
- Location: § 5 (Data Transfers)
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20When%20you%20access,to%20a%20third%20country.

### audit rights dpa residency — risk unknown

> The domestic representative of Anthropic PBC for data protection and related regulatory purposes under Article 31-2 of the Personal Information Protection Act and Article 32-5 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. in the Republic of Korea is as follows:
 Entity Name and Representative: Anthropic Korea, Limited (Representative Patrick Azubike Ekeruo)
 Registered Address: (Yeoksam-dong), 41F, 152 Teheran-ro, Gangnam-gu, Seoul, South Korea

- Interpretation (disclaimed): Identifies Anthropic Korea, Limited as the mandatory domestic representative under Article 31-2 of Korea's Personal Information Protection Act and Article 32-5 of the Network Act, disclosing the entity name, representative, and registered address to satisfy Korean legal compliance obligations.
- Tier: All
- Location: Privacy Policy › “Domestic Representative in the Republic of Korea”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20The%20domestic%20representative,Gangnam-gu%2C%20Seoul%2C%20South%20Korea

### audit rights dpa residency — risk unknown

> These supplemental disclosures contain additional information relevant to residents of Brazil. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Brazil.
 Legal Bases. Depending on the specific purpose of the processing, we may rely on different grounds than those listed under section 2, where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD). For example, we may rely on the "exercise of legal rights" basis to process personal data associated with customer complaints and to enforce our Terms of Service and similar terms and agreements, including our Usage Policy.
 Data Subject's Rights. LGPD grants certain rights regarding your personal data, which differ from the ones listed under section 4. We will respond to your requests to exercise your rights below in accordance with applicable law:
 Confirmation of whether your data is being processed. You have the right to receive a confirmation on whether Anthropic processes your data.
 Access to your data. You have the right to know what personal data Anthropic processes about you.
 Correction of incomplete, inaccurate or outdated data. You have the right to request the correction of your data that is incomplete, inaccurate, or outdated.
 Anonymization, blocking or erasure of data.

- Interpretation (disclaimed): Establishes that processing of Brazilian residents' data will rely on legal bases permitted under the LGPD, which may differ from those stated in the main policy, creating a legal obligation to comply with Brazilian data protection law and prevail over conflicting policy terms.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20These%20supplemental%20disclosures,erasure%20of%20data.%20

### audit rights dpa residency — risk unknown

> If you are located in Canada, Brazil, or the Republic of Korea, please read the relevant Regional Supplemental Disclosure which applies to you.
 If you are located in Washington or a state with similar consumer health data laws, please read our Consumer Health Data Privacy Policy which applies to you if you integrate third party health applications with Claude.

- Interpretation (disclaimed): This segment incorporates by reference Regional Supplemental Disclosures for Canada, Brazil, and South Korea, as well as a Consumer Health Data Privacy Policy, directing affected users to additional legally operative supplemental documents that impose jurisdiction-specific obligations.
- Tier: All
- Location: Privacy Policy › “Privacy Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20If%20you%20are,health%20applications%20with%20Claude.

### audit rights dpa residency — risk unknown

> The domestic representative of Anthropic PBC for data protection and related regulatory purposes under Article 31-2 of the Personal Information Protection Act and Article 32-5 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. in the Republic of Korea is as follows:
 Entity Name and Representative: Anthropic Korea, Limited (Representative Patrick Azubike Ekeruo)
 Registered Address: (Yeoksam-dong), 41F, 152 Teheran-ro, Gangnam-gu, Seoul, South Korea

- Interpretation (disclaimed): Identifies Anthropic Korea, Limited (representative Patrick Azubike Ekeruo) as the designated domestic representative under Article 31-2 of the Personal Information Protection Act and Article 32-5 of the Act on Promotion of Information and Communications Network Utilization, fulfilling a mandatory legal obligation under Korean data protection law.
- Tier: All
- Location: Privacy Policy › “Domestic Representative in the Republic of Korea”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20The%20domestic%20representative,Gangnam-gu%2C%20Seoul%2C%20South%20Korea

### audit rights dpa residency — risk unknown

> If you are located in Canada, Brazil, or the Republic of Korea, please read the relevant Regional Supplemental Disclosure which applies to you.
 If you are located in Washington or a state with similar consumer health data laws, please read our Consumer Health Data Privacy Policy which applies to you if you integrate third party health applications with Claude.

- Interpretation (disclaimed): Incorporates by reference Regional Supplemental Disclosures for Canada, Brazil, and Republic of Korea, and the Consumer Health Data Privacy Policy for Washington-state users, making those external documents operative parts of the privacy framework for applicable individuals.
- Tier: All
- Location: Privacy Policy › “Privacy Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20If%20you%20are,health%20applications%20with%20Claude.

### audit rights dpa residency — risk unknown

> You have the right to request the anonymisation, blocking or erasure of data that is unnecessary, excessive or processed in non-compliance with the provisions of the law.
 Portability of personal data to a third party. You have the right to request portability of your data to a third-party, as long as this does not infringe on our trade secrets.
 Information of public and private entities with which we shared data. You have the right to request information of public and private entities with which we have shared your data.
 Information about the possibility to refuse to provide consent and the respective consequences, when applicable.
 Withdrawal of your consent. You have the right to withdraw your consent. This procedure will be carried out free of charge.
 Request a review of decisions made solely based on automated processing of personal data.
 Please keep in mind that these rights are not absolute and may not apply in certain circumstances. For example, in certain cases we may continue to process and retain data regardless of your request for deletion, objection, blocking or anonymisation, in order to comply with legal, contractual and regulatory obligations, safeguard and exercise rights, including in judicial, administrative and arbitration proceedings and in other cases provided for by law.

- Interpretation (disclaimed): Grants Brazilian residents the right to request anonymisation, blocking, or erasure of unnecessary or excessive data; portability to third parties subject to trade secret protection; and information about entities with whom their data has been shared, as well as information about consent refusal consequences.
- Tier: All
- Location: Privacy Policy › “Supplemental Disclosures for Residents of Brazil”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=You%20have%20the%20right,provided%20for%20by%20law.

### indemnity liability — risk high

> You agree that (a) no adequate remedy exists at law if you breach Section 3 (Use of Our Services); (b) it would be difficult to determine the damages resulting from such breach, and any such breach would cause irreparable harm; and (c) a grant of injunctive relief provides the best remedy for any such breach. You waive any opposition to such injunctive relief, as well as any demand that we prove actual damage or post a bond or other security in connection with such injunctive relief.

- Interpretation (disclaimed): This clause is a pre-agreed stipulation for injunctive relief. By accepting these Terms, users concede irreparable harm and waive procedural safeguards (proof of actual damage, bond requirement) that courts would otherwise impose before granting an injunction. This materially weakens user defenses in any enforcement action related to acceptable use.
- Tier: All
- Location: § 13 (In case of disputes)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=You%20agree%20that%20(a),with%20such%20injunctive%20relief.

### indemnity liability — risk unknown

> Our team works hard to provide great services, and we’re continuously working on improvements. However, there are certain aspects we can’t guarantee. We are using ALL CAPS to explain this, to make sure that you see it.
 YOUR USE OF THE SERVICES, MATERIALS, AND ACTIONS IS SOLELY AT YOUR OWN RISK. THE SERVICES, OUTPUTS, AND ACTIONS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS AND, TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY. WE AND OUR PROVIDERS EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, TITLE, MERCHANTABILITY, ACCURACY, AVAILABILITY, RELIABILITY, SECURITY, PRIVACY, COMPATIBILITY, NON-INFRINGEMENT, AND ANY WARRANTY IMPLIED BY COURSE OF DEALING, COURSE OF PERFORMANCE, OR TRADE USAGE.
 TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, IN NO EVENT WILL WE, OUR PROVIDERS, OR OUR OR THEIR RESPECTIVE AFFILIATES, INVESTORS, DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, SUCCESSORS OR ASSIGNS (COLLECTIVELY, THE “ANTHROPIC PARTIES”), BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR OTHER DAMAGES ARISING OUT OF OR IN ANY WAY RELATED TO THE SERVICES, THE MATERIALS, THE ACTIONS, OR THESE TERMS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHER THEORY, EVEN IF ANY ANTHROPIC PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF DAMAGES, AND EVEN IF THE DAMAGES ARE FORESEEABLE.

- Interpretation (disclaimed): This segment disclaims all warranties—express, implied, and statutory—with respect to the Services, Outputs, and Actions, placing all risk of use on the user and explicitly disclaiming fitness for purpose warranties on behalf of Anthropic and its Providers.
- Tier: All
- Location: § 11 (Disclaimer of warranties, limitations of liability, and indemnity)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Our%20team%20works,DAMAGES%20ARE%20FORESEEABLE.%20

### indemnity liability — risk unknown

> TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, THE ANTHROPIC PARTIES’ TOTAL AGGREGATE LIABILITY TO YOU FOR ALL DAMAGES, LOSSES AND CAUSES OF ACTION ARISING OUT OF OR IN ANY WAY RELATED TO THE SERVICES, THE MATERIALS, THE ACTIONS, OR THESE TERMS, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WILL NOT EXCEED THE GREATER OF THE AMOUNT YOU PAID TO US FOR ACCESS TO OR USE OF THE SERVICES (IF ANY) IN THE SIX MONTHS PRECEDING THE DATE SUCH DAMAGES, LOSSES, AND CAUSES OF ACTION FIRST AROSE, AND $100. THE FOREGOING LIMITATIONS ARE ESSENTIAL TO THESE TERMS, AND WE WOULD NOT OFFER THE SERVICES TO YOU UNDER THESE TERMS WITHOUT THESE LIMITATIONS.
 YOU AGREE TO INDEMNIFY AND HOLD HARMLESS THE ANTHROPIC PARTIES FROM AND AGAINST ANY AND ALL LIABILITIES, CLAIMS, DAMAGES, EXPENSES (INCLUDING REASONABLE ATTORNEYS’ FEES AND COSTS), AND OTHER LOSSES ARISING OUT OF OR RELATED TO YOUR BREACH OR ALLEGED BREACH OF THESE TERMS; YOUR ACCESS TO, USE OF, OR ALLEGED USE OF THE SERVICES, THE MATERIALS, OR THE ACTIONS; YOUR FEEDBACK; ANY PRODUCTS OR SERVICES THAT YOU DEVELOP, OFFER, OR OTHERWISE MAKE AVAILABLE USING OR OTHERWISE IN CONNECTION WITH THE SERVICES; YOUR VIOLATION OF APPLICABLE LAW OR ANY THIRD-PARTY RIGHT; AND ANY ACTUAL OR ALLEGED FRAUD, INTENTIONAL MISCONDUCT, GROSS NEGLIGENCE, OR CRIMINAL ACTS COMMITTED BY YOU OR YOUR EMPLOYEES OR AGENTS. WE RESERVE THE RIGHT TO ENGAGE SEPARATE COUNSEL AND PARTICIPATE IN OR ASSUME THE EXCLUSIVE DEFENSE AND CONTROL OF ANY MATTER OTHERWISE SUBJECT TO INDEMNIFICATION BY YOU HEREUNDER, IN WHICH CASE YOU AGREE TO COOPERATE WITH US AND SUCH SEPARATE COUNSEL AS WE REASONABLY REQUEST.

- Interpretation (disclaimed): This segment caps Anthropic's aggregate liability to the greater of fees paid in the preceding six months or $100, covering all causes of action related to the Services, Materials, Actions, or Terms, constituting a material limitation of liability essential to the contract.
- Tier: All
- Location: § 11 (Disclaimer of warranties, limitations of liability, and indemnity)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20TO%20THE%20FULLEST,WE%20REASONABLY%20REQUEST.%20

### indemnity liability — risk unknown

> THE LAWS OF SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OF IMPLIED WARRANTIES OR CERTAIN TYPES OF DAMAGES, SO SOME OR ALL OF THE DISCLAIMERS AND LIMITATIONS OF LIABILITY IN THESE TERMS MAY NOT APPLY TO YOU.
 OUR PROVIDERS ARE INTENDED THIRD PARTY BENEFICIARIES OF THE WARRANTY DISCLAIMERS AND LIMITATIONS OF LIABILITY CONTAINED IN THIS SECTION 11.

- Interpretation (disclaimed): This segment creates a jurisdictional exception to the warranty disclaimers and liability limitations where local law prohibits them, and designates Providers as intended third-party beneficiaries of the disclaimer and limitation provisions, qualifying the scope of Section 11's restrictions.
- Tier: All
- Location: § 11 (Disclaimer of warranties, limitations of liability, and indemnity)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20THE%20LAWS%20OF,IN%20THIS%20SECTION%2011.

### indemnity liability — risk unknown

> Our Services may use or be used in connection with third-party content ("Third-Party Content"), services, or integrations. We do not control or accept responsibility for any loss or damage that may arise from your use of any Third-Party Content, services, and integrations, for which we make no representations or warranties. Your use of any Third-Party Content, services, and integrations is at your own risk and subject to any terms, conditions, or policies (including privacy policies) applicable to such third-party content, services, and integrations.

- Interpretation (disclaimed): This segment disclaims Anthropic's responsibility for third-party content, services, and integrations, places risk of use on the user, and subjects third-party use to external terms and privacy policies, functioning as a liability disclaimer limiting Anthropic's exposure from third-party integrations.
- Tier: All
- Location: § 7 (Third-party services and links)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Our%20Services%20may,content%2C%20services%2C%20and%20integrations.

### governing law disputes — risk medium

> Our Terms will be governed by, and construed and interpreted in accordance with, the laws of the State of California without giving effect to conflict of law principles. You and Anthropic agree that any disputes arising out of or relating to these Terms will be resolved exclusively in the state or federal courts located in San Francisco, California, and you and Anthropic submit to the personal and exclusive jurisdiction of those courts. By accessing our Services, you waive any claims that may arise under the laws of other jurisdictions.

- Interpretation (disclaimed): This clause mandates California law and exclusive venue in San Francisco for all disputes, with an express waiver of other jurisdictional claims. Non-US users or users in jurisdictions with mandatory consumer-protection laws may find this clause unenforceable or disadvantageous, as it forces them to litigate far from home and potentially forfeits local law protections.
- Tier: All
- Location: § 13 (In case of disputes)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=Our%20Terms%20will%20be,laws%20of%20other%20jurisdictions.

### governing law disputes — risk unknown

> Equitable relief.  You agree that (a) no adequate remedy exists at law if you breach Section 3 (Use of Our Services); (b) it would be difficult to determine the damages resulting from such breach, and any such breach would cause irreparable harm; and (c) a grant of injunctive relief provides the best remedy for any such breach. You waive any opposition to such injunctive relief, as well as any demand that we prove actual damage or post a bond or other security in connection with such injunctive relief.
 Governing law and exclusive jurisdiction.  Our Terms will be governed by, and construed and interpreted in accordance with, the laws of the State of California without giving effect to conflict of law principles. You and Anthropic agree that any disputes arising out of or relating to these Terms will be resolved exclusively in the state or federal courts located in San Francisco, California, and you and Anthropic submit to the personal and exclusive jurisdiction of those courts. By accessing our Services, you waive any claims that may arise under the laws of other jurisdictions.

- Interpretation (disclaimed): This segment establishes the platform's right to seek equitable/injunctive relief for breaches of the use-of-services section without needing to prove actual damages or post a bond, and includes a user waiver of opposition to such relief. It also begins establishing governing law and exclusive jurisdiction for disputes under the Terms.
- Tier: All
- Location: § 13 (In case of disputes)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Equitable%20relief.%20You,laws%20of%20other%20jurisdictions.

### governing law disputes — risk unknown

> When using our Services, you agree to comply with any applicable guidelines, rules, or supplemental terms that may be posted on the Services from time to time (“Supplemental Terms”). If these Terms conflict with Supplemental Terms, the Supplemental Terms will govern for the applicable Service.
 Entire agreement.  These Terms and any other terms expressly incorporated by reference form the entire agreement between you and us regarding the subject matter of our Terms.
 Termination.  You may stop accessing the Services at any time. We may suspend or terminate your access to the Services (including any Subscriptions) at any time without notice to you if we believe that you have breached these Terms, or if we must do so in order to comply with law. If we terminate your access to the Services due to a violation of these Terms and you have a Subscription, you will not be entitled to any refund. In addition, if you have a Subscription, we may terminate the Subscription at any time for any other reason. If we exercise this right and you purchased the subscription via our website, we will refund you, on a pro rata basis, the fees you paid for the remaining portion of your Subscription after termination. Any refunds for Subscriptions purchased via an App Distributor are subject to the App Distributor’s terms and not these terms.
 We may also terminate your Account if you have been inactive for over a year and you do not have a paid Account.

- Interpretation (disclaimed): This segment incorporates Supplemental Terms by reference, establishes that Supplemental Terms govern in cases of conflict, and defines the entire agreement scope. It also grants the platform a right to suspend or terminate user access to Services, which constitutes a procedural and rights-bearing clause affecting the user's continued use.
- Tier: All
- Location: § 12 (General terms)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=When%20using%20our%20Services%2C,a%20paid%20Account.%20

### moderation enforcement — risk high

> We may comply with governmental, court, and law enforcement requests or requirements relating to provision or use of the Services, or to information provided to or collected under our Terms. We reserve the right, at our sole discretion, to report information from or about you, including but not limited to Inputs, Outputs, or Actions to law enforcement.

- Interpretation (disclaimed): The clause goes beyond passive compliance with lawful process: Anthropic explicitly reserves the right to voluntarily and proactively disclose user content (Inputs, Outputs, Actions) to law enforcement at its sole discretion. This creates significant privacy and due-process risk for users, as there is no requirement of a court order or other legal compulsion before disclosure.
- Tier: All
- Location: § 12 (General terms)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=We%20may%20comply%20with,Actions%20to%20law%20enforcement.

### moderation enforcement — risk high

> he creation of a new account, use of an existing account, or providing access to a person or entity that was previously banned
 Access or facilitate account or API access to Claude to persons, entities, or users in violation of our Supported Regions Policy

- Interpretation (disclaimed): This clause imposes affirmative compliance obligations on operators to enforce Anthropic's ban list and supported regions policy. Failure to do so creates breach-of-contract exposure. The geographic access restriction may also implicate export control laws and OFAC sanctions compliance.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=he%20creation%20of%20a,our%20Supported%20Regions%20Policy

### moderation enforcement — risk high

> Do Not Generate Sexually Explicit Content
 This includes using our products or services to:
 Depict or request sexual intercourse or sex acts
 Generate content related to sexual fetishes or fantasies
 Facilitate, promote, or depict incest or bestiality
 Engage in erotic chats

- Interpretation (disclaimed): This is a categorical, non-waivable content restriction. Any product design that could foreseeably lead to such outputs places the operator in breach. Operators should implement content filters and user-facing terms that explicitly prohibit this use to reduce downstream liability.
- Tier: All
- Location: Usage Policy › “Do Not Generate Sexually Explicit Content”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Do%20Not%20Generate%20Sexually,Engage%20in%20erotic%20chats

### moderation enforcement — risk medium

> Materials flagged for safety, security, or policy review

- Interpretation (disclaimed): Flagged content is both a basis for enforcement action and a training data source, meaning moderation triggers permanent training use regardless of user opt-out preferences.
- Tier: All
- Location: Privacy Policy › “Materials flagged for safety, security, or policy review”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=Materials%20flagged%20for%20safety%2C%20security%2C%20or%20policy%20review

### moderation enforcement — risk medium

> All consumer-facing chatbots, including any external-facing or interactive AI agent, must disclose to users that they are interacting with AI rather than a human. This disclosure must be provided at a minimum at the beginning of each chat session.

- Interpretation (disclaimed): This is an absolute, non-negotiable disclosure obligation for any external-facing deployment. Non-compliance constitutes a breach of the usage policy and may also violate consumer protection laws prohibiting deceptive practices (e.g., FTC Act Section 5, EU consumer law). Operators must build this into their UX flows.
- Tier: All
- Location: Usage Policy › “Additional Use Case Guidelines”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=All%20consumer-facing%20chatbots%2C%20including,of%20each%20chat%20session.

### moderation enforcement — risk medium

> Coordinate malicious activity across multiple accounts to avoid detection or circumvent product guardrails or generating identical or similar inputs that otherwise violate our Usage Policy
 Utilize automation in account creation or to engage in spammy behavior
 Circumvent a ban through the use of a different account, such as the creation of a new account, use of an existing account, or providing access to a person or entity that was previously banned
 Access or facilitate account or API access to Claude to persons, entities, or users in violation of our Supported Regions Policy

- Interpretation (disclaimed): The clause extends enforcement reach beyond the banned account to any facilitating account, creating vicarious liability risk for organizations. The phrase 'providing access to a person or entity that was previously banned' is particularly broad and could inadvertently ensnare third parties.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Coordinate%20malicious%20activity%20across,our%20Supported%20Regions%20Policy

### moderation enforcement — risk medium

> Agentic use cases must still comply with the Usage Policy. We provide examples of Usage Policy prohibitions in the context of agentic use in this Help Center article.

- Interpretation (disclaimed): This clause closes a potential loophole where operators might argue that agentic use cases fall outside normal policy scope. By explicitly incorporating the full Usage Policy for agentic use, Anthropic retains enforcement authority over automated, multi-step AI workflows. Operators must review the referenced Help Center article to understand specific agentic prohibitions.
- Tier: All
- Location: Usage Policy › “Additional Use Case Guidelines”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Agentic%20use%20cases%20must,Help%20Center%20article%20.

### moderation enforcement — risk medium

> Intentionally bypass capabilities, restrictions, or guardrails established within our products for the purposes of instructing the model to produce harmful outputs (e.g., jailbreaking or prompt injection) without prior authorization from Anthropic

- Interpretation (disclaimed): This clause exposes users to suspension/termination risk for prompt engineering that Anthropic unilaterally deems to be 'bypassing guardrails.' The lack of a defined authorization process creates legal uncertainty for security researchers and developers conducting legitimate adversarial testing.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Intentionally%20bypass%20capabilities%2C%20restrictions%2C,prior%20authorization%20from%20Anthropic

### moderation enforcement — risk low

> To prevent and investigate fraud, abuse, and violations of our Usage Policy, unlawful or criminal activity, unauthorized access to or use of personal data or Anthropic systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations;

- Interpretation (disclaimed): Anthropic reserves the right to use personal data for enforcement and investigation purposes. This is a standard clause but signals that user data may be reviewed in connection with policy enforcement without specific notice.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=To%20prevent%20and%20investigate,and%20institutional%20policy%20obligations%3B

### moderation enforcement — risk low

> Model Context Protocol (MCP) servers listed in our Connector Directory must comply with our Directory Policy.

- Interpretation (disclaimed): This clause incorporates by reference a separate Directory Policy for MCP server operators. Non-compliance could result in removal from the directory or broader policy enforcement actions. Operators should review the Directory Policy independently before listing.
- Tier: API
- Location: Usage Policy › “Additional Use Case Guidelines”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=Model%20Context%20Protocol%20(MCP),our%20Directory%20Policy%20.

### moderation enforcement — risk unknown

> Our Usage Policy (also referred to as our “Acceptable Use Policy” or “AUP”) applies to anyone who can submit inputs to Anthropic’s products and/or services, including via any authorized resellers or passthrough access, all of whom we refer to as “users.” The Usage Policy is intended to help our users stay safe and promote the responsible use of our products and services.
 The Usage Policy is categorized according to who can use our products and for what purposes. We will update our policy as our technology and the associated risks evolve or as we learn about unanticipated risks.
 Universal Usage Standards: Our Universal Usage Standards apply to all users and use cases.
 High-Risk Use Case Requirements: Our High-Risk Use Case Requirements apply to specific consumer-facing use cases that pose an elevated risk of harm.
 Additional Use Case Guidelines: Our Additional Use Case Guidelines apply to certain other use cases, including consumer-facing chatbots, products serving minors, agentic use, and Model Context Protocol servers.
 Anthropic’s Safeguards Team will implement detection and monitoring to enforce our Usage Policy, so please review this policy carefully before using our products or services. If we learn that you have violated our Usage Policy, we may throttle, suspend, or terminate your access to our products and services. We may also block or modify model outputs when inputs violate our Usage Policy.
 If you believe that our model outputs are potentially inaccurate, biased or harmful, please notify us at usersafety@anthropic.com, or report it directly in our product through the “report issues” thumbs down button or similar feedback features (where available).

- Interpretation (disclaimed): This segment defines the scope of the Usage Policy, identifies who qualifies as a 'user,' states the policy's purpose of promoting safe and responsible use, and signals that the policy will be updated as risks evolve — establishing the foundational definitional and scope provisions that govern enforcement of platform rules.
- Tier: All
- Location: Usage Policy › “Usage Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Our%20Usage%20Policy,features%20(where%20available).%20

### moderation enforcement — risk unknown

> You can read more about our Safeguards practices and recommendations in our Safeguards Support Center.
 This Usage Policy is calibrated to strike an optimal balance between enabling beneficial uses and mitigating potential harms. Anthropic may enter into contracts with certain governmental customers that tailor use restrictions to that customer’s public mission and legal authorities if, in Anthropic’s judgment, the contractual use restrictions and applicable safeguards are adequate to mitigate the potential harms addressed by this Usage Policy.

- Interpretation (disclaimed): This segment carves out an exception to the standard Usage Policy by permitting Anthropic to enter tailored contracts with governmental customers that modify use restrictions, subject to Anthropic's judgment that safeguards are adequate — creating a conditional exception to universal enforcement standards.
- Tier: All
- Location: Usage Policy › “Usage Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=You%20can%20read%20more,this%20Usage%20Policy.%20

### moderation enforcement — risk unknown

> Infringe, misappropriate, or violate the intellectual property rights of a third party

- Interpretation (disclaimed): This segment restricts users from infringing, misappropriating, or violating third-party intellectual property rights through use of the platform, imposing an IP-related compliance obligation on users.
- Tier: All
- Location: Usage Policy › “Engage in or facilitate human trafficking or prostitution”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Infringe%2C%20misappropriate%2C%20or,of%20a%20third%20party

### moderation enforcement — risk unknown

> Synthesize, or otherwise develop, high-yield explosives or biological, chemical, radiological, or nuclear weapons or their precursors, including modifications to evade detection or medical countermeasures

- Interpretation (disclaimed): This segment restricts users from synthesizing or developing high-yield explosives or biological, chemical, radiological, or nuclear weapons or their precursors, including modifications to evade detection or countermeasures.
- Tier: All
- Location: Usage Policy › “Circumvent regulatory controls to acquire weapons or their precursors”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Synthesize%2C%20or%20otherwise,detection%20or%20medical%20countermeasures

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Incite, facilitate, or promote violent extremism, terrorism, or hateful behavior
 Provide material support for organizations or individuals associated with violent extremism, terrorism, or hateful behavior
 Facilitate or promote any act of violence or intimidation targeting individuals, groups, animals, or property
 Promote discriminatory practices or behaviors against individuals or groups on the basis of one or more protected attributes such as race, ethnicity, religion, national origin, gender, sexual orientation, or any other identifying trait

- Interpretation (disclaimed): This segment enumerates specific prohibited activities including facilitating violent extremism, terrorism, hateful behavior, material support for such organizations, acts of violence or intimidation, and discriminatory practices based on protected attributes.
- Tier: All
- Location: Usage Policy › “Do Not Incite Violence or Hateful Behavior”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,any%20other%20identifying%20trait

### moderation enforcement — risk unknown

> Promote, trivialize, or depict graphic violence or gratuitous gore, including sexual violence
 Develop a new product or service, or support an existing product or service that employs or facilitates deceptive techniques with the intent of causing emotional harm

- Interpretation (disclaimed): This segment restricts users from promoting or depicting graphic violence, gratuitous gore, or sexual violence, and from developing products or services that employ deceptive techniques intended to cause emotional harm.
- Tier: All
- Location: Usage Policy › “Generate content depicting animal cruelty or abuse”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Promote%2C%20trivialize%2C%20or,of%20causing%20emotional%20harm

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Create or disseminate deceptive or misleading information about, or with the intention of targeting, a group, entity or person
 Create or disseminate deceptive or misleading information about laws, regulations, procedures, practices, standards established by an institution, entity or governing body
 Create or disseminate conspiratorial narratives meant to target a specific group, individual or entity
 Impersonate real entities or create fake personas to falsely attribute content or mislead others about its origin without consent or legal right
 Provide false or misleading information related to medical, health or science issues

- Interpretation (disclaimed): This segment enumerates specific misinformation-related prohibitions including creating deceptive information about groups or entities, misleading information about laws or institutions, conspiratorial narratives, impersonation of real entities, and fake personas for false attribution.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,health%20or%20science%20issues

### moderation enforcement — risk unknown

> Do Not Undermine Democratic Processes or Engage in Targeted Campaign Activities 
 This includes using our products or services to:
 Engage in personalized vote or campaign targeting based on individual profiles or data
 Create artificial or deceptive political movements in which the source, scale or nature of the campaign or activities is misrepresented
 Generate automated communications to public officials or voters at scale that conceal their artificial origin, or engage in systematic vote solicitation that could undermine election integrity
 Create political content designed to deceive or mislead voters, including synthetic media of political figures
 Generate or disseminate false or misleading information in political and electoral contexts, including about candidates, parties, policies, voting procedures, or election security
 Engage in political lobbying or grassroots advocacy using false or fabricated information, or create lobbying or advocacy materials containing demonstrably false claims about facts, data, or events
 Incite, glorify or facilitate the disruption of electoral or civic processes, including interference with voting systems, vote counting, or certification processes
 Create content designed to suppress voter turnout or discourage legitimate political participation through deception or intimidation

- Interpretation (disclaimed): This segment establishes a categorical restriction prohibiting users from undermining democratic processes or engaging in targeted campaign activities, and enumerates specific prohibited activities including personalized vote targeting, artificial political movements, automated deceptive communications to officials or voters, and creation of politically deceptive content.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Do%20Not%20Undermine,through%20deception%20or%20intimidation

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Coordinate malicious activity across multiple accounts to avoid detection or circumvent product guardrails or generating identical or similar inputs that otherwise violate our Usage Policy
 Utilize automation in account creation or to engage in spammy behavior
 Circumvent a ban through the use of a different account, such as the creation of a new account, use of an existing account, or providing access to a person or entity that was previously banned
 Access or facilitate account or API access to Claude to persons, entities, or users in violation of our Supported Regions Policy 
 Intentionally bypass capabilities, restrictions, or guardrails established within our products for the purposes of instructing the model to produce harmful outputs (e.g., jailbreaking or prompt injection) without prior authorization from Anthropic
 Utilization of inputs and outputs to train an AI model (e.g., “model scraping” or “model distillation”) without prior authorization from Anthropic

- Interpretation (disclaimed): This clause restricts users from coordinating malicious multi-account activity, using automation to create accounts or spam, circumventing bans via new or alternate accounts, and facilitating API access to banned persons or entities — all of which are prohibited uses enforceable under the platform's moderation and enforcement framework.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,prior%20authorization%20from%20Anthropic

### moderation enforcement — risk unknown

> This includes using our products or services to:

- Interpretation (disclaimed): This introductory clause signals that the following enumerated items constitute specific prohibited uses falling under the sexually explicit content restriction, serving as an incorporation clause for the subsequent list of prohibited behaviors.
- Tier: All
- Location: Usage Policy › “Do Not Generate Sexually Explicit Content”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,products%20or%20services%20to%3A

### moderation enforcement — risk unknown

> Some use cases pose an elevated risk of harm because they influence domains that are vital to public welfare and social equity. For these use cases, given potential risks to individuals and consumers, we believe that relevant human expertise should be integrated and that end-users should be aware when AI has been involved in producing outputs.
 As such, for the “High-Risk Use Cases” described below, we require that you implement these additional safety measures:
 Human-in-the-loop: When using our products or services to provide advice, recommendations, or in subjective decision-making directly affecting individuals or consumers, a qualified professional in that field must review the content or decision prior to dissemination or finalization. You or your organization are responsible for the accuracy and appropriateness of that information.
 Disclosure: If model outputs are presented directly to individuals or consumers, you must disclose to them that you are using AI to help produce your advice, decisions, or recommendations. This disclosure must be provided at a minimum at the beginning of each session.
 “High-Risk Use Cases” include:
 Legal: Use cases related to legal interpretation, legal guidance, or decisions with legal implications
 Healthcare: Use cases related to healthcare decisions, medical diagnosis, patient care, therapy, mental health, or other medical guidance. Wellness advice (e.g., advice on sleep, stress, nutrition, exercise, etc.) does not fall under this category
 Insurance: Use cases related to health, life, property, disability, or other types of insurance underwriting, claims processing, or coverage decisions
 Finance: Use cases related to financial decisions, including investment advice, loan approvals, and determining financial eligibility or

- Interpretation (disclaimed): This clause imposes affirmative obligations on operators deploying high-risk use cases, specifically requiring integration of human expertise ('human-in-the-loop') and disclosure to end-users of AI involvement, establishing mandatory safety measures for domains affecting public welfare and social equity.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Some%20use%20cases,determining%20financial%20eligibility%20or

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate the destruction or disruption of critical infrastructure such as power grids, water treatment facilities, medical devices, telecommunication networks, or air traffic control systems
 Obtain unauthorized access to critical systems such as voting machines, healthcare databases, and financial markets
 Interfere with the operation of military bases and related infrastructure

- Interpretation (disclaimed): This segment enumerates specific prohibited activities under the critical infrastructure restriction, including facilitating destruction of power grids and water facilities, gaining unauthorized access to voting machines and healthcare databases, and interfering with military infrastructure operations.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Critical Infrastructure”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,bases%20and%20related%20infrastructure

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate, promote, or glamorize any form of suicide or self-harm, including disordered eating and unhealthy or compulsive exercise
 Engage in behaviors that promote unhealthy or unattainable body image or beauty standards, such as using the model to critique anyone’s body shape or size
 Shame, humiliate, intimidate, bully, harass, or celebrate the suffering of individuals

- Interpretation (disclaimed): This segment enumerates specific prohibited psychologically harmful activities, including facilitating suicide or self-harm, promoting unhealthy body image, and shaming, humiliating, bullying, or harassing individuals.
- Tier: All
- Location: Usage Policy › “Do Not Create Psychologically or Emotionally Harmful Content”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,the%20suffering%20of%20individuals

### moderation enforcement — risk unknown

> It is in our legitimate interests and in the interest of Anthropic users to evaluate the use of the Services and adoption of new features to inform the development of future features and improve direction and development of the Services. Our research also benefits the AI industry and society: it investigates the safety, inner workings, and societal impact of AI models so that artificial intelligence has a positive impact on society as it becomes increasingly advanced and capable. 
 To enforce our Terms of Service and similar terms and agreements, including our Usage Policy. Identity and Contact Data

- Interpretation (disclaimed): Grants Anthropic permission to process Identity, Contact, and related data to enforce its Terms of Service, Usage Policy, and similar agreements, relying on contract and legitimate interests as legal bases, and explains the rationale of maintaining platform safety and intended functionality.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### moderation enforcement — risk unknown

> In certain circumstances outside of the performance of our contract with you, we may rely on legitimate interests. It is in our legitimate interests to enforce the rules and policies governing use of our services, to maintain intended functionality and value for users. We aim to provide a safe, useful platform.

- Interpretation (disclaimed): Clarifies that outside of contract performance Anthropic may rely on legitimate interests to enforce platform rules and policies, granting a permission to process data for enforcement purposes and articulating the rationale of maintaining a safe, functional platform.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20In%20certain%20circumstances,safe%2C%20useful%20platform.%20

### moderation enforcement — risk unknown

> You may access and use our Services only in compliance with our Terms, including our Acceptable Use Policy, the policy governing the countries and regions Anthropic currently supports ("Supported Regions Policy"), and any guidelines or supplemental terms we may post on the Services (the “Permitted Use”). You are responsible for all activity under the account through which you access the Services.
 You may not access or use, or help another person to access or use, our Services in the following ways:
 In any manner that violates any applicable law or regulation—including, without limitation, any laws about exporting data or software to and from the United States or other countries.
 To develop any products or services that compete with our Services, including to develop or train any artificial intelligence or machine learning algorithms or models or resell the Services.
 To decompile, reverse engineer, disassemble, or otherwise reduce our Services to human-readable form, except when these restrictions are prohibited by applicable law.
 To crawl, scrape, or otherwise harvest data or information from our Services other than as permitted under these Terms.
 To use our Services, the Materials, or the Actions to obtain unauthorized access to any system or information, or to deceive any person.
 To infringe, misappropriate, or violate intellectual property or other legal rights (including the rights of publicity or privacy).

- Interpretation (disclaimed): This segment restricts how users may access and use the Services, requiring compliance with the Acceptable Use Policy, Supported Regions Policy, and other guidelines, and holds users responsible for all account activity, imposing binding usage restrictions enforceable against the user.
- Tier: All
- Location: § 3
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20You%20may%20access,publicity%20or%20privacy).%20

### moderation enforcement — risk unknown

> creditworthiness
 Employment and housing: Use cases related to decisions about the employability of individuals, resume screening, hiring tools, or other employment determinations or decisions regarding eligibility for housing, including leases and home loans
 Academic testing, accreditation and admissions: Use cases related to standardized testing companies that administer school admissions (including evaluating, scoring or ranking prospective students), language proficiency, or professional certification exams; agencies that evaluate and certify educational institutions
 Media or professional journalistic content: Use cases related to using our products or services to automatically generate content and publish it for external consumption

- Interpretation (disclaimed): This segment defines specific categories of 'High-Risk Use Cases,' including creditworthiness, employment and housing decisions, academic testing and admissions, and media or professional contexts, thereby establishing the scope of applications subject to heightened compliance obligations.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20creditworthiness%20Employment%20and,it%20for%20external%20consumption

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Produce, modify, design, or illegally acquire weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life
 Design or develop weaponization and delivery processes for the deployment of weapons

- Interpretation (disclaimed): This segment enumerates specific prohibited activities under the weapons restriction, including producing, modifying, designing, or illegally acquiring weapons or dangerous materials, and designing weaponization and deployment processes.
- Tier: All
- Location: Usage Policy › “Do Not Develop or Design Weapons”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,the%20deployment%20of%20weapons

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Coordinate malicious activity across multiple accounts to avoid detection or circumvent product guardrails or generating identical or similar inputs that otherwise violate our Usage Policy
 Utilize automation in account creation or to engage in spammy behavior
 Circumvent a ban through the use of a different account, such as the creation of a new account, use of an existing account, or providing access to a person or entity that was previously banned
 Access or facilitate account or API access to Claude to persons, entities, or users in violation of our Supported Regions Policy 
 Intentionally bypass capabilities, restrictions, or guardrails established within our products for the purposes of instructing the model to produce harmful outputs (e.g., jailbreaking or prompt injection) without prior authorization from Anthropic
 Utilization of inputs and outputs to train an AI model (e.g., “model scraping” or “model distillation”) without prior authorization from Anthropic

- Interpretation (disclaimed): This clause restricts users from coordinating malicious multi-account activity, using automation for spammy behavior, circumventing bans via new or alternate accounts, and facilitating API access to banned persons or entities, thereby imposing enforceable prohibitions on platform misuse.
- Tier: All
- Location: Usage Policy › “Do Not Abuse our Platform”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,prior%20authorization%20from%20Anthropic

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Create or disseminate deceptive or misleading information about, or with the intention of targeting, a group, entity or person
 Create or disseminate deceptive or misleading information about laws, regulations, procedures, practices, standards established by an institution, entity or governing body
 Create or disseminate conspiratorial narratives meant to target a specific group, individual or entity
 Impersonate real entities or create fake personas to falsely attribute content or mislead others about its origin without consent or legal right
 Provide false or misleading information related to medical, health or science issues

- Interpretation (disclaimed): This segment enumerates specific prohibited misinformation-related activities, including creating or disseminating deceptive information targeting groups or persons, spreading false information about laws and institutions, creating conspiratorial narratives, and impersonating real entities or creating fake personas to mislead about content origin.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,health%20or%20science%20issues

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate the destruction or disruption of critical infrastructure such as power grids, water treatment facilities, medical devices, telecommunication networks, or air traffic control systems
 Obtain unauthorized access to critical systems such as voting machines, healthcare databases, and financial markets
 Interfere with the operation of military bases and related infrastructure

- Interpretation (disclaimed): This segment enumerates specific prohibited activities under the critical infrastructure restriction, including disruption of power grids, water facilities, medical devices, voting machines, financial markets, and military infrastructure.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Critical Infrastructure”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,bases%20and%20related%20infrastructure

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate the production, acquisition, or distribution of counterfeit or illicitly acquired goods

- Interpretation (disclaimed): This segment restricts users from facilitating the production, acquisition, or distribution of counterfeit or illicitly acquired goods, constituting a specific enumerated prohibition under the fraud/abuse restriction.
- Tier: All
- Location: Usage Policy › “Do Not Engage in Fraudulent, Abusive, or Predatory Practices”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,or%20illicitly%20acquired%20goods

### moderation enforcement — risk unknown

> Our Usage Policy (also referred to as our “Acceptable Use Policy” or “AUP”) applies to anyone who can submit inputs to Anthropic’s products and/or services, including via any authorized resellers or passthrough access, all of whom we refer to as “users.” The Usage Policy is intended to help our users stay safe and promote the responsible use of our products and services.
 The Usage Policy is categorized according to who can use our products and for what purposes. We will update our policy as our technology and the associated risks evolve or as we learn about unanticipated risks.
 Universal Usage Standards: Our Universal Usage Standards apply to all users and use cases.
 High-Risk Use Case Requirements: Our High-Risk Use Case Requirements apply to specific consumer-facing use cases that pose an elevated risk of harm.
 Additional Use Case Guidelines: Our Additional Use Case Guidelines apply to certain other use cases, including consumer-facing chatbots, products serving minors, agentic use, and Model Context Protocol servers.
 Anthropic’s Safeguards Team will implement detection and monitoring to enforce our Usage Policy, so please review this policy carefully before using our products or services. If we learn that you have violated our Usage Policy, we may throttle, suspend, or terminate your access to our products and services. We may also block or modify model outputs when inputs violate our Usage Policy.
 If you believe that our model outputs are potentially inaccurate, biased or harmful, please notify us at usersafety@anthropic.com, or report it directly in our product through the “report issues” thumbs down button or similar feedback features (where available).

- Interpretation (disclaimed): This segment defines who qualifies as a 'user' subject to the AUP (anyone submitting inputs, including via resellers or passthrough access), states the policy's purpose of promoting safety and responsible use, and signals that the policy will be updated as risks evolve, establishing the scope and applicability of enforcement obligations.
- Tier: All
- Location: Usage Policy › “Usage Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Our%20Usage%20Policy,features%20(where%20available).%20

### moderation enforcement — risk unknown

> Some use cases pose an elevated risk of harm because they influence domains that are vital to public welfare and social equity. For these use cases, given potential risks to individuals and consumers, we believe that relevant human expertise should be integrated and that end-users should be aware when AI has been involved in producing outputs.
 As such, for the “High-Risk Use Cases” described below, we require that you implement these additional safety measures:
 Human-in-the-loop: When using our products or services to provide advice, recommendations, or in subjective decision-making directly affecting individuals or consumers, a qualified professional in that field must review the content or decision prior to dissemination or finalization. You or your organization are responsible for the accuracy and appropriateness of that information.
 Disclosure: If model outputs are presented directly to individuals or consumers, you must disclose to them that you are using AI to help produce your advice, decisions, or recommendations. This disclosure must be provided at a minimum at the beginning of each session.
 “High-Risk Use Cases” include:
 Legal: Use cases related to legal interpretation, legal guidance, or decisions with legal implications
 Healthcare: Use cases related to healthcare decisions, medical diagnosis, patient care, therapy, mental health, or other medical guidance. Wellness advice (e.g., advice on sleep, stress, nutrition, exercise, etc.) does not fall under this category
 Insurance: Use cases related to health, life, property, disability, or other types of insurance underwriting, claims processing, or coverage decisions
 Finance: Use cases related to financial decisions, including investment advice, loan approvals, and determining financial eligibility or

- Interpretation (disclaimed): This clause imposes affirmative obligations on operators using high-risk use cases to implement human-in-the-loop safeguards and to disclose AI involvement to end-users, requiring specific procedural and transparency measures to mitigate elevated harm risk.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Some%20use%20cases,determining%20financial%20eligibility%20or

### moderation enforcement — risk unknown

> Generate content for fraudulent activities, schemes, scams, phishing, or malware that can result in direct financial or psychological harm
 Create falsified documents including fake IDs, licenses, currency, or other government documents
 Develop, promote, or otherwise facilitate the sale or distribution of fraudulent or deceptive products
 Generate deceptive or misleading digital content such as fake reviews, comments, or media
 Engage in or facilitate multi-level marketing, pyramid schemes, or other deceptive business models that use high-pressure sales tactics or exploit participants
 Promote or facilitate payday loans, title loans, or other high-interest, short-term lending practices that exploit vulnerable individuals
 Engage in deceptive or abusive practices that exploit individuals based on age, disability or a specific social or economic situation
 Promote or facilitate the use of abusive or harassing debt collection practices
 Develop a product or support an existing service that deploys subliminal, manipulative, or deceptive techniques to distort behavior by impairing decision-making
 Engage in actions or behaviors that circumvent the guardrails or terms of other platforms or services
 Plagiarize or submit AI-assisted work without proper permission or attribution

- Interpretation (disclaimed): This segment enumerates additional fraudulent and predatory practice prohibitions including generating content for scams or phishing, creating falsified documents, developing fraudulent products, generating fake reviews, facilitating pyramid schemes, and other deceptive business practices.
- Tier: All
- Location: Usage Policy › “Promote or facilitate the generation or distribution of spam”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Generate%20content%20for,proper%20permission%20or%20attribution

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Create, distribute, or promote child sexual abuse material (“CSAM”), including AI-generated CSAM
 Facilitate the trafficking, sextortion, or any other form of exploitation of a minor
 Facilitate minor grooming, including generating content designed to impersonate a minor
 Facilitate child abuse of any form, including instructions for how to conceal abuse
 Promote or facilitate pedophilic relationships, including via roleplay with the model
 Fetishize or sexualize minors, including in fictional settings or via roleplay with the model
 Note: We define a minor or child to be any individual under the age of 18 years old, regardless of jurisdiction. When we detect CSAM (including AI-generated CSAM), or coercion or enticement of a minor to engage in sexual activities, we will report to relevant authorities.

- Interpretation (disclaimed): This segment enumerates specific prohibited activities related to child safety, including creating or distributing CSAM (including AI-generated), facilitating child trafficking or exploitation, grooming, abuse, pedophilic relationships, and sexualizing minors, and begins a definition of minor-related terms.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Children’s Safety”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,to%20relevant%20authorities.%20

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Incite, facilitate, or promote violent extremism, terrorism, or hateful behavior
 Provide material support for organizations or individuals associated with violent extremism, terrorism, or hateful behavior
 Facilitate or promote any act of violence or intimidation targeting individuals, groups, animals, or property
 Promote discriminatory practices or behaviors against individuals or groups on the basis of one or more protected attributes such as race, ethnicity, religion, national origin, gender, sexual orientation, or any other identifying trait

- Interpretation (disclaimed): This segment enumerates specific prohibited activities under the violence/hate restriction, including inciting violent extremism or terrorism, providing material support for extremist groups, facilitating violence or intimidation, and promoting discriminatory practices against protected groups.
- Tier: All
- Location: Usage Policy › “Do Not Incite Violence or Hateful Behavior”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,any%20other%20identifying%20trait

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Discover or exploit vulnerabilities in systems, networks, or applications without authorization of the system owner
 Gain unauthorized access to systems, networks, applications, or devices through technical attacks or social engineering
 Create or distribute malware, ransomware, or other types of malicious code

- Interpretation (disclaimed): This segment specifies prohibited activities under the computer/network systems restriction, including unauthorized vulnerability exploitation, unauthorized access, and creation or distribution of malware or ransomware.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Computer or Network Systems”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,types%20of%20malicious%20code

### moderation enforcement — risk unknown

> Do Not Undermine Democratic Processes or Engage in Targeted Campaign Activities 
 This includes using our products or services to:
 Engage in personalized vote or campaign targeting based on individual profiles or data
 Create artificial or deceptive political movements in which the source, scale or nature of the campaign or activities is misrepresented
 Generate automated communications to public officials or voters at scale that conceal their artificial origin, or engage in systematic vote solicitation that could undermine election integrity
 Create political content designed to deceive or mislead voters, including synthetic media of political figures
 Generate or disseminate false or misleading information in political and electoral contexts, including about candidates, parties, policies, voting procedures, or election security
 Engage in political lobbying or grassroots advocacy using false or fabricated information, or create lobbying or advocacy materials containing demonstrably false claims about facts, data, or events
 Incite, glorify or facilitate the disruption of electoral or civic processes, including interference with voting systems, vote counting, or certification processes
 Create content designed to suppress voter turnout or discourage legitimate political participation through deception or intimidation

- Interpretation (disclaimed): This segment establishes a categorical prohibition against using Anthropic's products or services to undermine democratic processes or engage in targeted campaign activities, and enumerates specific prohibited activities including personalized vote targeting, artificial political movements, automated communications concealing artificial origin, and political content designed to deceive voters.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Do%20Not%20Undermine,through%20deception%20or%20intimidation

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Create, distribute, or promote child sexual abuse material (“CSAM”), including AI-generated CSAM
 Facilitate the trafficking, sextortion, or any other form of exploitation of a minor
 Facilitate minor grooming, including generating content designed to impersonate a minor
 Facilitate child abuse of any form, including instructions for how to conceal abuse
 Promote or facilitate pedophilic relationships, including via roleplay with the model
 Fetishize or sexualize minors, including in fictional settings or via roleplay with the model
 Note: We define a minor or child to be any individual under the age of 18 years old, regardless of jurisdiction. When we detect CSAM (including AI-generated CSAM), or coercion or enticement of a minor to engage in sexual activities, we will report to relevant authorities.

- Interpretation (disclaimed): This segment enumerates specific prohibitions protecting children, including creating CSAM, facilitating trafficking or exploitation of minors, grooming, child abuse facilitation, pedophilic relationships, and sexualization of minors including in fictional contexts.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Children’s Safety”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,to%20relevant%20authorities.%20

### moderation enforcement — risk unknown

> Synthesize, or otherwise develop, high-yield explosives or biological, chemical, radiological, or nuclear weapons or their precursors, including modifications to evade detection or medical countermeasures

- Interpretation (disclaimed): This segment restricts users from synthesizing or developing high-yield explosives or CBRN weapons or their precursors, including modifications to evade detection or medical countermeasures, constituting a specific enumerated prohibition under the weapons restriction.
- Tier: All
- Location: Usage Policy › “Circumvent regulatory controls to acquire weapons or their precursors”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Synthesize%2C%20or%20otherwise,detection%20or%20medical%20countermeasures

### moderation enforcement — risk unknown

> This includes using our products or services to:

- Interpretation (disclaimed): This segment introduces and incorporates the list of specific prohibited activities that fall under the preceding restriction heading, serving as a cross-reference connector for the enumerated prohibitions.
- Tier: All
- Location: Usage Policy › “Do Not Violate Applicable Laws or Engage in Illegal Activity”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,products%20or%20services%20to%3A

### moderation enforcement — risk unknown

> Infringe, misappropriate, or violate the intellectual property rights of a third party

- Interpretation (disclaimed): This segment restricts users from using Anthropic's products or services to infringe, misappropriate, or violate third-party intellectual property rights, imposing a specific IP-related usage prohibition.
- Tier: All
- Location: Usage Policy › “Engage in or facilitate human trafficking or prostitution”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Infringe%2C%20misappropriate%2C%20or,of%20a%20third%20party

### moderation enforcement — risk unknown

> Do Not Use for Criminal Justice, Censorship, Surveillance, or Prohibited Law Enforcement Purposes
 This includes using our products or services to:
 Make determinations on criminal justice applications, including making decisions about or determining eligibility for parole or sentencing
 Target or track a person’s physical location, emotional state, or communication without their consent, including using our products for facial recognition, battlefield management applications or predictive policing
 Utilize models to assign scores or ratings to individuals based on an assessment of their trustworthiness or social behavior without notification or their consent
 Build or support emotional recognition systems or techniques that are used to infer emotions of a natural person, except for medical or safety reasons
 Analyze or identify specific content to censor on behalf of a government organization
 Utilize models as part of any biometric categorization system for categorizing people based on their biometric data to infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation
 Utilize models as part of any law enforcement application that violates or impairs the liberty, civil liberties, or human rights of natural persons

- Interpretation (disclaimed): This segment prohibits use of the platform for certain criminal justice applications, surveillance, censorship, or prohibited law enforcement purposes, including parole/sentencing determinations, unauthorized tracking of individuals, and social scoring systems.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Do%20Not%20Use,rights%20of%20natural%20persons

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Discover or exploit vulnerabilities in systems, networks, or applications without authorization of the system owner
 Gain unauthorized access to systems, networks, applications, or devices through technical attacks or social engineering
 Create or distribute malware, ransomware, or other types of malicious code

- Interpretation (disclaimed): This segment enumerates specific prohibited activities under the computer/network systems restriction, including unauthorized vulnerability exploitation, unauthorized system access via technical or social engineering attacks, and creating or distributing malware or ransomware.
- Tier: All
- Location: Usage Policy › “Do Not Compromise Computer or Network Systems”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,types%20of%20malicious%20code

### moderation enforcement — risk unknown

> Create tools designed to intercept communications or monitor devices without authorization of the system owner
 Develop persistent access tools designed to operate below normal system security levels, including firmware modifications or hardware implants
 Create automated tools designed to compromise multiple systems at scale for malicious purposes
 Bypass security controls such as authenticated systems, endpoint protection, or monitoring tools

- Interpretation (disclaimed): This segment enumerates additional prohibited cybersecurity activities including unauthorized communication interception tools, persistent access tools, firmware or hardware implants, large-scale automated compromise tools, and security control bypass, all restricted on the platform.
- Tier: All
- Location: Usage Policy › “Develop tools for denial-of-service attacks or managing botnets”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Create%20tools%20designed,protection%2C%20or%20monitoring%20tools

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate the production, acquisition, or distribution of counterfeit or illicitly acquired goods

- Interpretation (disclaimed): This segment restricts users from facilitating production, acquisition, or distribution of counterfeit or illicitly acquired goods via the platform.
- Tier: All
- Location: Usage Policy › “Do Not Engage in Fraudulent, Abusive, or Predatory Practices”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,or%20illicitly%20acquired%20goods

### moderation enforcement — risk unknown

> Promote, trivialize, or depict graphic violence or gratuitous gore, including sexual violence
 Develop a new product or service, or support an existing product or service that employs or facilitates deceptive techniques with the intent of causing emotional harm

- Interpretation (disclaimed): This segment restricts users from promoting or depicting graphic violence or gratuitous gore (including sexual violence) and from developing products or services that employ deceptive techniques intended to cause emotional harm, constituting specific enumerated prohibitions under the harmful content restriction.
- Tier: All
- Location: Usage Policy › “Generate content depicting animal cruelty or abuse”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Promote%2C%20trivialize%2C%20or,of%20causing%20emotional%20harm

### moderation enforcement — risk unknown

> creditworthiness
 Employment and housing: Use cases related to decisions about the employability of individuals, resume screening, hiring tools, or other employment determinations or decisions regarding eligibility for housing, including leases and home loans
 Academic testing, accreditation and admissions: Use cases related to standardized testing companies that administer school admissions (including evaluating, scoring or ranking prospective students), language proficiency, or professional certification exams; agencies that evaluate and certify educational institutions
 Media or professional journalistic content: Use cases related to using our products or services to automatically generate content and publish it for external consumption

- Interpretation (disclaimed): This segment defines specific categories of 'High-Risk Use Cases'—including creditworthiness, employment, housing, academic testing, and media/professional contexts—establishing the scope of use cases subject to the elevated safety requirements described in the preceding clause.
- Tier: All
- Location: Usage Policy › “High-Risk Use Case Requirements”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20creditworthiness%20Employment%20and,it%20for%20external%20consumption

### moderation enforcement — risk unknown

> Do Not Use for Criminal Justice, Censorship, Surveillance, or Prohibited Law Enforcement Purposes
 This includes using our products or services to:
 Make determinations on criminal justice applications, including making decisions about or determining eligibility for parole or sentencing
 Target or track a person’s physical location, emotional state, or communication without their consent, including using our products for facial recognition, battlefield management applications or predictive policing
 Utilize models to assign scores or ratings to individuals based on an assessment of their trustworthiness or social behavior without notification or their consent
 Build or support emotional recognition systems or techniques that are used to infer emotions of a natural person, except for medical or safety reasons
 Analyze or identify specific content to censor on behalf of a government organization
 Utilize models as part of any biometric categorization system for categorizing people based on their biometric data to infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation
 Utilize models as part of any law enforcement application that violates or impairs the liberty, civil liberties, or human rights of natural persons

- Interpretation (disclaimed): This segment establishes a categorical prohibition against using Anthropic's products or services for criminal justice determinations, censorship, surveillance, or prohibited law enforcement purposes, and enumerates specific prohibited activities including parole/sentencing decisions, unauthorized location or emotion tracking, facial recognition, battlefield management, predictive policing, and social scoring of individuals.
- Tier: All
- Location: Usage Policy › “Do Not Create or Spread Misinformation”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Do%20Not%20Use,rights%20of%20natural%20persons

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Facilitate, promote, or glamorize any form of suicide or self-harm, including disordered eating and unhealthy or compulsive exercise
 Engage in behaviors that promote unhealthy or unattainable body image or beauty standards, such as using the model to critique anyone’s body shape or size
 Shame, humiliate, intimidate, bully, harass, or celebrate the suffering of individuals

- Interpretation (disclaimed): This segment enumerates specific prohibited activities including facilitating suicide or self-harm, promoting unhealthy body image standards, and shaming, bullying, or harassing individuals.
- Tier: All
- Location: Usage Policy › “Do Not Create Psychologically or Emotionally Harmful Content”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,the%20suffering%20of%20individuals

### moderation enforcement — risk unknown

> This includes using our products or services to:
 Produce, modify, design, or illegally acquire weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life
 Design or develop weaponization and delivery processes for the deployment of weapons

- Interpretation (disclaimed): This segment specifies that users are prohibited from producing, modifying, designing, or illegally acquiring weapons, explosives, or dangerous materials, or designing weaponization and delivery processes, through use of the platform.
- Tier: All
- Location: Usage Policy › “Do Not Develop or Design Weapons”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,the%20deployment%20of%20weapons

### moderation enforcement — risk unknown

> This includes using our products or services to:

- Interpretation (disclaimed): This introductory clause signals that the following enumerated items define specific prohibited activities under the sexually explicit content restriction, giving legal operative context to the list that follows.
- Tier: All
- Location: Usage Policy › “Do Not Generate Sexually Explicit Content”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,products%20or%20services%20to%3A

### moderation enforcement — risk unknown

> This includes using our products or services to:

- Interpretation (disclaimed): This segment is an introductory clause that incorporates the specific prohibited activities listed in subsequent segments under the 'Do Not Violate Applicable Laws' restriction, establishing that the following enumerated items are all covered by that prohibition.
- Tier: All
- Location: Usage Policy › “Do Not Violate Applicable Laws or Engage in Illegal Activity”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20This%20includes%20using,products%20or%20services%20to%3A

### moderation enforcement — risk unknown

> You can read more about our Safeguards practices and recommendations in our Safeguards Support Center.
 This Usage Policy is calibrated to strike an optimal balance between enabling beneficial uses and mitigating potential harms. Anthropic may enter into contracts with certain governmental customers that tailor use restrictions to that customer’s public mission and legal authorities if, in Anthropic’s judgment, the contractual use restrictions and applicable safeguards are adequate to mitigate the potential harms addressed by this Usage Policy.

- Interpretation (disclaimed): This segment creates an exception to the standard AUP restrictions, permitting Anthropic to enter contracts with governmental customers that tailor (i.e., modify or relax) use restrictions, conditioned on Anthropic's judgment that safeguards are adequate, thereby carving out a class of users from universal enforcement standards.
- Tier: All
- Location: Usage Policy › “Usage Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=You%20can%20read%20more,this%20Usage%20Policy.%20

### moderation enforcement — risk unknown

> Create tools designed to intercept communications or monitor devices without authorization of the system owner
 Develop persistent access tools designed to operate below normal system security levels, including firmware modifications or hardware implants
 Create automated tools designed to compromise multiple systems at scale for malicious purposes
 Bypass security controls such as authenticated systems, endpoint protection, or monitoring tools

- Interpretation (disclaimed): This segment enumerates additional specific prohibited activities under the computer/network systems restriction, including unauthorized interception tools, persistent below-OS-level access tools, automated mass-compromise tools, and bypassing security controls.
- Tier: All
- Location: Usage Policy › “Develop tools for denial-of-service attacks or managing botnets”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Create%20tools%20designed,protection%2C%20or%20monitoring%20tools

### moderation enforcement — risk unknown

> Generate content for fraudulent activities, schemes, scams, phishing, or malware that can result in direct financial or psychological harm
 Create falsified documents including fake IDs, licenses, currency, or other government documents
 Develop, promote, or otherwise facilitate the sale or distribution of fraudulent or deceptive products
 Generate deceptive or misleading digital content such as fake reviews, comments, or media
 Engage in or facilitate multi-level marketing, pyramid schemes, or other deceptive business models that use high-pressure sales tactics or exploit participants
 Promote or facilitate payday loans, title loans, or other high-interest, short-term lending practices that exploit vulnerable individuals
 Engage in deceptive or abusive practices that exploit individuals based on age, disability or a specific social or economic situation
 Promote or facilitate the use of abusive or harassing debt collection practices
 Develop a product or support an existing service that deploys subliminal, manipulative, or deceptive techniques to distort behavior by impairing decision-making
 Engage in actions or behaviors that circumvent the guardrails or terms of other platforms or services
 Plagiarize or submit AI-assisted work without proper permission or attribution

- Interpretation (disclaimed): This segment enumerates additional specific prohibited fraudulent activities, including generating content for scams, phishing, or malware causing financial or psychological harm, creating falsified documents, developing deceptive products, generating fake reviews or media, and facilitating pyramid schemes or multi-level marketing with deceptive practices.
- Tier: All
- Location: Usage Policy › “Promote or facilitate the generation or distribution of spam”
- Source: https://www.anthropic.com/legal/aup
- Snapshot SHA-256: `14803ef6189dc1d0cd965845b0b6af7e3d3b54622129352f2d302d91dd7d29f0`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/aup#:~:text=%20Generate%20content%20for,proper%20permission%20or%20attribution

### moderation enforcement — risk unknown

> Except when you are accessing our Services via an Anthropic API Key or where we otherwise explicitly permit it, to access the Services through automated or non-human means, whether through a bot, script, or otherwise.
 To engage in any other conduct that restricts or inhibits any person from using or enjoying our Services, or that we reasonably believe exposes us—or any of our users, affiliates, or any other third party—to any liability, damages, or detriment of any type, including reputational harms.
 To rely upon the Services, the Materials, or the Actions to buy or sell securities or to provide or receive advice about securities, commodities, derivatives, or other financial products or services, as Anthropic is not a broker-dealer or a registered investment adviser under the securities laws of the United States or any other jurisdiction.

- Interpretation (disclaimed): This segment restricts automated access to the Services except via API key, prohibits conduct that restricts other users' enjoyment or exposes Anthropic to liability, and prohibits using Services for securities trading decisions, constituting specific enforceable use restrictions.
- Tier: All
- Location: § 3
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Except%20when%20you,or%20any%20other%20jurisdiction.

### moderation enforcement — risk unknown

> You also must not abuse, harm, interfere with, or disrupt our Services, including, for example, introducing viruses or malware, spamming or DDoSing Services, or bypassing any of our systems or protective measures.

- Interpretation (disclaimed): This segment prohibits users from abusing, harming, interfering with, or disrupting the Services including introducing malware, spamming, DDoSing, or bypassing security measures, constituting an enforceable behavioral restriction.
- Tier: All
- Location: § 3
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20You%20also%20must,systems%20or%20protective%20measures.

### moderation enforcement — risk unknown

> Department of Commerce Denied Persons List or Entity List, or (iv) any other restricted party lists. You represent and warrant that you and anyone accessing or using the Services on your behalf, or using your Account credentials, are not such persons or entities and are not located in any such country.
 Legal Compliance. We may comply with governmental, court, and law enforcement requests or requirements relating to provision or use of the Services, or to information provided to or collected under our Terms. We reserve the right, at our sole discretion, to report information from or about you, including but not limited to Inputs, Outputs, or Actions to law enforcement.
 U.S. Government Use. The Services were developed solely at private expense and are commercial computer software and commercial computer software documentation within the meaning of the applicable Federal Acquisition Regulations and their agency supplements. Accordingly, U.S. Government users of the Services will have only those rights that are granted to all other end users of the Services pursuant to these Terms.

- Interpretation (disclaimed): This segment imposes a representation and warranty obligation on the user confirming they are not on restricted party lists, and grants the platform permission to comply with governmental and law enforcement requests and to report user information at its sole discretion, constituting an enforcement and disclosure obligation and permission.
- Tier: All
- Location: § 12 (General terms)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=Department%20of%20Commerce%20Denied,pursuant%20to%20these%20Terms.

### moderation enforcement — risk unknown

> Third-Party Content is the responsibility of the person or entity that provides it to our Services. Anthropic is under no obligation to host or serve Third-Party Content. Third-Party Content may appear in Inputs or Outputs and become part of Materials. If you see any Third-Party Content you believe does not comply with these Terms, including by violating the Acceptable Use Policy or the law, you can report it to us.
 If we become aware that any Third-Party Content (1) infringes another’s copyright or any other intellectual property or related or neighboring right, (2) is in breach of these Terms or our Acceptable Use Policy, or (3) may cause harm to Anthropic, our users, or third parties, we reserve the right to remove or take down some or all of such Third-Party Content using, where appropriate, algorithmic and human review.
 You can learn more about our monitoring and enforcement, including how to appeal an account suspension or termination, in our T&S Support Center.

- Interpretation (disclaimed): This segment establishes that third-party content responsibility lies with its provider, disclaims Anthropic's obligation to host such content, and creates a procedure for users to report non-compliant third-party content, including copyright-infringing or terms-violating material, enabling Anthropic to take enforcement action.
- Tier: All
- Location: § 8 (Content Moderation)
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Third-Party%20Content%20is,T%26S%20Support%20Center%20.

### moderation enforcement — risk unknown

> It is in our legitimate interests and in the interest of Anthropic users to evaluate the use of the Services and adoption of new features to inform the development of future features and improve direction and development of the Services. Our research also benefits the AI industry and society: it investigates the safety, inner workings, and societal impact of AI models so that artificial intelligence has a positive impact on society as it becomes increasingly advanced and capable. 
 To enforce our Terms of Service and similar terms and agreements, including our Usage Policy. Identity and Contact Data

- Interpretation (disclaimed): Articulates the legitimate interest rationale for research and model training purposes, then establishes a separate processing purpose to enforce Terms of Service and Usage Policy, permitting Anthropic to process Identity, Contact, and other data for policy enforcement against users.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,Identity%20and%20Contact%20Data

### moderation enforcement — risk unknown

> To prevent and investigate fraud, abuse, and violations of our Usage Policy, unlawful or criminal activity, unauthorized access to or use of personal data or Anthropic systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations Identity and Contact Data

- Interpretation (disclaimed): This segment specifies the purpose of processing Identity and Contact Data to prevent and investigate fraud, abuse, and Usage Policy violations, protect Anthropic's rights, and meet legal obligations, establishing both legitimate interests and legal obligation as the bases for this enforcement-related processing activity.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20prevent%20and,Identity%20and%20Contact%20Data

### moderation enforcement — risk unknown

> It is in our legitimate interests to protect our business, employees and users from illegal activities, inappropriate behavior or violations of terms that would be detrimental. We also have a duty to cooperate with authorities.

- Interpretation (disclaimed): This segment articulates the legitimate interest and legal obligation rationale for processing personal data to protect the business, employees, and users from illegal activities and policy violations, justifying the dual legal bases for enforcement-related processing.
- Tier: All
- Location: Privacy Policy › “Legal obligation”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,cooperate%20with%20authorities.%20

### moderation enforcement — risk unknown

> It is in our legitimate interests to protect our business, employees and users from illegal activities, inappropriate behavior or violations of terms that would be detrimental. We also have a duty to cooperate with authorities.

- Interpretation (disclaimed): This segment articulates the legitimate interests rationale for fraud prevention and enforcement processing, stating that it is in Anthropic's legitimate interests to protect its business, employees, and users from illegal activities, and that Anthropic has a duty to cooperate with authorities, thereby justifying the identified processing activities.
- Tier: All
- Location: Privacy Policy › “Legal obligation”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20It%20is%20in,cooperate%20with%20authorities.%20

### moderation enforcement — risk unknown

> In certain circumstances outside of the performance of our contract with you, we may rely on legitimate interests. It is in our legitimate interests to enforce the rules and policies governing use of our services, to maintain intended functionality and value for users. We aim to provide a safe, useful platform.

- Interpretation (disclaimed): Explains that Anthropic may rely on legitimate interests for enforcement activities outside contractual performance, granting permission to use personal data to enforce platform rules and maintain service integrity.
- Tier: All
- Location: Privacy Policy › “Legitimate interests”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20In%20certain%20circumstances,safe%2C%20useful%20platform.%20

### moderation enforcement — risk unknown

> To prevent and investigate fraud, abuse, and violations of our Usage Policy, unlawful or criminal activity, unauthorized access to or use of personal data or Anthropic systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations Identity and Contact Data

- Interpretation (disclaimed): This segment identifies fraud prevention, abuse investigation, Usage Policy enforcement, and legal compliance as purposes for processing personal data, specifying Identity and Contact Data as a processed category and establishing the obligation to process such data for security and compliance purposes.
- Tier: All
- Location: Privacy Policy › “Contract”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=%20To%20prevent%20and,Identity%20and%20Contact%20Data

### tier differences — risk medium

> This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website and other places where Anthropic acts as a data controller—for example, when you interact with Claude.ai or other products as a consumer for personal use ("Services") or when Anthropic operates and provides our commercial customers and their end users with access to our commercial products, such as the Claude Team plan (“Commercial Services”).
 This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic’s Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the back-end with Claude. In those cases, the commercial customer is the controller, and you can review their policies for more information about how they handle your personal data.

- Interpretation (disclaimed): The policy distinguishes between Anthropic as controller (consumer/Claude.ai users) and Anthropic as processor (enterprise/employer-provisioned users). Enterprise end-users must look to their employer's privacy policy, not Anthropic's, for data rights—creating a potential gap in protections.
- Tier: Enterprise
- Location: Privacy Policy › “Privacy Policy \ Anthropic”
- Source: https://www.anthropic.com/legal/privacy
- Snapshot SHA-256: `68d25fe251e6a971fed543610f088cdce07e69d251a0d0a04b16eb114bfeeaf4`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/privacy#:~:text=This%20Privacy%20Policy%20explains,handle%20your%20personal%20data.

### tier differences — risk unknown

> Except as expressly provided in these Terms or where required by law, all payments are non-refundable. Please check your order carefully before confirming it, and see below for additional information about recurring charges for our subscriptions.
 Additional fees. We may increase fees for our Services. If we charge additional fees in connection with our Services, we will give you an opportunity to review and accept the additional fees before you are charged. Also, additional fees may apply for additional Services or features of the Services that we may make available. If you do not accept any such additional fees, we may discontinue your access to the Services or features.
 You agree that we will not be held liable for any errors caused by third-party payment processors used to process fees paid by you to us.
 Subscriptions. To access Claude Pro and other subscription services we may make available to individuals, you must sign up for a subscription with us (a “Subscription”), first by creating an Account, and then following the subscription procedure on our Services. When you sign up for a Subscription, you agree to these Terms.
 Subscription content, features, and services. The content, features, and other services provided as part of your Subscription, and the duration of your Subscription, will be described in the order process. We may change the content, features, and other services from time to time, and we do not guarantee that any particular piece of content, feature, or other service will always be available through the Services.

- Interpretation (disclaimed): This segment restricts refund rights by declaring payments non-refundable except as required by law or expressly provided, and establishes Anthropic's right to increase fees with prior notice and user opportunity to review, governing financial terms of paid tiers.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=Except%20as%20expressly%20provided,through%20the%20Services.%20

### tier differences — risk unknown

> Subscription term and automatic renewal. If you sign up for a paid Subscription, we or the App Distributor will automatically charge your Payment Method on each agreed-upon periodic renewal date until you cancel. If your Subscription has a minimum term (the “Initial Term”), we will let you know during the order process. Your Subscription will last for the Initial Term and will automatically renew, and your Payment Method will be charged, at the end of the Initial Term for an additional term equal in duration to the Initial Term and will continue to renew and incur charges for additional terms equal in duration to the Initial Term (each such additional term, a “Renewal Term”) until you cancel.
 Subscription cancellation. If you subscribed via our website, you may cancel your Subscription for any reason by using a method we may provide to you through our products—for example, for Claude Pro, in your customer portal—or by notifying us at support@anthropic.com. If you subscribed via an app, you’ll need to cancel via the App Distributor according to the App Distributor’s terms. Learn more here. To avoid renewal and charges for the next Renewal Term, cancel your subscription at least 24 hours before the last day of the Initial Term or any Renewal Term. For example, if you subscribe on January 25th for a Subscription with a one-month Initial Term, you must cancel the Subscription per the instructions by February 23rd (24 hours before February 24th) to avoid renewal and charges for the next Renewal Term.

- Interpretation (disclaimed): This segment establishes automatic renewal obligations for paid subscriptions, requiring periodic charges to the Payment Method until cancellation, and defines Initial Term and Renewal Term duration, creating binding financial obligations for subscription tiers.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Subscription%20term%20and,next%20Renewal%20Term.%20

### tier differences — risk unknown

> In the event of a cancellation, your fees will not be refunded, but your access to the Services will continue through the end of the Initial Term or any Renewal Term for which you previously paid fees.
 Additional cancellation rights. If you are a resident of Brazil, Mexico, South Korea, or Taiwan, you have a legal right to change your mind and cancel the Subscription within 7 days of entering into the Subscription without giving a reason. To exercise the right to cancel in the 7-day cancellation period, you must inform us of your decision to cancel the Subscription by making a clear statement to us of such decision before the cancellation period has expired. The easiest way to do this is by cancelling your subscription in the customer portal, or you may contact us at support@anthropic.com. You may also use the model cancellation form in Appendix 1 of these Terms, but it is not obligatory. For further details on how to cancel, please see support.anthropic.com. We will acknowledge your cancellation, e.g., through our online customer portal or console.
 If you cancel the Subscription under Section 6(4)(a), we will reimburse you all payments received from you for the cancelled Subscription. We will make the reimbursement without undue delay, and not later than 14 days after the day on which we are informed about your decision to cancel the Subscription. We will make the reimbursement using the same means of payment as you used for the initial transaction; you will not incur any fees as a result of the reimbursement.

- Interpretation (disclaimed): This segment grants users in Brazil, Mexico, South Korea, and Taiwan a legal right to cancel subscriptions within 7 days without reason, and establishes that upon cancellation access continues through the paid period without refund, creating jurisdiction-specific tier rights and cancellation procedures.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=In%20the%20event%20of,of%20the%20reimbursement.%20

### tier differences — risk unknown

> Evaluation and Additional Services. In some cases, we may permit you to evaluate our Services for a limited time or with limited functionality. Use of our Services for evaluation purposes are for your personal, non-commercial use only.
 You may need to accept additional terms to use certain Services. These additional terms will supplement our Terms for those Services and may change your rights or obligations for those Services, including your obligations to pay fees.

- Interpretation (disclaimed): This segment restricts evaluation-period use to personal, non-commercial purposes only, and notes that additional terms may supplement or modify user rights and obligations for certain services including fee obligations, thereby defining limitations specific to evaluation tiers.
- Tier: All
- Location: § 2
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Evaluation%20and%20Additional,obligations%20to%20pay%20fees.

### tier differences — risk unknown

> Subscription fees. You will pay the fees, either to us or to the App Distributor, for the Initial Term and each subsequent Renewal Term up front, at the start of that Initial Term or Renewal Term, as applicable. We have the right to make changes to the fees applicable to your Subscription from time to time, although we will not make any change to the fees applicable to your Subscription during the current Initial Term or Renewal Term, as applicable. If these changes result in an increase in the fees payable by you, we will inform you at least 30 days in advance of the change. You agree to the increase in fees payable by you unless you cancel the Subscription, as described in the paragraph (Subscription cancellation) immediately above, before the Renewal Term to which the increase in fees will apply.

- Interpretation (disclaimed): This segment imposes obligations on users to pay subscription fees upfront for each term, grants Anthropic the right to change subscription fees with 30 days' notice, and deems continued use after notice as acceptance of new fees, creating binding financial obligations for subscription tiers.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Subscription%20fees.%20You,in%20fees%20will%20apply.

### tier differences — risk unknown

> If you would like to use the Services during the 7-day cancellation period, you may do so. If you have used the Services during the 7-day cancellation period, and wish to cancel the Subscription, you can still do so by following the process in Section (4)(a) above, but we may retain an amount which is in proportion to what has been provided until you have communicated us your withdrawal from these Terms, in comparison with the full coverage of the Subscription.
>
> The 7-day cancellation period will not reset if you change subscription tiers or cancel and then resubscribe, as you have already had an opportunity to test the Services.

- Interpretation (disclaimed): This segment establishes the procedure for exercising the 7-day cancellation right during the cancellation period, including proportional retention of fees for Services used, and clarifies that the cancellation period does not reset upon tier changes or resubscription.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20If%20you%20would,to%20test%20the%20Services.

### tier differences — risk unknown

> Please note: Our Commercial Terms of Service govern your use of any Anthropic API key, the Anthropic Console, or any other Anthropic offerings that reference the Commercial Terms of Service. For clarity, this does not include Claude.ai or Claude Pro use for individuals or entities.

- Interpretation (disclaimed): This segment defines the boundary between consumer and commercial use terms, clarifying that the Commercial Terms of Service govern API key and Console use while excluding Claude.ai and Claude Pro individual use, thereby defining distinct service tiers with different governing documents.
- Tier: All
- Location: Terms of Service › “Consumer Terms of Service \ Anthropic”
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Please%20note%3A%20Our,individuals%20or%20entities.%20

### tier differences — risk unknown

> Fees and billing. You may be required to pay us fees to access or use our Services or certain features of our Services. You are responsible for paying any applicable fees listed for the Services on the Model Pricing Page unless otherwise communicated to you by Anthropic in writing.
>
> If you purchase access to our Services or features of our Services, you must provide complete and accurate billing information (“Payment Method”). You agree that we may charge the Payment Method for any applicable fees listed on our Services and any applicable tax. If the fees for these Services or features are specified to be recurring or based on usage, you agree that we may charge these fees and applicable taxes to the Payment Method on a periodic basis.
>
> If you purchase access to our Services through a distributor (e.g. an app store) (“App Distributor”), then you will make payment to the App Distributor, and the App Distributor’s terms in relation to payment methods, billing, and refunds will apply instead of these Terms.

- Interpretation (disclaimed): This segment imposes obligations on users to pay applicable fees, provide accurate billing information, and authorizes Anthropic to charge the Payment Method for fees and taxes, establishing the financial obligations tied to paid service tiers.
- Tier: All
- Location: § 6
- Source: https://www.anthropic.com/legal/consumer-terms
- Snapshot SHA-256: `302af768945b9867a7fa2a9480b1fdc80d85c227ffaf671e19ee2025428d0705`
- Wayback: —
- Deep link: https://www.anthropic.com/legal/consumer-terms#:~:text=%20Fees%20and%20billing.,instead%20of%20these%20Terms.


---

# GRC Risk Assessment — Microsoft Copilot

- Platform: **Microsoft Copilot** (microsoft-copilot)
- Headline risk rating: **HIGH**
- Website: https://copilot.microsoft.com
- Generated: 2026-06-14T10:17:38.513Z
- Findings (verified, published): **96**

> Every assertion is anchored to a verbatim quote with a SHA-256 snapshot hash and a Wayback archive URL for independent verification. Informational only; not legal advice.

## Control crosswalk (NIST AI RMF 1.0 + ISO/IEC 42001)

| Surface | Risk | Confidence | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|---|
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) |
| output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| output ownership | unknown | medium | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| output ownership | unknown | medium | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) |
| commercial use | unknown | medium | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy)  |
| data retention | unknown | medium | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| subprocessors data sharing | unknown | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | medium | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| audit rights dpa residency | unknown | medium | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) |
| confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) |
| confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) |
| confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) |
| confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) |
| governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |
| tier differences | unknown | medium | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) |

## Evidence (verbatim, with provenance)

### training use — risk unknown

> Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.

- Interpretation (disclaimed): This segment explicitly restricts the use of prompts, responses, and Microsoft Graph data by prohibiting their use to train foundation LLMs, including those used by Microsoft 365 Copilot, thereby limiting how customer data may be used for model improvement.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Prompts%2C%20responses%2C%20and,by%20Microsoft%20365%20Copilot.

### training use — risk unknown

> Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.

- Interpretation (disclaimed): This segment expressly restricts the use of prompts, responses, and data accessed through Microsoft Graph, stating they are not used to train foundation LLMs including those used by Microsoft 365 Copilot, creating a binding data-use limitation.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Prompts%2C%20responses%2C%20and,by%20Microsoft%20365%20Copilot.

### training use — risk unknown

> We may use customer feedback, which is optional, to improve Microsoft 365 Copilot, just like we use customer feedback to improve other Microsoft 365 services and Microsoft 365 productivity apps. We don't use this feedback to train the foundation LLMs used by Microsoft 365 Copilot. Customers can manage feedback through admin controls. For more information, see Manage Microsoft feedback for your organization and Providing feedback about Microsoft Copilot with Microsoft 365 apps.

- Interpretation (disclaimed): This segment restricts the use of optional customer feedback, stating it will not be used to train foundation LLMs used by Microsoft 365 Copilot, while permitting its use to improve Copilot services, and grants admins the right to manage feedback through admin controls.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20may%20use,Microsoft%20365%20apps%20.

### training use — risk unknown

> Your personal data collected from the use of connected experiences in Microsoft 365 isn’t used to train large language models (LLMs), including those used by Microsoft 365 Copilot.

- Interpretation (disclaimed): Explicitly restricts Microsoft from using personal data collected from connected experiences in Microsoft 365 to train large language models, including those used by Microsoft 365 Copilot.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20personal%20data,by%20Microsoft%20365%20Copilot.

### training use — risk unknown

> By combining data and context, Work IQ helps tailor Copilot and agents with specialized instructions that optimize them for specific tasks.

- Interpretation (disclaimed): This segment describes how Work IQ combines data and context to generate specialized instructions that tailor Copilot and agents for specific tasks — defining the mechanism by which user data is used to train or tune AI model behavior, implicating training-use obligations and restrictions.
- Tier: All
- Location: “Skills and tools”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20By%20combining%20data,for%20specific%20tasks.%20

### output ownership — risk unknown

> We don’t own Your Content, but we may use Your Content to operate Copilot and improve it. By using Copilot, you grant us permission to use Your Content, which means we can copy, distribute, transmit, publicly display, publicly perform, edit, translate, and reformat it, and we can give those same rights to others who work on our behalf.
>
> We get to decide whether to use Your Content, and we don’t have to pay you, ask your permission, or tell you when we do. But that doesn’t mean we can use it however we want. The Microsoft Privacy Statement explains how we use Your Content, and the privacy options in Copilot give you control over some of those uses.
>
> We can decide to remove or stop using Your Content at any time for any reason. By sharing Your Content with Copilot, you promise us that you have all rights to Your Content and that if we use Your Content, we won’t be violating someone else’s rights.
>
> Although our Terms grant you permission to use Copilot, we are not granting you any rights in the underlying technology, intellectual property, or data that makes up Copilot.

- Interpretation (disclaimed): This segment addresses content ownership by stating Microsoft does not own user content but grants itself a broad license to copy, distribute, transmit, display, perform, edit, translate, and reformat user content and to sublicense these rights to third parties, establishing the scope of Microsoft's license to user-submitted Prompts and related content.
- Tier: All
- Location: Terms of Service › “OWNERSHIP OF CONTENT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We%20don%E2%80%99t%20own,that%20makes%20up%20Copilot.

### output ownership — risk unknown

> Can I trust the content that Microsoft 365 Copilot creates? Who owns that content?

- Interpretation (disclaimed): This segment frames questions about trustworthiness of Copilot-created content and ownership of that content, signaling the output ownership surface addressed in the document.
- Tier: All
- Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Can%20I%20trust,owns%20that%20content%3F%20

### output ownership — risk unknown

> The responses that generative AI produces aren't guaranteed to be 100% factual. While we continue to improve responses, users should still use their judgment when reviewing the output before sending them to others. Our Microsoft 365 Copilot capabilities provide useful drafts and summaries to help you achieve more while giving you a chance to review the generated AI rather than fully automating these tasks.

- Interpretation (disclaimed): Disclaims that generative AI responses are not guaranteed to be 100% factual and places responsibility on users to review output before use, limiting Microsoft's liability for accuracy of generated content.
- Tier: All
- Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20responses%20that,fully%20automating%20these%20tasks.

### output ownership — risk unknown

> Microsoft doesn't claim ownership of the output of the service. That said, we don't make a determination on whether a customer's output is copyright protected or enforceable against other users. This is because generative AI systems may produce similar responses to similar prompts or queries from multiple customers. Consequently, multiple customers may have or claim rights in content that is the same or substantially similar.

- Interpretation (disclaimed): Disclaims Microsoft's ownership of service output and disclaims any determination on whether customer output is copyright-protected or enforceable against others, noting that similar outputs may be generated for multiple customers.
- Tier: All
- Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20doesn't%20claim,same%20or%20substantially%20similar.

### output ownership — risk unknown

> Quickly turn your ideas into designed content, videos, podcasts, or surveys—or edit what you already have. Get started easily with a prompt, a template, or your company brand kit.

- Interpretation (disclaimed): This segment describes the Create feature allowing users to turn ideas into designed content, videos, podcasts, or surveys — defining the types of AI-generated outputs produced, which is relevant to output ownership classification regarding who holds rights over AI-created works.
- Tier: All
- Location: “Create”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Quickly%20turn%20your,company%20brand%20kit.%20

### commercial use — risk unknown

> Create or customize agents for specific tasks or workflows with Copilot Studio. You can start from a template or build from scratch using natural language.

- Interpretation (disclaimed): This segment describes Copilot Studio as a tool allowing users to create or customize agents for specific tasks using natural language or templates, defining the scope of permissible commercial use and customization rights granted to subscribers.
- Tier: All
- Location: “Learn more”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Create%20or%20customize,using%20natural%20language.%20

### privacy data use — risk unknown

> Microsoft 365 Copilot, including Microsoft 365 Copilot Search, is compliant with our existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary.

- Interpretation (disclaimed): This segment states that Microsoft 365 Copilot, including Copilot Search, is compliant with existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including GDPR and the EU Data Boundary, thereby imposing a compliance obligation on Microsoft with respect to customer data processing.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot%2C,Union%20(EU)%20Data%20Boundary.

### privacy data use — risk unknown

> How does Microsoft 365 Copilot use your proprietary organizational data?

- Interpretation (disclaimed): This segment poses the question of how Microsoft 365 Copilot uses proprietary organizational data, framing the scope of the data use discussion but not itself imposing a legal obligation; however it signals the surface area of data use rights addressed in the document.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,proprietary%20organizational%20data%3F%20

### privacy data use — risk unknown

> How does Microsoft 365 Copilot protect organizational information and data?

- Interpretation (disclaimed): This segment poses the question of how Copilot protects organizational information and data, framing a section on data protection obligations without itself being a binding clause.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,information%20and%20data%3F%20

### privacy data use — risk unknown

> How does Microsoft 365 Copilot meet regulatory compliance requirements?

- Interpretation (disclaimed): This segment frames a question about how Microsoft 365 Copilot meets regulatory compliance requirements, introducing the compliance discussion but not itself imposing a legal obligation.
- Tier: All
- Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,regulatory%20compliance%20requirements%3F%20

### privacy data use — risk unknown

> Do privacy controls for connected experiences in Microsoft 365 Apps apply to Microsoft 365 Copilot?

- Interpretation (disclaimed): This segment frames a question about whether privacy controls for connected experiences in Microsoft 365 Apps apply to Copilot, introducing the applicability of privacy controls without independently establishing obligations.
- Tier: All
- Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Do%20privacy%20controls,Microsoft%20365%20Copilot%3F%20

### privacy data use — risk unknown

> Microsoft 365 Copilot provides value by connecting LLMs to your organizational data. Microsoft 365 Copilot accesses content and context through Microsoft Graph. It can generate responses anchored in your organizational data, such as user documents, emails, calendar, chats, meetings, and contacts. Microsoft 365 Copilot combines this content with the user's working context, such as the meeting a user is in now, the email exchanges the user had on a topic, or the chat conversations the user had last week. Microsoft 365 Copilot uses this combination of content and context to help provide accurate, relevant, and contextual responses.

- Interpretation (disclaimed): This segment defines how Microsoft 365 Copilot accesses and combines organizational data (documents, emails, calendar, chats, meetings, contacts) through Microsoft Graph to generate responses, establishing the scope of data processing activities.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot use your proprietary organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,relevant%2C%20and%20contextual%20responses.

### privacy data use — risk unknown

> Microsoft 365 Copilot only surfaces organizational data to which individual users have at least view permissions. It's important that you're using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization. This includes permissions you give to users outside your organization through inter-tenant collaboration solutions, such as shared channels in Microsoft Teams.

- Interpretation (disclaimed): This segment restricts Microsoft 365 Copilot to surfacing only organizational data to which individual users have at least view permissions, and instructs organizations to rely on Microsoft 365 permission models to enforce access controls, imposing a data access boundary obligation.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,in%20Microsoft%20Teams%20.

### privacy data use — risk unknown

> When you enter prompts using Microsoft 365 Copilot, the information contained within your prompts, the data they retrieve, and the generated responses remain within the Microsoft 365 service boundary, in keeping with our current privacy, security, and compliance commitments. Microsoft 365 Copilot uses Azure OpenAI services for processing, not OpenAI's publicly available services. Azure OpenAI doesn't cache customer content and Copilot modified prompts for Microsoft 365 Copilot. For more information, see the Data stored about user interactions with Microsoft 365 Copilot section later in this article.

- Interpretation (disclaimed): This segment imposes an obligation that prompts, retrieved data, and generated responses remain within the Microsoft 365 service boundary consistent with privacy, security, and compliance commitments, and specifies that Azure OpenAI (not public OpenAI) is used for processing and does not cache customer content.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you%20enter,later%20in%20this%20article.

### privacy data use — risk unknown

> When you're using web search, Microsoft 365 Copilot parses the user's prompt and identifies terms where web search would improve the quality of the response. Based on these terms, Copilot generates a search query that it sends to the Bing Search service. For more information, Data, privacy, and security for web queries in Microsoft 365 Copilot and Microsoft 365 Copilot Chat.

- Interpretation (disclaimed): This segment describes the procedure by which Microsoft 365 Copilot processes user prompts for web search, generating search queries sent to Bing Search service, and references further detail on data, privacy, and security for web queries.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you're%20using,365%20Copilot%20Chat%20.

### privacy data use — risk unknown

> When agents are enabled, Microsoft 365 Copilot determines whether it needs to use a specific agent to help provide a relevant response to the user. If an agent is needed, Microsoft 365 Copilot generates a search query to send to the agent on the user's behalf. The query is based on the user's prompt, Copilot activity history, and data the user has access to in Microsoft 365.

- Interpretation (disclaimed): This segment describes the procedure by which Microsoft 365 Copilot determines whether to invoke an agent and generates a search query on the user's behalf based on prompt, activity history, and accessible data, defining the data processing flow for agent interactions.
- Tier: All
- Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20agents%20are,to%20in%20Microsoft%20365.

### privacy data use — risk unknown

> The permissions model within your Microsoft 365 tenant can help ensure that data won't unintentionally leak between users, groups, and tenants. Microsoft 365 Copilot presents only data that each individual can access using the same underlying controls for data access used in other Microsoft 365 services. Semantic Index honors the user identity-based access boundary so that the grounding process only accesses content that the current user is authorized to access. For more information, see Microsoft's privacy policy and service documentation.

- Interpretation (disclaimed): This segment imposes an obligation that Microsoft 365 Copilot presents only data each individual user can access using the same underlying access controls as other Microsoft 365 services, and that Semantic Index honors user identity-based access boundaries during grounding, restricting data surfacing to authorized content only.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20permissions%20model,and%20service%20documentation%20.

### privacy data use — risk unknown

> Your control over your data is reinforced by Microsoft's commitment to comply with broadly applicable privacy laws, such as the GDPR, and privacy standards, such as ISO/IEC 27018, the world's first international code of practice for cloud privacy.

- Interpretation (disclaimed): Establishes Microsoft's obligation to comply with broadly applicable privacy laws (GDPR) and privacy standards (ISO/IEC 27018), reinforcing customer control over their data.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20control%20over,practice%20for%20cloud%20privacy.

### privacy data use — risk unknown

> Microsoft continues to adapt and respond to fulfill AI regulatory requirements as they evolve, so we earn and keep the trust of customers, partners, and regulators.

- Interpretation (disclaimed): States Microsoft's commitment (obligation) to adapt and respond to fulfil evolving AI regulatory requirements, establishing an ongoing duty to maintain regulatory compliance.
- Tier: All
- Location: Privacy Policy › “Meeting regulatory compliance requirements”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20continues%20to,customers%2C%20partners%2C%20and%20regulators.

### privacy data use — risk unknown

> Microsoft 365 Copilot provides broad compliance offerings and certifications, including GDPR, ISO 27001, HIPAA, and the ISO 42001 standard for AI management systems. These help support our customers on their compliance journeys, complemented by features such as contractual readiness, built-in information and communication technology risk management, and operational resilience tooling.

- Interpretation (disclaimed): Lists compliance offerings and certifications (GDPR, ISO 27001, HIPAA, ISO 42001) that Microsoft 365 Copilot provides, establishing contractual readiness obligations supporting customers' compliance journeys.
- Tier: All
- Location: Privacy Policy › “Meeting regulatory compliance requirements”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,and%20operational%20resilience%20tooling.

### privacy data use — risk unknown

> Microsoft is committed to complying with all laws and regulations applicable to Microsoft, including the EU AI Act, to enable our AI solutions to meet evolving standards for trustworthy and responsible AI. Microsoft 365 Copilot is built on top of Microsoft's existing commitments to data security and privacy. There's no change to these commitments. Copilot is integrated into Microsoft 365 and adheres to existing privacy, security, and compliance commitments to Microsoft 365 customers.

- Interpretation (disclaimed): Affirms Microsoft's obligation to comply with applicable laws including the EU AI Act and reaffirms that existing data security and privacy commitments to Microsoft 365 customers remain unchanged for Copilot.
- Tier: All
- Location: Privacy Policy › “Meeting regulatory compliance requirements”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20is%20committed,to%20Microsoft%20365%20customers.

### privacy data use — risk unknown

> Work IQ is the unique intelligence layer behind Microsoft 365 Copilot and agents that helps Copilot know you, your job and your company—connecting individual and organizational knowledge to deliver intelligence built just for you and the flow of your work.

- Interpretation (disclaimed): This segment defines 'Work IQ' as an intelligence layer that connects individual and organizational knowledge — including emails, files, meetings, chats, and transactions — to personalize Copilot outputs, establishing the scope of data processing and the nature of the system's use of user and organizational data.
- Tier: All
- Location: “Microsoft 365 Copilot,”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20is,of%20your%20work.%20

### privacy data use — risk unknown

> Work IQ starts with your work and business data—all the rich knowledge in your emails, files, meetings, chats, and transactions—capturing how work gets done across your organization.

- Interpretation (disclaimed): This segment specifies that Work IQ processes emails, files, meetings, chats, and transactions to capture organizational work patterns, defining the categories of personal and business data used by the platform — directly relevant to privacy/data-use classification.
- Tier: All
- Location: “Data”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20starts,across%20your%20organization.%20

### privacy data use — risk unknown

> Work IQ uses memory to learn from your unique style, preferences, and habits, adapting to your patterns over time.

- Interpretation (disclaimed): This segment states that Work IQ uses memory to learn from a user's unique style, preferences, and habits over time — describing persistent data retention and behavioral profiling of individual users, which carries implications for privacy and data-use rights.
- Tier: All
- Location: “Context”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20uses,patterns%20over%20time.%20

### privacy data use — risk unknown

> Supercharge productivity, streamline tasks, and uncover insights in seconds with secure AI chat powered by Work IQ. It works across Microsoft apps and gives everyone access to agents—all in the flow of work.

- Interpretation (disclaimed): This segment describes the AI chat feature as 'secure' and powered by Work IQ, working across Microsoft apps — defining the scope of data access and the security representation associated with the chat functionality, relevant to privacy and data-use characterization.
- Tier: All
- Location: “Chat”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Supercharge%20productivity%2C%20streamline,flow%20of%20work.%20

### privacy data use — risk unknown

> Describe what you’re looking for—as a question, phrase, or command—and find it fast with AI-powered enterprise search. With Work IQ, it goes beyond keywords to surface the right results from your work content and apps.

- Interpretation (disclaimed): This segment describes AI-powered enterprise search that uses Work IQ to surface results from the user's work content and apps, defining the scope of data queried and processed by the search feature — relevant to privacy and data-use classification.
- Tier: All
- Location: “Search”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Describe%20what%20you%E2%80%99re,content%20and%20apps.%20

### privacy data use — risk unknown

> Bring together your Copilot chats, files, meeting notes, and project materials—then build on it. Copilot Notebooks helps you organize and analyze your content, and even create something new from it. You can also get AI-generated podcast-style summaries of your content to help you quickly catch up.

- Interpretation (disclaimed): This segment describes Copilot Notebooks as aggregating Copilot chats, files, meeting notes, and project materials to organize, analyze, and generate new content — defining the scope of data retention and reuse within the Notebooks feature, relevant to privacy and data-use obligations.
- Tier: All
- Location: “Notebooks”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Bring%20together%20your,quickly%20catch%20up.%20

### privacy data use — risk unknown

> You own your data—and we help keep it that way. Prompts, inputs, and responses are never used to train the models.

- Interpretation (disclaimed): This segment expressly states that the customer owns their data and imposes a restriction on Microsoft prohibiting the use of prompts, inputs, and responses to train the underlying models, which is a core operative limitation on training use.
- Tier: All
- Location: “Built-in data privacy”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20You%20own%20your,train%20the%20models.%20

### data retention — risk unknown

> What data is stored about user interactions with Microsoft 365 Copilot?

- Interpretation (disclaimed): This segment frames the question of what data is stored about user interactions with Microsoft 365 Copilot, signaling the retention and storage scope addressed in the document.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20What%20data%20is,Microsoft%20365%20Copilot%3F%20

### data retention — risk unknown

> When a user interacts with Microsoft 365 Copilot (using apps such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt and Copilot's response, including citations to any information used to ground Copilot's response. We refer to the user's prompt and Copilot's response to that prompt as the "content of interactions" and the record of those interactions is the user's Copilot activity history. For example, this stored data provides users with Copilot activity history in Microsoft 365 Copilot Chat (previously named Business Chat) and meetings in Microsoft Teams. This data is processed and stored in alignment with contractual commitments with your organization's other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft 365 Copilot.

- Interpretation (disclaimed): This segment imposes an obligation to store data about user interactions with Microsoft 365 Copilot, defining the scope of stored data as including user prompts, Copilot responses, and citations, and defines 'content of interactions' and 'Copilot activity history' as operative terms.
- Tier: All
- Location: Privacy Policy › “Data stored about user interactions with Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20a%20user,by%20Microsoft%20365%20Copilot.

### data retention — risk unknown

> Your users can delete their Copilot activity history, which includes their prompts and the responses Copilot returns, by going to the My Account portal. For more information, see Delete your Microsoft 365 Copilot activity history.

- Interpretation (disclaimed): This segment grants users the right to delete their Copilot activity history, including prompts and responses, through the My Account portal, establishing a user-exercisable deletion right over stored interaction data.
- Tier: All
- Location: Privacy Policy › “Deleting the history of user interactions with Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20users%20can,Copilot%20activity%20history%20.

### subprocessors data sharing — risk unknown

> You also authorize the third party to share information about you with us (“Third Party Content”). We aren’t responsible for any errors or omissions in Third Party Content, including information about you that may be wrong or otherwise incorrect. If you have questions about or disagree with the information that a third party provided to Copilot Health, you must address it with the third party. We do not control Third Party Content, so we are not responsible for any loss or damage that may result from your use of Third Party Content in Copilot Health.

- Interpretation (disclaimed): This segment authorizes third parties to share user information with Microsoft ('Third Party Content'), disclaims responsibility for errors or inaccuracies in such third-party data, and disclaims liability for loss or damage resulting from use of Third Party Content, addressing third-party data sharing and associated liability limitations.
- Tier: All
- Location: Terms of Service › “COPILOT HEALTH”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=You%20also%20authorize%20the,Content%20in%20Copilot%20Health.

### subprocessors data sharing — risk unknown

> Anthropic models within Microsoft 365 Copilot experiences are provided under the Microsoft Product Terms and Data Protection Addendum. Learn more about Anthropic's safeguards.

- Interpretation (disclaimed): This segment specifies that Anthropic models within Microsoft 365 Copilot are provided under the Microsoft Product Terms and Data Protection Addendum and references Anthropic's safeguards, incorporating those governing terms by reference for subprocessor data handling.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20models%20within,about%20Anthropic's%20safeguards.%20

### subprocessors data sharing — risk unknown

> Anthropic is a subprocessor for Microsoft 365 Copilot. For more information, see Anthropic as a subprocessor for Microsoft Online Services.

- Interpretation (disclaimed): This segment discloses that Anthropic is a named subprocessor for Microsoft 365 Copilot and incorporates by reference further information about Anthropic's role as a subprocessor for Microsoft Online Services, creating a subprocessor transparency obligation.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20is%20a,Microsoft%20Online%20Services%20.

### subprocessors data sharing — risk unknown

> When you're using agents to help Microsoft 365 Copilot to provide more relevant information, check the privacy statement and terms of use of the agent to determine how it will handle your organization's data. For more information, see Extensibility of Microsoft 365 Copilot.

- Interpretation (disclaimed): This segment directs users to review the privacy statement and terms of use of any agent used with Microsoft 365 Copilot to understand how that agent handles organizational data, establishing a due-diligence procedure for third-party data handling disclosures.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you're%20using,Microsoft%20365%20Copilot%20.

### subprocessors data sharing — risk unknown

> We may deploy other AI models for Microsoft 365 Copilot to use that are hosted and operated by Microsoft. These models are governed by the same contractual and data protection commitments already in place, including that no data leaves Microsoft. For more information about models that may be used by Copilot, see Understanding AI functionality and models in Microsoft Online Services.

- Interpretation (disclaimed): This segment discloses that Microsoft may deploy additional AI models hosted and operated by Microsoft for Copilot use, and imposes an obligation that these models are governed by the same contractual and data protection commitments already in place, including a restriction that no data leaves Microsoft.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20may%20deploy,Microsoft%20Online%20Services%20.

### subprocessors data sharing — risk unknown

> While Microsoft 365 Copilot is already able to use the apps and data within the Microsoft 365 ecosystem, many organizations still depend on various external tools and services for work management and collaboration. Microsoft 365 Copilot experiences can reference third-party tools and services when responding to a user's request by using Microsoft Graph connectors or agents. Data from Graph connectors can be returned in Microsoft 365 Copilot responses if the user has permission to access that information.

- Interpretation (disclaimed): This segment discloses that Microsoft 365 Copilot can reference third-party tools and services via Graph connectors or agents, and that data from Graph connectors may be returned in Copilot responses subject to the user's access permissions, establishing third-party data sharing scope.
- Tier: All
- Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20While%20Microsoft%20365,to%20access%20that%20information.

### subprocessors data sharing — risk unknown

> Manage agents for Microsoft 365 Copilot in the Microsoft 365 admin center

- Interpretation (disclaimed): This segment incorporates by reference the article on managing agents for Microsoft 365 Copilot in the admin center, which governs third-party agent data sharing and admin control procedures.
- Tier: All
- Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Manage%20agents%20for,365%20admin%20center%20

### subprocessors data sharing — risk unknown

> Add agents to Copilot that automate common tasks or work on your behalf. Ready-to-use agents—from Microsoft and trusted partners—are available in the Agent Store. Agents tap into Work IQ and are tuned for your unique workflows and business needs.

- Interpretation (disclaimed): This segment describes agents from Microsoft and trusted partners available in the Agent Store that tap into Work IQ — implicitly identifying third-party partners as entities that access organizational data through agents, which is relevant to subprocessor and data-sharing classification.
- Tier: All
- Location: “Next”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Add%20agents%20to,and%20business%20needs.%20

### audit rights dpa residency — risk unknown

> Anthropic models are out of scope for the EU Data Boundary and when available, in-country LLM processing commitments. For more information, see Anthropic as a subprocessor for Microsoft Online Services.

- Interpretation (disclaimed): This segment creates an exception by stating that Anthropic models are outside the scope of the EU Data Boundary and in-country LLM processing commitments, and cross-references further information about Anthropic as a subprocessor, establishing a data residency carve-out.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20models%20are,Microsoft%20Online%20Services%20.

### audit rights dpa residency — risk unknown

> What data residency commitments does Microsoft 365 Copilot make?

- Interpretation (disclaimed): This segment frames the question of what data residency commitments Microsoft 365 Copilot makes, introducing the residency commitments discussed in the document.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20What%20data%20residency,365%20Copilot%20make%3F%20

### audit rights dpa residency — risk unknown

> To view and manage this stored data, admins can use Content search or Microsoft Purview. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. For more information, see the following articles:

- Interpretation (disclaimed): This segment grants admins the right to view and manage stored interaction data using Content Search or Microsoft Purview, and grants admins the right to set retention policies for Copilot chat interaction data, referencing further procedural articles.
- Tier: All
- Location: Privacy Policy › “Data stored about user interactions with Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20To%20view%20and,see%20the%20following%20articles%3A

### audit rights dpa residency — risk unknown

> Microsoft Purview data security and compliance protections for generative AI apps

- Interpretation (disclaimed): This segment incorporates by reference the Microsoft Purview data security and compliance protections article as governing the management of generative AI app data including Copilot interactions.
- Tier: All
- Location: Privacy Policy › “Overview of Content search”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20Purview%20data,generative%20AI%20apps%20

### audit rights dpa residency — risk unknown

> For Microsoft Teams chats with Copilot, admins can also use Microsoft Teams Export APIs to view the stored data.

- Interpretation (disclaimed): This segment grants admins the additional right to use Microsoft Teams Export APIs to view stored Copilot interaction data for Microsoft Teams chats, expanding the set of tools available for data access and audit.
- Tier: All
- Location: Privacy Policy › “Learn about retention for Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20Microsoft%20Teams,view%20the%20stored%20data.

### audit rights dpa residency — risk unknown

> Microsoft 365 Copilot calls to the LLM are routed to the closest data centers in the region, but also can call into other regions where capacity is available during high utilization periods.

- Interpretation (disclaimed): This segment discloses that LLM calls are routed to the closest regional data centers but may also route to other regions during high utilization, informing customers of potential cross-region data routing relevant to data residency obligations.
- Tier: All
- Location: Privacy Policy › “Microsoft 365 Copilot and the EU Data Boundary”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,during%20high%20utilization%20periods.

### audit rights dpa residency — risk unknown

> For European Union (EU) users, we have additional safeguards to comply with the EU Data Boundary. EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing.

- Interpretation (disclaimed): This segment imposes an obligation to keep EU user traffic within the EU Data Boundary as an additional safeguard for EU users, while disclosing that worldwide traffic may be sent to the EU and other regions for LLM processing.
- Tier: All
- Location: Privacy Policy › “Microsoft 365 Copilot and the EU Data Boundary”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20European%20Union,regions%20for%20LLM%20processing.

### audit rights dpa residency — risk unknown

> Microsoft 365 Copilot is upholding data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum. Microsoft 365 Copilot was added as a covered workload in the data residency commitments in Microsoft Product Terms on March 1, 2024.

- Interpretation (disclaimed): This segment imposes an obligation that Microsoft 365 Copilot upholds data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum, and incorporates those instruments by reference, noting Copilot was added as a covered workload on March 1, 2024.
- Tier: All
- Location: Privacy Policy › “Microsoft 365 Copilot and data residency”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,on%20March%201%2C%202024.

### audit rights dpa residency — risk unknown

> Microsoft Advanced Data Residency (ADR) and Multi-Geo Capabilities offerings include data residency commitments for Microsoft 365 Copilot customers as of March 1, 2024. For EU customers, Microsoft 365 Copilot is an EU Data Boundary service. Customers outside the EU may have their queries processed in the US, EU, or other regions.

- Interpretation (disclaimed): This segment specifies data residency commitments under Microsoft Advanced Data Residency and Multi-Geo Capabilities for Copilot customers as of March 1, 2024, designates Copilot as an EU Data Boundary service for EU customers, and discloses that non-EU customers may have queries processed in the US, EU, or other regions.
- Tier: All
- Location: Privacy Policy › “Microsoft 365 Copilot and data residency”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20Advanced%20Data,EU%2C%20or%20other%20regions.

### audit rights dpa residency — risk unknown

> Additionally, we prioritize open dialogue with our partners and regulatory authorities. We provide customers with direct access to Microsoft compliance professionals, proactive guidance, and curated solutions to help navigate regulatory compliance, such as the Microsoft 365 Copilot & Copilot Chat Risk Assessment Quickstart. Our approach in the AI-driven landscape aims to empower organizations to innovate confidently with solutions built with transparency, privacy, and security in mind.

- Interpretation (disclaimed): States Microsoft's obligation to provide customers with direct access to compliance professionals, proactive guidance, and curated solutions for navigating regulatory compliance, constituting a service-level commitment.
- Tier: All
- Location: Privacy Policy › “Meeting regulatory compliance requirements”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Additionally%2C%20we%20prioritize,and%20security%20in%20mind.

### indemnity liability — risk unknown

> Copilot is an AI-powered conversational service. Copilot will generate Responses to Prompts you submit and may also offer you Responses directly in your ongoing conversations or for things you have asked Copilot to remember.
>
> Copilot tries to give you good answers, but it can make mistakes. Sometimes, the sources Copilot uses may not be reliable, relevant, or accurate, and sometimes, Copilot may give you wrong information. When responding, Copilot may use information it finds on the internet, and we don’t control that content. You might see Responses that seem convincing but are incomplete, inaccurate, or inappropriate.
>
> Always use your judgment and check the information you get from Copilot before you make decisions or act. Carefully review Responses and Creations before sharing them so you’re not exposing personal information you wouldn’t want others to see.
>
> If you see something wrong or inappropriate from Copilot, use the Report or Feedback features in Copilot to let us know. If you have a legal concern about something Copilot says, please use the Report a Concern page to tell us.
>
> Because of the way Copilot works, the Responses you get from Copilot may not be unique to you. Copilot may give the same or similar Responses and Creations to Microsoft, or to other people. Other people may send similar Prompts as yours, and they could get the same, similar, or different Responses and Creations.
>
> By using Copilot, you’re telling us that:
>
> You’ve read, understood, and agree to these Terms, and will abide by the Code of Conduct (below).
>
> You’ll use Copilot only in lawful ways and in compliance with all applicable laws.
>
> You won’t use Copilot to violate our or anyone else’s rights.

- Interpretation (disclaimed): This segment disclaims the reliability and accuracy of Copilot's Responses, warns that outputs may be wrong or incomplete, and notes that Microsoft does not control internet content used in Responses, limiting Microsoft's liability for inaccurate or misleading outputs.
- Tier: All
- Location: Terms of Service › “HOW YOU USE COPILOT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Copilot%20is%20an,or%20anyone%20else%E2%80%99s%20rights.

### indemnity liability — risk unknown

> Depending on your location and other factors, we may offer you the opportunity to browse, shop and buy certain products through Copilot. If you use Copilot to buy something, it’s sold and shipped by a third party (“Merchant”), not by us. We don’t process payments for your purchases through Copilot.
>
> Anything you buy with Copilot is subject to the Merchant’s terms and conditions (including pricing, fees, and shipping, cancellation, and refund policies). You are responsible for reading and complying with the Merchant’s terms that apply to your purchase, including how the Merchant collects and uses your personal information under its privacy policy.
>
> We aren’t responsible or liable for any dispute between you and the Merchant about your purchase. If you have any disputes or questions about any product you purchase through Copilot, you must address it directly with the Merchant. If you have disputes or questions about your payment for the product, you must address it with your payment issuer, bank, or wallet provider.
>
> We collect, store, use, and share your personal information, including your payment information and purchases you make, in accordance with the Microsoft Privacy Statement. You authorize each Merchant to share with us information about you and your purchase, and for us to send information (including your personal information and transaction details) to the Merchant, the Merchant’s payment processor, our payment processor, or other third party necessary to complete your purchase.

- Interpretation (disclaimed): This segment clarifies that purchases through Copilot are fulfilled by third-party Merchants (not Microsoft), that Microsoft does not process payments, and that users are responsible for Merchant terms and conditions, limiting Microsoft's liability for third-party commercial transactions conducted through Copilot.
- Tier: All
- Location: Terms of Service › “SHOPPING EXPERIENCES”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Depending%20on%20your,to%20complete%20your%20purchase.

### indemnity liability — risk unknown

> Copilot may include advertising.
>
> Copilot may include both automated and manual (human) processing of data. You shouldn’t share any information with Copilot that you don’t want us to review.
>
> We plan to continue to develop and improve Copilot, but we make no guarantees or promises about how Copilot will operate or that it will operate as intended.
>
> Sometimes, we may offer certain features or services as part of “Copilot Labs.” These features and services are highly experimental and may not always work as intended. We may add, modify, or remove features or services from Copilot Labs at any time for any reason.
>
> We may limit the speed or performance of Copilot as we think necessary.
>
> When you request that Copilot take Actions on your behalf, you are solely responsible for those Actions and any results or consequences.
>
> Copilot can make mistakes, and it may not work as intended. Do not use Copilot as a substitute for professional advice. Always verify the accuracy of information presented by Copilot before you rely on it. We are not responsible for any consequences that arise from your use of or reliance on Copilot.
>
> WITHOUT LIMITING SECTION 12 OF THE MICROSOFT SERVICES AGREEMENT IN ANY WAY, BUT FOR THE SAKE OF CLARITY, WE DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND ABOUT COPILOT. For example, we can’t promise that any Copilot’s Responses won’t infringe someone else’s rights (like their copyrights, trademarks, or rights of privacy) or defame them.

- Interpretation (disclaimed): This segment discloses that Copilot may include advertising and both automated and human data processing, warns users not to share information they don't want reviewed, disclaims guarantees about Copilot's operation, and addresses the experimental nature of Copilot Labs features, limiting Microsoft's liability for service performance and feature availability.
- Tier: All
- Location: Terms of Service › “IMPORTANT DISCLOSURES & WARNINGS”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Copilot%20may%20include,or%20defame%20them.%20

### indemnity liability — risk unknown

> You are solely responsible if you choose to publish or share Copilot’s Responses publicly or with any other person.
>
> You agree to indemnify us and hold us harmless (including our affiliates, employees and any other agents) from and against any claims, losses, and expenses (including attorneys' fees) arising from or relating to your use of Copilot, including without limitation your use, sharing, or publication of any Prompt, Responses, or Creations, or your breach of these Terms or violation of applicable law.
>
> You may stop using Copilot at any time. If you want to close your Microsoft Account, please see the Microsoft Services Agreement.

- Interpretation (disclaimed): This segment imposes an indemnification obligation on users to defend and hold harmless Microsoft and its affiliates from claims, losses, and expenses (including attorneys' fees) arising from their use of Copilot, sharing or publishing of Prompts, Responses, or Creations, or breach of these Terms or applicable law.
- Tier: All
- Location: Terms of Service › “IMPORTANT DISCLOSURES & WARNINGS”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=You%20are%20solely%20responsible,Microsoft%20Services%20Agreement%20.

### indemnity liability — risk unknown

> If a third party sues a commercial customer for copyright infringement for using Microsoft's Copilots or the output they generate, we'll defend the customer and pay the amount of any adverse judgments or settlements that result from the lawsuit, as long as the customer used the guardrails and content filters we have built into our products. For more information, see Microsoft announces new Copilot Copyright Commitment for customers.

- Interpretation (disclaimed): Establishes Microsoft's obligation to defend commercial customers and pay adverse judgments or settlements arising from third-party copyright infringement lawsuits related to Copilot use or output, conditioned on the customer using prescribed guardrails and content filters.
- Tier: All
- Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20a%20third,Commitment%20for%20customers%20.

### confidentiality — risk unknown

> We already implement multiple forms of protection to help prevent customers from compromising Microsoft 365 services and applications or gaining unauthorized access to other tenants or the Microsoft 365 system itself. Here are some examples of those forms of protection:

- Interpretation (disclaimed): Describes Microsoft's obligation to implement multiple protective measures preventing unauthorized access to customer data and tenant isolation within Microsoft 365 services.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20already%20implement,those%20forms%20of%20protection%3A

### confidentiality — risk unknown

> Logical isolation of customer content within each tenant for Microsoft 365 services is achieved through Microsoft Entra authorization and role-based access control. For more information, see Microsoft 365 isolation controls.

- Interpretation (disclaimed): Specifies the obligation to achieve logical isolation of customer content within each tenant through Microsoft Entra authorization and role-based access control, protecting confidentiality of tenant data.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Logical%20isolation%20of,365%20isolation%20controls%20.

### confidentiality — risk unknown

> Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer content.

- Interpretation (disclaimed): States Microsoft's obligation to use physical security, background screening, and multi-layered encryption to protect the confidentiality and integrity of customer content.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20uses%20rigorous,integrity%20of%20customer%20content.

### confidentiality — risk unknown

> Microsoft 365 uses service-side technologies that encrypt customer content at rest and in transit, including BitLocker, per-file encryption, Transport Layer Security (TLS), and Internet Protocol Security (IPsec). For specific details about encryption in Microsoft 365, see Encryption in the Microsoft Cloud.

- Interpretation (disclaimed): Details Microsoft's obligation to encrypt customer content at rest and in transit using specific technologies (BitLocker, TLS, IPsec), establishing a security commitment for data protection.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20uses,the%20Microsoft%20Cloud%20.

### governing law disputes — risk unknown

> IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT. IT AFFECTS HOW DISPUTES RELATING TO THESE TERMS ARE RESOLVED.
>
> Welcome to Copilot, your personal AI companion!
>
> These Terms explain how you can use Copilot. By using Copilot, you agree to these Terms. Please read them carefully before you start using Copilot.

- Interpretation (disclaimed): This segment incorporates by reference the binding arbitration clause and class action waiver in Section 15 of the Microsoft Services Agreement and conditions their applicability on US residency or principal place of business, establishing how disputes relating to these Terms are resolved.
- Tier: All
- Location: Terms of Service › “Summary of Changes”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20IF%20YOU%20LIVE,you%20start%20using%20Copilot.

### governing law disputes — risk unknown

> By agreeing to these Terms, you’re also agreeing to the Microsoft Services Agreement, a legal agreement between you and us that applies to your use of our Services (including Copilot). If you have a Microsoft account, you already agreed to the Microsoft Services Agreement when you first created a Microsoft account. If you log in to Copilot using a non-Microsoft account, we may automatically create a Microsoft account for you, or let you link that non-Microsoft account to your existing Microsoft Account.
>
> Even if you don’t have a Microsoft Account – for example, if you’re using Copilot without logging in, you’re still agreeing to the Microsoft Services Agreement by using Copilot. Please make sure you review it carefully.
>
> If you use Copilot to create images, you’re also agreeing to the Image Creator Terms.
>
> If you use Copilot to access, update, or use payment methods (like credit cards) you’ve saved in your Microsoft Wallet, you are subject to the Payment Services Terms.
>
> If you use Gaming Copilot or other AI-powered experiences provided in connection with any Xbox Services, you are also subject to the Xbox Community Standards.
>
> Copilot may be integrated into other products and services we separately license to you. For example, Microsoft 365 Family or Microsoft 365 Personal subscriptions are separately licensed under the terms at https://www.microsoft.com/useterms.
>
> If any of the language in those other agreements conflicts with the language in these Terms, the language in these Terms controls.
>
> When you use Copilot, you are subject to the Microsoft Privacy Statement, which describes how we collect, use, and share information relating to your use of Copilot.

- Interpretation (disclaimed): This segment incorporates the Microsoft Services Agreement by reference as a binding legal agreement governing use of the Services, and describes the mechanism by which a Microsoft account (and thus that agreement) may be automatically created or linked for users of Copilot, establishing the contractual framework that applies.
- Tier: All
- Location: Terms of Service › “OTHER TERMS & AGREEMENTS”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20By%20agreeing%20to,your%20use%20of%20Copilot.

### governing law disputes — risk unknown

> From time to time, we might need to update these Terms for different reasons. Some of those reasons might include adding new features, complying with changing laws, addressing security, safety, or fraud issues, or making our Terms clearer and easier to understand.
>
> There may be rare circumstances where we need to update these Terms immediately. Otherwise, we’ll post the updated Terms to this page at least 30 days before they take effect. We’ll also include the date the terms take effect at the top of the page, so you can easily tell when we’ve made an update.
>
> If you keep using Copilot after the updates take effect, you’re agreeing to those updates. If you don’t agree to the updates, you must stop using Copilot.

- Interpretation (disclaimed): This segment establishes the procedural mechanism by which Microsoft may unilaterally update the Terms, including the obligation to post updates at least 30 days in advance (except in urgent circumstances), the method of notice (posting to the page with an effective date), and the consequence that continued use of Copilot after the effective date constitutes acceptance of the updated Terms.
- Tier: All
- Location: Terms of Service › “UPDATES TO THESE TERMS”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20From%20time%20to,must%20stop%20using%20Copilot.

### moderation enforcement — risk unknown

> You need to be old enough to use Copilot – usually at least 13, but sometimes 18 or older, depending on your country’s laws. Because laws vary by country, Copilot isn’t available everywhere.
>
> If you’re under 18, or if you use Copilot without logging in, we might turn off or limit some features for legal or safety reasons. If we ask for your birthday and country when you sign up or log in, you must give us your real information.
>
> Don’t use tools or computer programs (like bots or scrapers) to access Copilot. You can only use Copilot for your own personal use.

- Interpretation (disclaimed): This segment restricts Copilot access based on age (minimum 13 or 18 depending on jurisdiction), prohibits use of bots or scrapers, limits use to personal use only, and authorizes Microsoft to disable features for minors or unauthenticated users, imposing access eligibility restrictions and enforcement authority.
- Tier: All
- Location: Terms of Service › “WHO CAN USE COPILOT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20You%20need%20to,your%20own%20personal%20use.

### moderation enforcement — risk unknown

> When you use Copilot, you must follow the general Code of Conduct set out in the Microsoft Services Agreement. As applied to Copilot, this means:
>
> Don’t use Copilot to harm yourself or others. Don’t use Copilot to help harass, bully, abuse, threaten, or intimidate other people, or otherwise harm others. Don’t use Copilot to help exploit others based on age, disability, or social or economic situations.
>
> Don’t damage our ability to provide Copilot to you and others. Don’t use bots or scrapers, and don’t engage in technical attacks, excess usage, prompt-based manipulation, “jailbreaking”, and other abuses.
>
> Don’t violate the privacy of others. Don’t use Copilot to help violate the privacy of others, including sharing their private information (e.g. “doxing”). Don’t use Copilot to infer sensitive information about others, like a person's race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. Don’t try to use Copilot for facial identification, to collect or process someone else’s sensitive personal data, or to try to verify someone’s identity. Don’t share or capture images, video, audio, or other content that includes other people without their consent, and don’t try to use Copilot to process someone else’s biometric identifiers or information.
>
> Don’t use Copilot to trick, lie to, or cheat others. Don’t use Copilot to help mislead or deceive people. Don’t use Copilot to create or share disinformation or content that will be used to impersonate, defraud, or deceive others.

- Interpretation (disclaimed): This segment imposes specific behavioral restrictions on users by prohibiting harmful, harassing, abusive, threatening, or service-damaging uses of Copilot, and incorporates the Microsoft Services Agreement Code of Conduct by reference, establishing enforceable conduct obligations.
- Tier: All
- Location: Terms of Service › “CODE OF CONDUCT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20When%20you%20use,or%20deceive%20others.%20

### moderation enforcement — risk unknown

> Don’t infringe the rights of others. Don’t use Copilot to infringe on other people’s legal rights, including their intellectual property and publicity rights.
>
> Don’t create or share inappropriate content or material. Don’t use Copilot to create or share adult content, violence or gore, hateful content, terrorism and violent extremist content, glorification of violence or suicide, child sexual exploitation or abuse material, or content that is otherwise disturbing or offensive. Don’t use Copilot to create or edit images, voice, or video of other people (e.g. “deepfakes”) without their permission.
>
> Don’t do anything illegal. Don’t use Copilot to break the law, or to help or encourage others to break the law.
>
> If you see something wrong or inappropriate from Copilot, use the Report or Feedback features in Copilot to let us know. If you have a legal concern about something Copilot says, please use the Report a Concern page to tell us.
>
> We may block, restrict, or remove your Prompts or other content from you that violates these Terms, or that could lead Copilot to create a Response that violates these Terms.

- Interpretation (disclaimed): This segment restricts users from using Copilot to infringe intellectual property or publicity rights, and prohibits creation or sharing of adult content, violent content, hateful content, extremist content, and non-consensual deepfakes, establishing content moderation restrictions enforceable against users.
- Tier: All
- Location: Terms of Service › “CODE OF CONDUCT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Don%E2%80%99t%20infringe%20the,that%20violates%20these%20Terms.

### moderation enforcement — risk unknown

> We may choose to limit or stop offering or supporting Copilot or any feature within Copilot at any time and for any reason.
 Unless prohibited by law, we may limit, suspend, or permanently revoke your access to or use of Copilot (and potentially all other Services) in our sole discretion, at any time and without notice. Some of the reasons we might do this, for example, is if you breach these Terms or violate the Code of Conduct, if we suspect you’re engaged in fraudulent or illegal activity, or if your Microsoft Account or the account you use to log in to Copilot is suspended or closed. If you feel your access has been restricted by mistake, you may ask us to reevaluate our decision by submitting a request using the Report a Concern form outlining what you think we got wrong and why.

- Interpretation (disclaimed): This segment grants Microsoft the right to limit, suspend, or permanently revoke user access to Copilot at any time, without notice and in its sole discretion, including for breach of Terms, Code of Conduct violations, suspected fraud, or account suspension, establishing broad enforcement authority over user access.
- Tier: All
- Location: Terms of Service › “OUR DECISIONS ABOUT COPILOT”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We%20may%20choose,got%20wrong%20and%20why.

### moderation enforcement — risk unknown

> Microsoft 365 Copilot operates with multiple protections, which include, but aren't limited to, blocking harmful content, detecting protected material, and blocking prompt injections (jailbreak attacks).

- Interpretation (disclaimed): This segment describes Microsoft's operational protections including blocking harmful content, detecting protected material, and blocking prompt injections, establishing obligations for moderation and safety enforcement within the Copilot service.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,injections%20(jailbreak%20attacks)%20.

### moderation enforcement — risk unknown

> While abuse monitoring, which includes human review of content, is available in Azure OpenAI, Microsoft 365 Copilot services have opted out of it. For information about content filtering, see the How does Copilot block harmful content? section later in this article.

- Interpretation (disclaimed): This segment states that Microsoft 365 Copilot services have opted out of abuse monitoring (including human review of content) available in Azure OpenAI, creating a documented exception to standard content moderation procedures, and cross-references content filtering information.
- Tier: All
- Location: Privacy Policy › “Note”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20While%20abuse%20monitoring%2C,later%20in%20this%20article.

### moderation enforcement — risk unknown

> In the Integrated apps section of the Microsoft 365 admin center, admins can view the permissions and data access required by an agent as well as the agent's terms of use and privacy statement. Admins have full control to select which agents are allowed in their organization. A user can only access the agents that their admin allows and that the user installed or is assigned. Microsoft 365 Copilot only uses agents that are turned on by the user.

- Interpretation (disclaimed): This segment grants admins the right to view agent permissions, data access requirements, terms of use, and privacy statements, and to control which agents are permitted within their organization, establishing organizational governance rights over Copilot extensibility.
- Tier: All
- Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20In%20the%20Integrated,on%20by%20the%20user.

### moderation enforcement — risk unknown

> When you have data that's encrypted by Microsoft Purview Information Protection, Microsoft 365 Copilot honors the usage rights granted to the user. This encryption can be applied by sensitivity labels or by restricted permissions in apps in Microsoft 365 by using Information Rights Management (IRM). For more information about using Microsoft Purview with Microsoft 365 Copilot, see Microsoft Purview data security and compliance protections for generative AI apps.

- Interpretation (disclaimed): Establishes that Microsoft 365 Copilot is obligated to honor usage rights granted via Microsoft Purview Information Protection encryption, including sensitivity labels and IRM permissions, restricting Copilot's access to encrypted content based on those rights.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you%20have,generative%20AI%20apps%20.

### moderation enforcement — risk unknown

> For content accessed through agents in Microsoft 365, encryption can exclude programmatic access, thus limiting the agent from accessing the content. For more information, see Configure usage rights for Azure Information Protection.

- Interpretation (disclaimed): Restricts agent access to encrypted content by stating that encryption can exclude programmatic access, thereby limiting what agents in Microsoft 365 can access.
- Tier: All
- Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20content%20accessed,Azure%20Information%20Protection%20.

### moderation enforcement — risk unknown

> Some privacy controls for connected experiences in Microsoft 365 Apps can affect the availability of Microsoft 365 Copilot features. This includes the privacy controls for connected experiences that analyze your content and the privacy control for optional connected experiences. For more information about these privacy controls, see Overview of privacy controls for Microsoft 365 Apps for enterprise.

- Interpretation (disclaimed): States that certain privacy controls for connected experiences affect the availability of Microsoft 365 Copilot features, establishing the procedural relationship between privacy settings and feature access.
- Tier: All
- Location: Privacy Policy › “Important”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Some%20privacy%20controls,Apps%20for%20enterprise%20.

### moderation enforcement — risk unknown

> If you turn off connected experiences that analyze your content on devices in your organization, Microsoft 365 Copilot features won't be available to your users in the following apps:

- Interpretation (disclaimed): Restricts Microsoft 365 Copilot feature availability in specific apps (Excel, OneNote, Outlook, PowerPoint, Word) when the organization disables connected experiences that analyze content, limiting service delivery based on admin privacy controls.
- Tier: All
- Location: Privacy Policy › “Privacy control for connected experiences that analyze your content”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20you%20turn,in%20the%20following%20apps%3A

### moderation enforcement — risk unknown

> This applies to when you're running the most current version of these apps on Windows, Mac, iOS, or Android devices.

- Interpretation (disclaimed): Defines the scope of the privacy control restriction as applying to the most current versions of the listed apps on Windows, Mac, iOS, and Android devices, delimiting applicability.
- Tier: All
- Location: Privacy Policy › “Word”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20This%20applies%20to,iOS%2C%20or%20Android%20devices.

### moderation enforcement — risk unknown

> There's also a privacy control that turns off all connected experiences, including connected experiences that analyze your content. If you use that privacy control, Microsoft 365 Copilot features won't be available in the apps and on the devices described above.

- Interpretation (disclaimed): States that activating the all-connected-experiences privacy control also disables Copilot features in the specified apps and devices, extending the restriction to a broader control setting.
- Tier: All
- Location: Privacy Policy › “Word”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20There's%20also%20a,the%20devices%20described%20above.

### moderation enforcement — risk unknown

> In addition to content filtering provided by the Azure OpenAI Service, certain Microsoft 365 Copilot scenarios provide other mitigations, such as filters to help prevent workplace harms from happening. Workplace harms refers to a category of harms that can result from generative AI or models making inferences, judgments, or evaluations about an employee based on their workplace communication. Currently, that means inferences, judgments, or evaluations about an employee's performance, attitude, internal or emotional state, or personal characteristics. We restrict the use of generative AI or models from being used for these purposes.

- Interpretation (disclaimed): Restricts the use of generative AI in certain Microsoft 365 Copilot scenarios to prevent workplace harms, specifically prohibiting AI from making inferences or evaluations about employee performance, attitude, internal state, or personal characteristics.
- Tier: All
- Location: Privacy Policy › “How does Copilot block harmful content?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20In%20addition%20to,used%20for%20these%20purposes.

### moderation enforcement — risk unknown

> If you turn off optional connected experiences in your organization, Microsoft 365 Copilot features that are optional connected experiences won't be available to your users. For example, turning off optional connected experiences could affect the availability of web search.

- Interpretation (disclaimed): Restricts availability of Copilot features that are optional connected experiences (e.g., web search) when the organization disables optional connected experiences, limiting feature access based on privacy settings.
- Tier: All
- Location: Privacy Policy › “Privacy control for optional connected experiences”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20you%20turn,of%20web%20search%20.

### moderation enforcement — risk unknown

> There's also a privacy control that turns off all connected experiences, including optional connected experiences. If you use that privacy control, Microsoft 365 Copilot features that are optional connected experiences won't be available.

- Interpretation (disclaimed): States that the all-connected-experiences privacy control also disables optional connected experience Copilot features, extending the restriction of segment 107 to the broader control.
- Tier: All
- Location: Privacy Policy › “Privacy control for optional connected experiences”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20There's%20also%20a,experiences%20won't%20be%20available.

### moderation enforcement — risk unknown

> We continue to improve algorithms to proactively address issues, such as misinformation and disinformation, content blocking, data safety, and preventing the promotion of harmful or discriminatory content in line with our responsible AI principles.

- Interpretation (disclaimed): States Microsoft's ongoing obligation to improve algorithms to proactively address misinformation, disinformation, content blocking, data safety, and prevention of harmful or discriminatory content in line with responsible AI principles.
- Tier: All
- Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20continue%20to,responsible%20AI%20principles%20.

### moderation enforcement — risk unknown

> To help block harmful content, Microsoft 365 Copilot uses safeguards that work alongside AI models used to generate responses. Depending on the scenario, these safeguards may include Microsoft first-party protections or, in some cases, safety mitigations built into the underlying model. These safeguards use a defense-in-depth approach and can include a mix of Microsoft first-party protections that help detect and reduce jailbreak attempts and prompt injection patterns (including cross-prompt injection attacks), content harm filters to identify harmful content in prompts or generated responses (such as Hate & Fairness, Sexual, Violence, and Self-harm), or in some scenarios, safety mitigations built into the underlying model.

- Interpretation (disclaimed): Describes Microsoft's obligation to implement safeguards alongside AI models to block harmful content, including first-party protections against jailbreak attempts, prompt injection, and content harm filters applied to prompts and generated responses.
- Tier: All
- Location: Privacy Policy › “How does Copilot block harmful content?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20To%20help%20block,into%20the%20underlying%20model.

### moderation enforcement — risk unknown

> Hate and fairness-related harms refer to any content that uses pejorative or discriminatory language based on attributes like race, ethnicity, nationality, gender identity and expression, sexual orientation, religion, immigration status, ability status, personal appearance, and body size. Fairness is concerned with making sure that AI systems treat all groups of people equitably without contributing to existing societal inequities. Sexual content involves discussions about human reproductive organs, romantic relationships, acts portrayed in erotic or affectionate terms, pregnancy, physical sexual acts, including those portrayed as an assault or a forced act of sexual violence, prostitution, pornography, and abuse. Violence describes language related to physical actions that are intended to harm or kill, including actions, weapons, and related entities. Self-harm language refers to deliberate actions that are intended to injure or kill oneself.

- Interpretation (disclaimed): Defines categories of harmful content subject to filtering (hate and fairness-related harms, sexual content, violence, and self-harm), establishing the scope of content moderation obligations and restrictions on generated outputs.
- Tier: All
- Location: Privacy Policy › “How does Copilot block harmful content?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Hate%20and%20fairness-related,injure%20or%20kill%20oneself.

### moderation enforcement — risk unknown

> Yes, Microsoft 365 Copilot provides detection for protected materials, which includes text subject to copyright and code subject to licensing restrictions. This detection may not be available in all Microsoft 365 Copilot scenarios, and not all of these mitigations are relevant for all Microsoft 365 Copilot scenarios.

- Interpretation (disclaimed): Confirms Microsoft's obligation to provide detection for protected materials including copyrighted text and licensed code within Microsoft 365 Copilot, while noting availability may vary by scenario.
- Tier: All
- Location: Privacy Policy › “Does Copilot provide protected material detection?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Yes%2C%20Microsoft%20365,Microsoft%20365%20Copilot%20scenarios.

### moderation enforcement — risk unknown

> Jailbreak attacks are prompts designed to bypass Copilot's safeguards or induce non-compliant behavior. Microsoft 365 Copilot helps mitigate these attacks by using proprietary techniques, such as jailbreak and cross-prompt injection attack (XPIA) classifiers. These classifiers analyze inputs to the Copilot service and help block high-risk prompts prior to model execution. These classifiers may not be available in all Microsoft 365 Copilot scenarios.

- Interpretation (disclaimed): This segment describes the technical procedure Microsoft uses to detect and block jailbreak and cross-prompt injection attacks, including classifier-based input analysis prior to model execution, and notes availability limitations — establishing a moderation enforcement mechanism with a partial disclaimer on scope.
- Tier: All
- Location: Privacy Policy › “Does Copilot block prompt injections (jailbreak attacks)?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Jailbreak%20attacks%20are,Microsoft%20365%20Copilot%20scenarios.

### moderation enforcement — risk unknown

> The AI models that power Microsoft 365 Copilot are regularly updated and enhanced. Model updates bring performance improvements, more advanced reasoning, and expanded capabilities, but they don't change your security, privacy, or compliance settings. For more information, see Microsoft 365 Blog: Understanding foundation model changes in Microsoft 365 Copilot.

- Interpretation (disclaimed): This segment disclaims that model updates do not change security, privacy, or compliance settings, limiting customer expectations about the impact of AI model changes on their data governance obligations.
- Tier: All
- Location: Privacy Policy › “What happens when foundation model changes occur?”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20AI%20models,Microsoft%20365%20Copilot%20.

### moderation enforcement — risk unknown

> As AI is poised to transform our lives, we must collectively define new rules, norms, and practices for the use and impact of this technology. Microsoft has been on a Responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first.

- Interpretation (disclaimed): This segment references Microsoft's self-imposed obligation to adhere to responsible AI principles and practices since 2017, establishing an ethical governance commitment relevant to how the AI platform is operated and regulated.
- Tier: All
- Location: Privacy Policy › “Committed to responsible AI”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20As%20AI%20is,that%20put%20people%20first.

### moderation enforcement — risk unknown

> At Microsoft, we're guided by our AI principles, our Responsible AI Standard, and decades of research on AI, grounding, and privacy-preserving machine learning. A multidisciplinary team of researchers, engineers, and policy experts reviews our AI systems for potential harms and mitigations - refining training data, filtering to limit harmful content, query- and result-blocking sensitive topics, and applying Microsoft technologies like InterpretML and Fairlearn to help detect and correct data bias. We make it clear how the system makes decisions by noting limitations, linking to sources, and prompting users to review, fact-check, and adjust content based on subject-matter expertise. For more information, see Governing AI: A Blueprint for the Future.

- Interpretation (disclaimed): This segment describes Microsoft's obligation to follow its AI principles and Responsible AI Standard, including specific technical measures such as filtering harmful content, query/result blocking, and bias detection — constituting enforceable internal governance commitments affecting platform moderation and enforcement.
- Tier: All
- Location: Privacy Policy › “Committed to responsible AI”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20At%20Microsoft%2C%20we're,for%20the%20Future%20.

### moderation enforcement — risk unknown

> We aim to help our customers use our AI products responsibly, sharing our learnings, and building trust-based partnerships. For these new services, we want to provide our customers with information about the intended uses, capabilities, and limitations of our AI platform service, so they have the knowledge necessary to make responsible deployment choices. We also share resources and templates with developers inside organizations and with independent software vendors (ISVs), to help them build effective, safe, and transparent AI solutions.

- Interpretation (disclaimed): This segment describes Microsoft's commitment to provide customers with information about intended uses, capabilities, and limitations of the AI platform, and to share responsible deployment resources — establishing a transparency and support obligation relevant to moderation and responsible use enforcement.
- Tier: All
- Location: Privacy Policy › “Committed to responsible AI”
- Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
- Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7`
- Wayback: —
- Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20aim%20to,and%20transparent%20AI%20solutions.

### moderation enforcement — risk unknown

> Copilot is built on a comprehensive approach to enterprise-grade security and responsible AI—so you can move faster without compromising the safeguards your business depends on.

- Interpretation (disclaimed): This segment makes a general representation about enterprise-grade security and responsible AI design, functioning as a disclaimer that conveys the vendor's security posture without creating a specific contractual obligation or enforceable guarantee.
- Tier: All
- Location: “Secure by design”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Copilot%20is%20built,business%20depends%20on.%20

### moderation enforcement — risk unknown

> Copilot inherits your Microsoft 365 permissions, sensitivity labels, and retention policies—so people only see what they’re meant to.

- Interpretation (disclaimed): This segment describes Microsoft's obligation to provide comprehensive IT tools for managing Copilot and agents at scale, enabling security oversight and control at every administrative level.
- Tier: All
- Location: “Governed access”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Copilot%20inherits%20your,they%E2%80%99re%20meant%20to.%20

### tier differences — risk unknown

> We've added terms for Copilot Health (which take effect immediately).
 We’ve included a link to the Payment Services Terms, which apply if you use payment and wallet-related features in Copilot.
 We’ve updated our disclosures and warnings to be clearer about how you should and shouldn’t use Copilot.
 We’ve made other minor formatting and wording changes to accurately reflect current product experiences.

- Interpretation (disclaimed): This segment summarizes material changes to the Terms including the addition of Copilot Health terms, incorporation of Payment Services Terms by reference, and updated disclosures, thereby incorporating external documents and flagging feature-specific obligations.
- Tier: All
- Location: Terms of Service › “Summary of Changes”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We've%20added%20terms,reflect%20current%20product%20experiences.

### tier differences — risk unknown

> These Terms don’t apply to Microsoft 365 Copilot apps or services unless that specific app or service says that these Terms apply.

- Interpretation (disclaimed): This segment explicitly carves out Microsoft 365 Copilot apps and services from the scope of these Terms unless a specific app or service expressly states these Terms apply, creating a tier-based distinction in coverage.
- Tier: All
- Location: Terms of Service › “Other Copilot-branded apps and services that link to these Terms”
- Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse
- Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20These%20Terms%20don%E2%80%99t,that%20these%20Terms%20apply.

### tier differences — risk unknown

> Add Copilot to your Microsoft 365 plan, get both together if you’re new, or try Copilot Chat today.

- Interpretation (disclaimed): This segment describes the available purchasing paths (adding Copilot to an existing plan, bundling with Microsoft 365, or using Copilot Chat), defining the different tier/plan options available to customers without imposing obligations or restrictions.
- Tier: All
- Location: “Get started with Microsoft 365 Copilot”
- Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work
- Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e`
- Wayback: —
- Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Add%20Copilot%20to,try%20Copilot%20Chat%20today.

