GDPR Articles 13 and 14 require data controllers to inform users about third-party processors and the purposes for which their data is shared — at the time of collection. CCPA §1798.100 similarly mandates disclosure of data sharing practices. A privacy policy that makes no mention of AI providers, large language models, or the categories of data sent to them is a material omission that creates regulatory exposure and undermines user trust. When a breach or complaint triggers regulatory review, an undisclosed sub-processor is one of the clearest indicators of non-compliance.
High because a privacy policy that omits AI data processing is a documented regulatory violation under GDPR Art. 13/14 and CCPA §1798.100, creating direct liability without requiring any breach to occur.
Add a dedicated AI data processing section to your privacy policy. Name the provider, describe what data categories are sent, the purpose, and the retention period.
## AI Features
Our application uses AI services to power [feature name]. When you use
these features, your input is sent to [Provider Name] for processing.
[Provider Name] processes this data under a Data Processing Agreement
with us and their own privacy policy: [link]. We do not use your data
to train AI models [or: model training opt-out is available in Settings].
AI conversation history is retained for [X days / the session duration].
If you use multiple providers (e.g., OpenAI for chat, Anthropic for summarization), list each one separately. Link to their privacy policies. Revisit this section whenever you add or switch AI providers.
ID: ai-data-privacy.data-collection-consent.privacy-policy-ai-disclosure
Severity: high
What to look for: Enumerate every relevant item. Locate privacy policy content in the codebase — look for privacy.mdx, privacy.md, privacy-policy.tsx, app/(marketing)/privacy/page.tsx, or similar. Search the content for terms like "artificial intelligence", "AI", "machine learning", "OpenAI", "Anthropic", "Google AI", "language model", "LLM", or "third-party AI". Also check terms of service files for the same terms.
Pass criteria: At least one of the following conditions is met: (1) the privacy policy text contains at least one reference to AI processing, third-party AI sub-processors, or data being sent to AI providers; (2) the disclosure identifies what categories of data are sent and for what purpose. Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
Fail criteria: A privacy policy file exists but contains no mention of AI processing, LLMs, or third-party AI sub-processors — despite the application clearly calling AI APIs.
Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
Skip (N/A) when: No privacy policy file is found anywhere in the codebase (note: absence of a privacy policy is a separate significant issue not checked here).
Cross-reference: For deployment and infrastructure concerns, the Deployment Readiness audit covers production configuration.
Detail on fail: "Privacy policy file found at [path] but contains no disclosure of AI data processing or third-party AI sub-processors"
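The "What to look for" procedure and the pass/fail/skip rules above, as an added example that is not part of this audit rule: a small Python checker that locates candidate privacy policy files by the file names named in the check, scans them for the listed AI terms, refuses to pass unfilled template brackets or TODO stubs, and emits the "Detail on fail" message. The path regex, term lists and placeholder markers are assumptions drawn from the text; whether the disclosure names data categories and purpose still needs a human read.

```python
import re
from pathlib import Path

# File names the check says to look for (regex over the path relative to the repo root).
POLICY_PATH_RE = re.compile(
    r"(^|/)(privacy(-policy)?\.(mdx?|tsx?|html?)|privacy/page\.tsx)$", re.IGNORECASE)
# Terms from the check. Phrases are case-insensitive; the acronyms are matched exactly
# so that words such as "said" or "all" never count as "AI".
PHRASE_RE = re.compile(
    r"artificial intelligence|machine learning|language model|third-party ai"
    r"|openai|anthropic|google ai", re.IGNORECASE)
ACRONYM_RE = re.compile(r"\b(?:AI|LLMs?)\b")
# Unfilled template brackets or TODO markers: a stub does not count as passing.
PLACEHOLDER_RE = re.compile(
    r"\bTODO\b|\bTBD\b|\bFIXME\b|\[(?:provider name|feature name|link|x days)[^\]]*\]",
    re.IGNORECASE)


def load_policy_files(root: str) -> dict[str, str]:
    """Collect {relative_path: text} for every candidate privacy policy file under root."""
    files = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and POLICY_PATH_RE.search(rel):
            files[rel] = path.read_text(encoding="utf-8", errors="replace")
    return files


def evaluate_policy_text(text: str) -> dict:
    """Apply the pass / fail / do-not-pass rules to one policy document."""
    terms = sorted({m.group(0).lower() for m in PHRASE_RE.finditer(text)}
                   | {m.group(0) for m in ACRONYM_RE.finditer(text)})
    placeholders = sorted({m.group(0) for m in PLACEHOLDER_RE.finditer(text)})
    # No AI reference at all, or a disclosure that exists only as a stub, is a fail.
    status = "fail" if not terms or placeholders else "pass"
    return {"status": status, "terms": terms, "placeholders": placeholders}


def audit_privacy_disclosure(files: dict[str, str]) -> dict:
    """Run the check over collected files and build the report fields (status, count, detail)."""
    if not files:
        return {"status": "skip", "checked": 0, "detail": "no privacy policy file found"}
    results = {path: evaluate_policy_text(text) for path, text in files.items()}
    passed = [p for p, r in results.items() if r["status"] == "pass"]
    if passed:
        return {"status": "pass", "checked": len(files),
                "detail": f"AI disclosure found in {passed}", "results": results}
    first = next(iter(results))  # report the first policy file found, as the check's detail line
    return {"status": "fail", "checked": len(files), "results": results,
            "detail": f"Privacy policy file found at {first} but contains no disclosure "
                      "of AI data processing or third-party AI sub-processors"}
```

Run it with `audit_privacy_disclosure(load_policy_files("."))` from the repository root; the returned `results` dict lists the matched terms per file so they can be quoted in the report.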
Remediation: Users have a right to know their data is being sent to a third-party AI provider. Most jurisdictions require this disclosure in the privacy policy.
Add an AI data processing section to your privacy policy:
## AI Features
Our application uses AI services to power [feature name]. When you use these features,
your input is sent to [Provider Name] for processing. [Provider Name] processes this data
pursuant to their Data Processing Agreement with us and their own privacy policy.
We do not use your data to train AI models [or: model training opt-out is available in Settings].
AI conversation history is retained for [X days / the duration of your session].
Identify your actual AI provider and link to their privacy policy. If you use multiple providers, disclose each one.