What the EU AI Act Means for Your Privacy Policy in 2025

The EU AI Act came into force in August 2024. The first set of obligations - for prohibited AI systems - applied from February 2025. General-purpose AI model rules apply from August 2025. High-risk AI system requirements phase in through 2026 and 2027.

If your product uses AI features in any form - a chatbot, auto-suggest, content generation, image processing, fraud detection - you need to look at your privacy policy. Existing GDPR-style disclosures are not enough on their own.

This post covers exactly what needs to change, with screenshots from real policies that are handling this well.


Why your existing privacy policy is not sufficient

GDPR requires you to disclose what personal data you collect and why. That is still required and still important. But the EU AI Act adds a different layer: transparency about the AI system itself, not just the data it uses.

Specifically, the Act requires:

  • Disclosure that AI is being used for decisions that affect users
  • Explanation of the logic involved in automated processing (this was already in GDPR Article 22, but is now more prominent)
  • Information about training data if the system is a general-purpose AI model
  • Opt-out rights for users who do not want their data used to train AI models
  • Human oversight disclosures for high-risk AI applications (hiring, credit scoring, medical, law enforcement, etc.)

The practical upshot: if you use AI in your product, three things need to be visible in your privacy policy or as a separate AI disclosure:

  1. That you use AI, and what it does
  2. Whether user data is used to train models - and how to opt out
  3. What automated decisions are made and whether a human can review them

What good AI disclosures look like

OpenAI - The clearest example of AI training transparency

[Screenshot: OpenAI Privacy Policy - AI training and model disclosures, with highlighted text] OpenAI’s policy explicitly links to how “training” data works and lets users opt out. Long, dense sentences are a readability risk.

OpenAI’s privacy policy is unusually transparent about AI training. They directly address:

  • That they collect data to train language models
  • That users can opt out of having their conversations used for training
  • That API data is not used for training by default

The long highlighted sentences in the screenshot above illustrate a common problem: the most important disclosures are often buried inside complex paragraphs. The EU AI Act doesn’t prescribe a format, but clear, plain-language statements that users can actually find and read are both better practice and more defensible if challenged.

What to take from this: Name the AI feature. Say whether user content goes into training. Give an opt-out path. Put this somewhere users can actually find it - not paragraph 14 of 20.


GitHub Copilot - A separate policy for AI features

[Screenshot: GitHub Copilot for Business Privacy Statement] GitHub publishes a separate privacy statement specifically for Copilot, distinct from GitHub’s main privacy policy.

GitHub made a sensible decision: rather than expanding their main privacy policy with Copilot specifics, they created a separate document called the “GitHub Copilot for Business Privacy Statement.”

This approach has real advantages:

  • Users who care about AI specifically can find that document directly
  • The main privacy policy stays readable for users who don’t use Copilot
  • Enterprise buyers - who often have procurement requirements around AI data handling - get a standalone document they can review and attach to contracts

The Copilot policy covers: what code snippets are sent to the model, how long they’re retained, whether they’re used for training (not by default for business customers), and how administrators can configure data handling.

What to take from this: If your product has distinct AI features used by different user segments, consider a separate AI-specific privacy page or section. It is cleaner and easier to update independently.


Canva - Integrating AI disclosure into an existing policy

[Screenshot: Canva Privacy Policy - AI features section] Canva has added AI-specific sections to its existing privacy policy as new features launched.

Canva has been rolling out AI features (Magic Write, Magic Edit, text-to-image tools) and has updated its privacy policy to reflect this. Rather than a separate document, they’ve integrated AI disclosures into the existing policy structure.

Their approach:

  • Named sections for AI-generated features
  • Disclosure that content submitted to AI tools may be used to improve those features
  • Separate treatment of design content vs. prompts entered into AI tools

The integration approach works if the policy is well-structured with clear headings and a table of contents. Without those, AI-specific disclosures get lost.

What to take from this: Add headings that users can search for - “Artificial Intelligence”, “AI Features”, “Automated Processing”. Don’t assume users will read the whole document.


Figma - AI in a design tool context

[Screenshot: Figma Privacy Policy - AI feature disclosures] Figma’s policy addresses AI features introduced through Figma AI, with specific treatment of design files submitted to AI processing.

Figma launched Figma AI in 2024 and updated their privacy policy accordingly. The policy addresses a specific concern their user base had: whether design files (which may contain proprietary client work) would be used to train external models.

Their disclosure: Figma AI uses third-party model providers. Design content submitted to AI features may be processed by those providers. Enterprise customers can opt out. Free and Professional users have a different default.

This tier-based approach to AI data handling - where enterprise customers get stronger defaults - is increasingly common and reflects the commercial reality that enterprise procurement requires it.

What to take from this: If you have multiple pricing tiers, be explicit about whether AI data handling defaults differ by tier. Burying this creates trust problems when enterprise buyers discover it later.


What to add to your own privacy policy

Based on these examples, here is a concrete checklist for any product with AI features:

Section: How we use AI

  • List the AI features in your product by name
  • State what input data each feature receives (user content, files, prompts, behavioral data)
  • State the purpose of the AI processing (personalization, content generation, fraud detection, etc.)
  • Name the third-party model providers you use (OpenAI, Google, Anthropic, etc.)

Section: AI training data

  • State whether user data is used to train AI models
  • If yes: what data, how, and for how long
  • If no: say so explicitly
  • Provide an opt-out mechanism or link to one

Section: Automated decisions

  • Identify any decisions made automatically that affect users (pricing, access, content moderation)
  • State whether human review is available
  • Explain how users can challenge automated decisions

Section: Third-party AI providers

  • List providers and link to their privacy policies
  • Specify what data is shared with them
  • State the data processing agreement basis (GDPR Article 28)

High-risk AI - additional requirements

If your product falls into a high-risk category under the EU AI Act (employment, education, credit scoring, biometrics, law enforcement, critical infrastructure), additional obligations apply beyond privacy policy disclosures:

  • Conformity assessment before deployment
  • Registration in the EU database for high-risk AI systems
  • Ongoing logging and monitoring
  • Designated point of contact in the EU

Most SaaS products outside these verticals are not classified as high-risk. General productivity tools, content generators, and business analytics fall into lower-risk categories where transparency disclosures are the main requirement.


Generate a compliant privacy policy

Our privacy policy generator includes fields for AI feature disclosures. You can describe the AI tools your product uses, specify whether data is used for training, and select your jurisdiction. The generated policy includes the relevant GDPR and EU AI Act transparency language.

If you already have a privacy policy and just need to add an AI section, contact us and we can help you identify what’s missing.
