Mistral AI

Partial | EU: Available | Opt-out Available | 30 Days | Multi-region

Business Plan Price

€14.99/mo (Pro), custom (Enterprise)

Enterprise Features

Self-deployment, EU hosting (Sweden + France), Mistral Compute, SOC 2, not subject to US CLOUD Act, hybrid deployment

Last Updated

March 23, 2026

Mistral AI - GDPR & Data Privacy Overview (EU)

Version: March 2026 - prepared by WAIMAKERS B.V.

Executive Summary

Mistral AI is a French AI company (Paris-based, €6 billion valuation as of June 2024) offering frontier large language models through two main products: La Plateforme (API) and Le Chat (ChatGPT-style interface).

Key GDPR considerations for European clients:

  • ✅ EU company: French startup, Paris headquarters; data hosted in EU by default (Sweden)
  • ⚠️ Feb 2025 expansion to USA: Google Cloud Platform subprocessor expanded to include USA processing (in addition to EU/Ireland)
  • ✅ API (La Plateforme): Data NOT used for training; 30-day audit log retention
  • ⚠️ Le Chat: MAY use data for training unless user opts out (all plans); NO Zero Data Retention (ZDR) available on any tier
  • ⚠️ Recent GDPR compliance: Complaint filed with French CNIL in Feb 2025 by a French lawyer — only Le Chat Pro subscribers (EUR 14.99/month) had a one-click opt-out button, while free users had to email privacy@mistral.ai (violates GDPR Article 12); CNIL has NOT yet issued a decision; Mistral added email-based opt-out for free users post-complaint, but it remains more cumbersome than the button for paid users; CNIL issued guidance on GDPR legal bases for AI training (June 2025)
  • ✅ SOC 2 certified: Report available to clients on request
  • ⚠️ ISO 27001: In progress, not yet completed
  • ✅ Self-deployment option: Full control via open-weight models (Mistral 7B, Mixtral, Mistral Large) on your own infrastructure
  • ✅ Not subject to US CLOUD Act: As a French company, Mistral data is not subject to US government data demands under the CLOUD Act
  • ✅ Le Chat tops independent AI privacy ranking (Feb 2026)
  • ✅ Mistral Compute launched (June 2025): 18,000 NVIDIA chips in France - expanding own EU infrastructure
  • ✅ Koyeb acquired (Feb 2026): First acquisition for cloud deployment capabilities
  • ✅ €1.2B committed to Swedish AI data centers
  • ✅ 1.4GW Paris AI campus planned (with MGX/Bpifrance/NVIDIA)

Recommendation: For GDPR-sensitive workloads, use La Plateforme API (not Le Chat) or consider self-deployment for maximum control. Le Chat has architectural limitations (no ZDR) and may use data for training.


Comparison of Mistral AI Offerings (EU focus)

| Tier | Training on data? | EU data residency | Retention | Compliance | Price (EUR) |
|---|---|---|---|---|---|
| Free | ⚠️ Le Chat: Yes (unless opt-out) | ⚠️ EU + USA (as of Feb 2025) | Until manual deletion | GDPR compliant (post-Feb 2025 update) | €0 |
| Pro | ⚠️ Le Chat: Yes (unless opt-out) | ⚠️ EU + USA | Until manual deletion | GDPR, SOC 2 (on request) | €14.99/month |
| Team | ⚠️ Le Chat: Yes (unless opt-out) | ⚠️ EU + USA | Until manual deletion | GDPR, SOC 2 (on request) | €24.99/user/month (min 2 users) |
| Enterprise | ⚠️ Le Chat: Yes (unless opt-out); ✅ API: NO | ⚠️ EU + USA (or on-premises / private cloud / serverless hybrid: full control) | API: 30 days by default; zero retention option available. Le Chat: Until deletion | GDPR, SOC 2, ISO 27001 (in progress) | Custom pricing |
| API (La Plateforme) | ✅ NO (contractual) | ⚠️ EU + USA | 30 days (audit/abuse monitoring only) | GDPR, SOC 2 (on request) | Pay-as-you-go or subscription |
| Self-Deployment | ✅ NO (full control) | ✅ Your infrastructure | Your control | Your responsibility | Hosting costs only |

Notes for Europe

⚠️ Critical Feb 2025 Changes:

  • USA processing added: Mistral expanded Google Cloud Platform to include USA in addition to EU/Ireland. Data can now be processed in USA.[1]
  • GDPR complaint (CNIL, pending): A French lawyer filed a complaint with CNIL alleging that only Le Chat Pro subscribers (EUR 14.99/month) had a one-click opt-out button, while free users had to email privacy@mistral.ai — violating GDPR Article 12. CNIL has NOT yet issued a decision. Post-complaint, Mistral updated privacy policy Feb 6, 2025 to add email-based opt-out for free users, but the process remains more cumbersome than the button for paid subscribers.[2][3][4]
  • Notification policy change: Mistral no longer notifies customers of subprocessor modifications (only additions/replacements), which allowed the USA expansion without notification.[1]

Infrastructure: Google Cloud Platform (Sweden primary, Ireland backup, USA added Feb 2025). Mistral Compute launched June 2025 (18,000 NVIDIA chips in France). Koyeb acquired February 2026 for cloud deployment. €1.2B committed to Swedish AI data centers. 1.4GW Paris AI campus planned (with MGX/Bpifrance/NVIDIA).[5][6]

Data retention:

  • API: 30-day audit logs for operational/abuse monitoring (not used for training)[7]
  • Le Chat: No ZDR available on ANY plan (architectural requirement for conversation history); data deleted only upon manual user action[8]

Pricing: All prices in EUR. Le Chat Free: €0; Le Chat Pro: €14.99/month; Le Chat Team: €24.99/user/month (minimum 2 users, €50/month total); Le Chat Enterprise: custom pricing.[9]

Training opt-out: Post-complaint, Mistral added email-based opt-out (privacy@mistral.ai) for free users as of Feb 6, 2025 policy update, but this is more cumbersome than the one-click button available to Le Chat Pro subscribers. All users (Free, Pro, Team, Enterprise) can opt out.[10][4]


Is Mistral AI GDPR-Compliant?

Short answer: Yes, following the Feb 2025 privacy policy update. However, Le Chat is NOT recommended for sensitive data due to (1) no ZDR option, (2) training on user data enabled by default (opt-out required), and (3) USA processing. La Plateforme API or self-deployment is the safer option for GDPR-sensitive workloads.

What applies to all plans

  • EU company - French startup (Paris) subject to GDPR, French DPA (CNIL)[11]
  • EU data hosting - Sweden (primary), Ireland (backup), but USA added Feb 2025[6][1]
  • DPA available - Standard Data Processing Agreement; subprocessor list at trust.mistral.ai[12]
  • Right to opt out - All users can opt out of training (updated Feb 6, 2025)[10][4]
  • Encryption - Data encrypted in transit and at rest, replicated across multiple EU zones[13]
  • SOC 2 - Available to clients on request[13]

What's plan-dependent

Free, Pro, Team:

  • Le Chat only (no API access on Free/Pro; Team includes limited API)
  • Training opt-out available but must be manually enabled
  • No ZDR (data stored until manual deletion)
  • Data may be processed in USA

Enterprise:

  • API access with contractual no-training guarantee
  • Deployment options: on-premises, private cloud, or serverless hybrid
  • Zero retention option available (tokens stored 30 days by default)
  • SOC 2 report access
  • Custom retention policies negotiable
  • ISO 27001 certification in progress (not completed)[14]

Le Chat (Consumer Interface)

What it is: ChatGPT-style conversational interface accessible at chat.mistral.ai.

Training policy: By default, Mistral MAY use information from prompts, feedback, and user experience to improve models. Users can opt out via settings.[10]

⚠️ Important limitation: Zero Data Retention (ZDR) is NOT available on Le Chat for any plan (Free, Pro, Team, Enterprise). This is an architectural requirement - Mistral must store conversation data to provide conversation history functionality.[8]

Data deletion: Conversations are stored until:

  • User manually deletes conversation, OR
  • User deletes entire account

Opt-out process: Settings → disable training on user data (available to all plans as of Feb 6, 2025)[10][4]

Pricing:

  • Le Chat Free: €0/month
  • Le Chat Pro: €14.99/month
  • Le Chat Team: €24.99/user/month (min 2 users)
  • Le Chat Enterprise: Custom

When to use: Personal experimentation, non-confidential brainstorming, research with public information.

When NOT to use: Client data, personal data under GDPR, trade secrets, regulated information, any data requiring ZDR.

EU AI Act: Le Chat is NOT classified as high-risk AI under the EU AI Act. Non-high-risk obligations (transparency, technical documentation) come into force on August 2, 2026.[23]


La Plateforme (API)

What it is: API access to Mistral's models (Mistral Large 2, Mixtral 8x22B, Mistral Small, etc.) for developers and applications.

Training policy: Data submitted via API is NOT used to train models (contractual guarantee).[15]

Retention: API logs stored 30 days for auditing and abuse monitoring, then automatically deleted.[7]

Enterprise ZDR: A zero retention option is available for Enterprise; tokens are stored 30 days by default. Enterprise clients should confirm this in their custom contract.

Data processing: Sweden (primary), Ireland (backup), USA (added Feb 2025) via Google Cloud Platform.[6][1]

Compliance: SOC 2 (on request), ISO 27001 in progress, GDPR compliant.[13][14]

Pricing: Pay-as-you-go or subscription; see mistral.ai/pricing for current rates.

When to use: Production applications, API integrations, automated workflows where contractual no-training guarantee is required.

When NOT to use: If USA processing is unacceptable (consider self-deployment instead).


Self-Deployment (Full Control)

What it is: Deploy Mistral's open-weight models (Mistral 7B, Mixtral 8x7B, Mixtral 8x22B, Mistral Large) on your own infrastructure using vLLM, TensorRT-LLM, or TGI.[16]

Training: Your control - no Mistral cloud involvement.

Retention: Your control.

Data residency: Your infrastructure (EU, on-premises, etc.).

Compliance: Your responsibility.

Pricing: No Mistral fees; only your hosting/compute costs.

Recommended engines:

  • vLLM (Python-only, OpenAI-compatible API)[17]
  • TensorRT-LLM (NVIDIA optimized)[18]
  • TGI (Hugging Face)[19]

Infrastructure management tools: SkyPilot, Cerebrium[16]

When to use: Highly regulated industries, air-gapped environments, complete data sovereignty required, USA processing unacceptable.

When NOT to use: Lack of ML/DevOps expertise, small-scale use cases where API is more cost-effective.


Data Processing Flow

Le Chat (consumer interface)

User submits prompt
  ↓
Mistral servers (EU + USA via Google Cloud Platform)
  ├─ Processed by selected model
  ├─ Response generated
  └─ Conversation stored (no ZDR option)
      ├─ Training opt-out: NOT used for training
      └─ Training opt-in (default): MAY be used for training

Data persists until:
  - User manually deletes conversation, OR
  - User deletes account

Note: Feb 2025 GDPR complaint (CNIL decision pending) led to privacy policy update adding email-based opt-out for free users; one-click button remains exclusive to paid plans.[2][4]

La Plateforme (API)

API request
  ↓
Mistral servers (EU + USA via Google Cloud Platform)
  ├─ Processed by selected model
  ├─ Response returned to client
  └─ Logs stored 30 days (audit/abuse monitoring)
      ├─ NOT used for training (contractual)
      └─ Automatically deleted after 30 days

Enterprise:
  - Tokens stored 30 days by default; zero retention option available
  - On-premises, private cloud, or serverless hybrid deployment options
  - Custom retention policies negotiable

Self-Deployment

API request
  ↓
Your infrastructure (your control)
  ├─ Processed by self-hosted model
  ├─ Response returned
  └─ No Mistral cloud involvement

Data handling: Your responsibility

Recommendations (GDPR-first)

✅ Safe for production (with caveats)

  • La Plateforme API for applications where 30-day audit retention is acceptable and USA processing is acceptable
  • Self-deployment for air-gapped, highly regulated, or EU-sovereignty-required environments

⚠️ Use with caution

  • Le Chat Team/Enterprise only for internal collaboration on non-sensitive data (no ZDR available)
  • API without custom contract if USA processing is a concern (request EU-only processing if available)

❌ Do not use

  • Le Chat (any tier) for client personal data, trade secrets, regulated data, or anything requiring ZDR
  • Any Mistral offering if USA processing is unacceptable and self-deployment is not feasible

DPIA required for

  • Processing personal data via Le Chat (any tier)
  • High-risk processing via API without custom DPA
  • Any use case involving special category data

EU Rollout Checklist (Practical)

1. Choose the right product

  • ✅ API (La Plateforme) for production apps with no-training requirement
  • ✅ Self-deployment for full sovereignty and EU-only processing
  • ❌ Le Chat for sensitive/confidential data (no ZDR, training enabled by default unless the user opts out)

2. Review DPA and subprocessors

  • Request DPA from Mistral (standard available)
  • Review subprocessor list at trust.mistral.ai[12]
  • Note: Google Cloud Platform is primary subprocessor (EU + USA as of Feb 2025)[1]

3. Configure training opt-out

  • Le Chat: Enable opt-out in user settings (available to all plans)[10]
  • API: No-training guarantee is contractual (verify in agreement)[15]

4. Document data flows

  • Where data is processed: EU (Sweden/Ireland) + USA
  • Retention periods: API 30 days, Le Chat until manual deletion
  • Training policies: API no training, Le Chat opt-out required

5. Request compliance documentation

  • SOC 2 report (available to clients on request)[13]
  • ISO 27001 status (in progress, not completed)[14]
  • DPA and Standard Contractual Clauses (if USA transfer concerns)

6. Assess USA transfer impact

  • Feb 2025 change allows USA processing without notification
  • If unacceptable: negotiate EU-only processing or use self-deployment

7. Implement data minimisation

  • Only submit necessary data to API/Le Chat
  • Strip PII before submission where possible
  • Use pseudonymisation for identifiers

8. User rights management

  • Le Chat: Users can delete conversations manually
  • API: Request deletion procedures from Mistral for 30-day logs
  • Document how to handle GDPR subject access requests
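
Step 7 above (strip PII, pseudonymise identifiers) can be enforced in code at the point where prompts leave your environment. The following is an added example, not code from Mistral or WAIMAKERS: it replaces e-mail addresses, IBANs and international phone numbers with keyed HMAC tokens before a prompt is sent, and restores them locally in the response. The key, the regex patterns and the sample prompt are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption): in practice, load it from your own secrets
# manager and never send it, or the token mapping, to the AI provider.
PSEUDONYM_KEY = b"constructed-demo-key"

# Best-effort detectors for structured identifiers; names and free text are NOT caught.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "PHONE": re.compile(r"\+\d{1,3}(?:[ -]?\d){8,12}"),
}


def pseudonym(kind, value):
    """Keyed, deterministic token: the same identifier always maps to the same token."""
    normalised = "".join(value.split()).casefold()
    digest = hmac.new(PSEUDONYM_KEY, f"{kind}:{normalised}".encode(), hashlib.sha256)
    return f"<{kind}_{digest.hexdigest()[:12]}>"


def minimise(text):
    """Replace identifiers with tokens; return (safe_text, token -> original mapping)."""
    mapping = {}

    def substitute(kind):
        def _replace(match):
            token = pseudonym(kind, match.group(0))
            mapping[token] = match.group(0)  # stays local, used only to re-identify
            return token
        return _replace

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(substitute(kind), text)
    return text, mapping


def reidentify(text, mapping):
    """Restore original identifiers in a model response, inside your own boundary."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text


# Constructed sample prompt (not real personal data).
SAMPLE_PROMPT = (
    "Summarise the complaint from anna.devries@example.nl (phone +31 6 12345678). "
    "She wants the refund paid to NL91ABNA0417164300; reply to anna.devries@example.nl."
)

if __name__ == "__main__":
    safe_prompt, token_map = minimise(SAMPLE_PROMPT)
    print(safe_prompt)  # this is the only text that should reach the API or Le Chat
    print(reidentify(safe_prompt, token_map) == SAMPLE_PROMPT)
```

Pseudonymised data is still personal data under GDPR as long as the key or mapping exists, so this reduces exposure at the processor but does not remove the need for a DPA or DPIA.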

Procurement Q&A

Q: Is Mistral AI a European company?

A: Yes. Mistral AI is a French startup headquartered in Paris (15 rue des Halles, 75001 Paris), founded April 2023, valued at €6 billion as of June 2024.[11][20]

Q: Where is data stored and processed?

A: Primary hosting in Sweden via Google Cloud Platform, with backup in Ireland. As of February 2025, Mistral added USA to GCP processing locations without prior notification.[6][1] Mistral is also building a €1 billion data center near Paris.[5]

Q: Does Mistral use my data to train models?

A: Depends on product:

  • La Plateforme API: NO. Contractual guarantee that API data is not used for training.[15]
  • Le Chat: MAY use data for training UNLESS you opt out. Opt-out is now available to all plans (Free, Pro, Team, Enterprise) as of Feb 6, 2025 privacy policy update.[10][4]

Q: Is Zero Data Retention (ZDR) available?

A: Le Chat: NO ZDR on any plan (architectural limitation for conversation history).[8]

API: 30-day audit log retention. Enterprise ZDR contracts may be available but are not publicly documented - contact Mistral sales directly.

Self-deployment: Full control over retention.

Q: What was the Feb 2025 GDPR complaint about?

A: A French lawyer filed a complaint with the CNIL (French data protection authority) alleging that only Le Chat Pro subscribers (EUR 14.99/month) had a one-click opt-out button to disable training on their data, while free users were required to email privacy@mistral.ai — a more cumbersome process that violates GDPR Article 12 (right to easy exercise of data subject rights). CNIL has NOT yet issued a decision. Post-complaint, Mistral updated its privacy policy on Feb 6, 2025, adding email-based opt-out for free users, but the disparity in ease of opt-out between free and paid users persists.[2][3][21][4]

Q: What compliance certifications does Mistral have?

A:

  • ✅ SOC 2: Available to clients on request[13]
  • ⚠️ ISO 27001: In progress (not yet completed)[14]
  • ✅ GDPR compliant: French company subject to GDPR
  • ❌ HIPAA: Not mentioned in public documentation

Q: Can I restrict data processing to EU only?

A: Not by default as of Feb 2025 (USA processing added).[1] Options:

  • Contact Mistral Enterprise sales to negotiate EU-only processing
  • Use self-deployment for full control over data location

Q: How long is data retained?

A:

  • API: 30 days (audit logs only, then automatic deletion)[7]
  • Le Chat: Until user manually deletes conversation or account[8]

Q: What models are available for self-deployment?

A: Mistral 7B, Mixtral 8x7B, Mixtral 8x22B, Mistral Large (123B parameters). All available under permissive open-weight licenses.[20][16]

Q: What is Mistral's relationship with Microsoft Azure?

A: Strategic partnership launched 2024. Mistral models (Large 2, Mixtral, Nemo, etc.) available via Azure AI Foundry as Model-as-a-Service (MaaS) or real-time endpoints. Azure deployment is governed by Microsoft's DPA and compliance framework (separate from Mistral's own cloud).[20][22]


Notes & Caveats

⚠️ Feb 2025 USA expansion: Mistral expanded Google Cloud Platform subprocessor to include USA processing (in addition to EU) without prior notification to customers. This change also coincided with a notification policy update - Mistral now only notifies of subprocessor additions/replacements, not modifications.[1]

⚠️ No Le Chat ZDR: Zero Data Retention is architecturally impossible on Le Chat because conversation history requires persistent storage. This applies to ALL plans including Enterprise.[8]

⚠️ ISO 27001 in progress: ISO 27001 certification is listed as "in progress" and not yet completed as of Oct 2025.[14]

⚠️ Training opt-out required: Unlike some competitors, Le Chat's default is that user data may be used for training. Users must actively opt out.[10]

✅ EU company advantage: As a French company, Mistral is directly subject to GDPR and French DPA (CNIL) oversight, which may provide stronger enforcement compared to non-EU vendors.

✅ Open-weight models: Mistral's commitment to open-weight models (Mistral 7B, Mixtral) enables self-deployment, giving enterprises full control over data and eliminating cloud vendor risk.

⚠️ GDPR complaint history: A French lawyer filed a complaint with CNIL in Feb 2025, alleging that only Le Chat Pro subscribers had a one-click opt-out button (violating GDPR Article 12), while free users had to email privacy@mistral.ai. CNIL has NOT yet issued a decision. Post-complaint, Mistral added email-based opt-out for free users (Feb 6, 2025 policy update), but the opt-out remains more cumbersome for free users than for paid subscribers. CNIL issued guidance on GDPR legal bases for AI training in June 2025. The episode demonstrates reactive rather than proactive privacy posture.

✅ Not subject to US CLOUD Act: As a French company incorporated under French law, Mistral is not subject to US government data access demands under the CLOUD Act, unlike US-based AI vendors.

✅ Mistral Compute (June 2025): Launched own compute infrastructure with 18,000 NVIDIA chips in France, reducing dependence on Google Cloud Platform.

✅ Koyeb acquisition (Feb 2026): Mistral's first acquisition adds cloud deployment capabilities for European customers.

✅ Le Chat privacy ranking: Le Chat topped an independent AI privacy ranking (Feb 2026), recognising its training opt-out and EU hosting.


Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Mistral AI in production environments - especially when personal data, trade secrets, or regulated information are processed.

WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation.

Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Key areas requiring direct verification with Mistral:

  • Enterprise Zero Data Retention availability and pricing
  • EU-only processing options and pricing
  • ISO 27001 completion timeline
  • Custom DPA terms for highly regulated industries

Prepared and issued by WAIMAKERS B.V. - March 2026.


References

  • https://mistral.ai/static/doc/fr-politique-de-confidentialite.pdf - Mistral AI Privacy Policy (February 6, 2025)
  • https://www.lefigaro.fr/secteur/high-tech/rgpd-mistral-ai-accuse-d-exploiter-illegalement-les-donnees-personnelles-de-ses-utilisateurs-20250212 - Le Figaro: Mistral AI GDPR Complaint
  • https://help.mistral.ai/en/collections/789666-trust-security-compliance - Mistral AI Trust, Security & Compliance
  • https://help.mistral.ai/en/articles/347617-do-you-use-my-user-data-to-train-your-artificial-intelligence-models - Mistral AI: Training on User Data Policy
  • https://help.mistral.ai/en/articles/156194-does-mistral-ai-exploit-users-data-to-train-its-models - Mistral AI API Training Policy
  • https://trust.mistral.ai/ - Mistral AI Trust Center and Subprocessors
  • https://docs.mistral.ai/deployment/self-deployment/overview - Mistral AI Self-Deployment Documentation
  • https://sifted.eu/articles/mistral-privacy-policy-gdpr-news - Sifted: Mistral privacy policy update and GDPR complaint coverage
  • https://legal.mistral.ai/ai-governance/ai-systems/le-chat - Mistral AI: Le Chat EU AI Act classification and governance
