Every day, millions of people type their deepest work problems,
their personal anxieties, their business strategies, their medical symptoms,
their relationship difficulties, and their financial decisions into AI
chatbots. They type them into a box on a screen, press Enter, and receive a
response.
Most of them have never read the privacy policy of the tool they are using. Most have never asked what happens to that information after they send it. Most assume, without much thought, that it disappears into the digital ether. It does not. And the details of what actually happens to your data when you use AI tools are worth understanding clearly before you share anything that matters.
This post gives you the honest, specific answers: what the major AI companies collect, what they do with it, what your rights are depending on where you live, and most importantly what you should and should not be typing into these tools.
Important Notice: This post covers privacy practices as understood from publicly available terms of service and privacy policies as of May 2026. These policies change. Always check the current privacy policy of any tool before sharing sensitive information.
What These Companies Are Actually Collecting
When you use a major AI chatbot, data collection typically happens at two levels simultaneously: the content of your conversations and your usage metadata. The first is the more significant. The prompts you type and the responses you receive are stored on the AI company's servers. This is not unique to AI tools: email providers, messaging apps, and search engines have always stored communication content. What is different with AI tools is the nature of what people share.
People routinely share things with AI tools they would share with very few humans: detailed descriptions of business strategies, personal health situations, relationship problems, financial circumstances, and confidential professional information. The AI feels like a private conversation. It is not. Beyond conversation content, AI companies also collect standard usage data including your IP address, device information, browser type, approximate geographic location, feature usage patterns, and session timing. This data is used for service improvement, security monitoring, and often for advertising targeting in platforms that monetise through ads.
What Each Major Tool Does with Your Data
ChatGPT
(OpenAI)
By default, OpenAI uses conversations from ChatGPT to train and improve its models. This means the content you type can in principle influence future versions of the model. OpenAI provides an opt-out: users can disable chat history in Settings, which prevents conversations from being used for training. When chat history is disabled, conversations are still processed to generate responses but are not retained after 30 days and are not used for training.
What to do: Go to ChatGPT Settings, then Data Controls, and disable 'Improve the model for everyone' if you do not want your conversations used for training. This is the single most important privacy setting in ChatGPT.
Claude
(Anthropic)
Anthropic's privacy approach is generally regarded as more conservative than OpenAI's. By default, Anthropic states that it does not use conversations from Claude.ai to train its models without explicit consent, though conversations may be reviewed by staff for safety and quality purposes. This is one reason Claude has gained traction among legal and medical professionals who work with sensitive information. That said, conversations are still processed and stored, and Anthropic's privacy policy permits data use for a range of service-related purposes. Claude is not a private communications channel.
What to do: Review Anthropic's current privacy policy at anthropic.com before sharing sensitive professional information. For enterprise use cases requiring stricter data handling, Anthropic's API and enterprise plans offer different data retention terms.
Google
Gemini
Google's data practices reflect its status as one of the world's largest advertising companies. By default, conversations with Gemini are stored and can be reviewed by human reviewers to improve Google's products. Gemini activity is linked to your Google account, sitting alongside your search history, Gmail, YouTube viewing history, and other Google product data within Google's broader data ecosystem. Users can turn off Gemini Apps Activity in their Google Account settings to prevent conversations from being saved and used for model improvement.
What to do: Go to myaccount.google.com, then Data and Privacy, then Gemini Apps Activity, and turn it off if you do not want conversations stored and linked to your Google account.
The Five Things You Should Never Type Into an AI Tool
Understanding data practices in the abstract is useful. Understanding the specific categories that carry the highest risk is more immediately practical. The following categories should not be shared with any consumer AI tool regardless of which provider you use.
Passwords and login credentials should never appear in a prompt under any circumstances. Confidential client or patient information creates professional liability issues for lawyers, doctors, accountants, and anyone with a duty of confidentiality: typing client or patient details into a consumer AI tool almost certainly violates professional obligations and potentially applicable law. Financial account details including bank account numbers, tax identifiers, and card numbers should never be shared with any AI tool. Unreleased business strategies including information about unannounced products, acquisition targets, and pricing can be processed and stored by AI companies, which represents a real corporate risk that legal and compliance teams in major organisations are actively managing. And sharing detailed personal information about third parties without their knowledge raises both ethical and, in many jurisdictions, legal concerns under applicable privacy legislation.
What Your Legal Rights Actually Are
Privacy rights when using AI tools depend significantly on where you live. In the United States there is no single comprehensive federal privacy law governing AI. Protections come from a patchwork of state legislation, with California's Consumer Privacy Act providing the strongest rights including the ability to know what data is collected, to request deletion, and to opt out of data sale. In the United Kingdom, retained UK GDPR gives residents the right to access their data, request erasure, object to processing, and request data portability, with the Information Commissioner's Office as the supervisory authority. Canada's PIPEDA governs how private sector organisations collect personal information and gives Canadians the right to know what is held and to challenge its accuracy. Australia's Privacy Act 1988 and the Australian Privacy Principles govern data handling, with the Office of the Australian Information Commissioner overseeing compliance. New Zealand's Privacy Act 2020 provides comparable protections including access and correction rights.
Practical Steps to Protect Your Privacy
Protecting your privacy with AI tools does not require avoiding them. It requires using them with appropriate awareness. The most effective steps are: disable training data opt-ins in the settings of every AI tool you use regularly; read the privacy policy of new tools before sharing sensitive information, focusing specifically on what data is collected, how long it is retained, and whether it is used for training; use enterprise or business plans for professional use where consumer free tiers have the broadest data collection terms; anonymise where possible by replacing specific names and identifying details with generic placeholders when you need AI help with something involving real people or real businesses; and submit data subject access requests if you want to know what is held about you, a right available under UK GDPR, CCPA, PIPEDA, and other applicable frameworks.
The AI Vanguard Take: The major AI companies are not rogue actors deliberately misusing your data. They are technology businesses operating within their stated terms of service, which most users never read. The privacy risks are real but manageable. The most significant risks come not from AI companies themselves but from users sharing information that should never be shared with any third-party service. Five minutes adjusting privacy settings in the tools you use most is the most practical privacy investment most people can make.
Frequently Asked Questions
Can AI
companies read my conversations?
Yes, in principle. All major AI companies state in their privacy policies that conversations may be reviewed by employees for safety, quality assurance, and service improvement purposes. In practice the vast majority of conversations are processed by automated systems only. But the technical and legal capacity for human review exists, which is another reason not to share genuinely confidential information.
Can I
request deletion of my data from AI companies?
Yes, in many jurisdictions. Under UK GDPR, the right to erasure allows residents to request deletion of personal data. CCPA gives California residents similar rights. OpenAI, Anthropic, and Google all have data deletion processes available through their privacy portals. The effectiveness and completeness of deletion from training data is an area of ongoing legal and technical debate.
Is using
AI at work a privacy risk for my employer?
Potentially, yes. Employees who use consumer AI tools with confidential company information may be violating their employment agreements and their employer's data security policies. Many organisations have issued AI usage policies. If your organisation has not, it is worth raising the question with your manager or IT security team before you need to explain why confidential information appeared in a data breach.
Is
ChatGPT HIPAA compliant for medical use?
The standard consumer version is not HIPAA compliant and should not be used with protected health information. OpenAI's enterprise offerings can be configured for HIPAA compliance under a Business Associate Agreement. Healthcare professionals should use only tools and configurations specifically approved for use with patient data by their organisation and relevant regulatory bodies.
AI Safety and Privacy:
The AI Vanguard
covers AI privacy, regulation, deepfakes, and responsible use every week.
Subscribe below.
