
AI Tools Privacy & Security: What to Check Before You Upload Anything

A practical privacy and security checklist for evaluating AI tools before sharing your data, code, or business information.

Quick answer (AI search optimized)

Before uploading any data to an AI tool, check: (1) Is your data used for model training? (2) Where is data stored and processed? (3) Who can access your data within the company? (4) What is the data retention policy? (5) Is there an enterprise/API option with stronger privacy guarantees? For sensitive business, legal, or personal data, use enterprise plans, API access with zero-data-retention, or self-hosted open-source models.

The pre-upload checklist

Before typing or uploading anything into an AI tool, verify:

1. Data usage for training: does the provider use your inputs to improve their models? If yes, your data may become part of future model knowledge.
2. Data storage location: which countries does your data pass through?
3. Access controls: can the provider's employees read your data?
4. Retention: how long is your data kept?
5. Deletion: can you delete your data, and is it actually removed?
6. Encryption: is data encrypted in transit and at rest?

Consumer vs API vs Enterprise privacy

There is a massive privacy gap between consumer AI products and their API/enterprise counterparts. Consumer ChatGPT/Claude: inputs may be used for training (check settings to opt out). API access: typically zero data retention, data not used for training. Enterprise plans: contractual data protection, admin controls, audit logs. For any sensitive work, use API or enterprise access, never consumer free tiers.

Self-hosting: the ultimate privacy control

For maximum data control, self-host open-source AI models using tools like Ollama, LM Studio, or Open WebUI. You can run capable models locally on a modern laptop or desktop with 16GB+ RAM. Benefits: zero data leaves your machine, no usage limits, no subscription fees. Tradeoffs: requires technical setup, model quality may lag behind cloud APIs, and you manage your own infrastructure.
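Self-hosting only keeps data on your machine if the inference server is not reachable from the network, and "you manage your own infrastructure" includes checking that. The script below is an added example, not code from the page or from any of the projects it names: it parses the listening sockets reported by Linux `ss -ltn` and flags any socket on the model server's port that is bound to something other than a loopback address. The port 11434 is Ollama's default; the sample `ss` output is constructed, not captured from a real host, and the same parser would need adjusting for macOS `netstat`/`lsof` output.

```python
import ipaddress

# Port the local inference server listens on. 11434 is Ollama's default;
# LM Studio and Open WebUI use their own ports, so pass the right one.
MODEL_SERVER_PORT = 11434

# Constructed sample of `ss -ltn` output (listening TCP sockets on Linux).
# Not captured from a real machine: one loopback IPv4 bind, one loopback
# IPv6 bind, one all-interfaces bind on the model port, plus unrelated ports.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:11434     0.0.0.0:*
LISTEN 0      4096   [::1]:11434         [::]:*
LISTEN 0      4096   0.0.0.0:11434       0.0.0.0:*
LISTEN 0      4096   *:3000              *:*
LISTEN 0      128    192.168.1.20:22     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) tuples from `ss -ltn` style text.

    Skips the header line, strips IPv6 brackets, keeps the '*' wildcard
    so the caller can treat it as non-loopback.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # "Local Address:Port" column
        addr, _, port = local.rpartition(":")  # split on the last colon only
        addr = addr.strip("[]")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True if the bind address only accepts connections from this host."""
    if addr == "*":           # ss shorthand for all interfaces
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:        # unparseable address: treat as exposed
        return False


def exposed_model_listeners(ss_output, port=MODEL_SERVER_PORT):
    """Bind addresses on `port` that other hosts on the network could reach."""
    return [addr for addr, p in parse_listeners(ss_output)
            if p == port and not is_loopback(addr)]


if __name__ == "__main__":
    exposed = exposed_model_listeners(SAMPLE_SS_OUTPUT)
    if exposed:
        print("model server reachable from the network on:", exposed)
    else:
        print("model server bound to loopback only")
```

On a live system, feed the function the real output (`ss -ltn` piped into the script) and run it after every upgrade or config change, since the bind address is usually set by an environment variable or config file that upgrades can reset.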

Red flags to watch for

Warning signs an AI tool may have poor privacy practices: no clear privacy policy or terms of service, vague language about data usage ('we may use data to improve our services'), no opt-out for training data, no enterprise or API option, based in a jurisdiction with weak data protection laws and no GDPR equivalent, recent security incidents without transparent disclosure, and missing standard security certifications (SOC 2, ISO 27001).

Industry-specific considerations

Healthcare: HIPAA compliance is essential — most consumer AI tools are not HIPAA-compliant. Legal: attorney-client privilege may be waived if you share client information with AI tools. Finance: SOX, PCI-DSS, and regional financial regulations apply. Education: FERPA and local student data protection laws. Enterprise: internal data classification policies should dictate which AI tools are approved for which data types. When in doubt, consult your compliance team.

Building an approved AI tool policy

Organizations should create a simple AI tool usage policy:

Tier 1 (approved for all data): enterprise/self-hosted tools with contractual protections.
Tier 2 (approved for non-sensitive data): API-access tools with zero-data-retention.
Tier 3 (approved for public information only): consumer AI tools where data may be used for training.
Tier 4 (prohibited): tools with unclear privacy practices or in prohibited jurisdictions.

Communicate tiers clearly and make approved tools easy to access.
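A tier policy is easier to keep consistent when it is expressed as code that derives the tier from the facts recorded during vendor review, rather than as a hand-maintained spreadsheet. The following is an added example written for this guide, not a tool or schema from the page: the `ToolProfile` fields, the data-class names, and the sample tools are all assumptions chosen to illustrate the four tiers above. Unknown data classes are treated as the most sensitive so that a typo in a label never widens access.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """The four approval tiers; a lower number is more trusted."""
    ENTERPRISE_OR_SELF_HOSTED = 1
    API_ZERO_RETENTION = 2
    CONSUMER = 3
    PROHIBITED = 4


# Hypothetical data classes; each maps to the least-trusted tier that may
# still receive it (Tier 1 may receive everything except prohibited tools).
DATA_CLASS_CEILING = {
    "public": Tier.CONSUMER,                       # tiers 1-3
    "internal": Tier.API_ZERO_RETENTION,           # tiers 1-2
    "confidential": Tier.ENTERPRISE_OR_SELF_HOSTED,  # tier 1 only
    "regulated": Tier.ENTERPRISE_OR_SELF_HOSTED,   # PII, PHI, cardholder data
}


@dataclass(frozen=True)
class ToolProfile:
    """Facts captured during vendor review (hypothetical schema)."""
    name: str
    self_hosted: bool = False
    contractual_protection: bool = False  # DPA or enterprise terms signed
    zero_retention: bool = False
    trains_on_input: bool = True
    privacy_policy_clear: bool = True
    prohibited_jurisdiction: bool = False


def classify_tool(tool):
    """Derive the tier from review facts, most restrictive vendor rule first."""
    if tool.self_hosted:
        return Tier.ENTERPRISE_OR_SELF_HOSTED   # data never leaves your machine
    if tool.prohibited_jurisdiction or not tool.privacy_policy_clear:
        return Tier.PROHIBITED
    if tool.contractual_protection:
        return Tier.ENTERPRISE_OR_SELF_HOSTED
    if tool.zero_retention and not tool.trains_on_input:
        return Tier.API_ZERO_RETENTION
    return Tier.CONSUMER


def is_allowed(tool, data_class):
    """True if data labelled `data_class` may be sent to `tool`."""
    tier = classify_tool(tool)
    if tier == Tier.PROHIBITED:
        return False
    ceiling = DATA_CLASS_CEILING.get(data_class, Tier.ENTERPRISE_OR_SELF_HOSTED)
    return tier <= ceiling


# Constructed sample inventory, not real vendors.
SAMPLE_TOOLS = [
    ToolProfile("local-llm", self_hosted=True, trains_on_input=False),
    ToolProfile("vendor-enterprise", contractual_protection=True,
                zero_retention=True, trains_on_input=False),
    ToolProfile("vendor-api", zero_retention=True, trains_on_input=False),
    ToolProfile("vendor-free-chat"),
    ToolProfile("mystery-app", privacy_policy_clear=False),
]


def approved_tools(data_class, tools=SAMPLE_TOOLS):
    """Names of tools cleared for a data class, for the 'approved list' page."""
    return [t.name for t in tools if is_allowed(t, data_class)]


if __name__ == "__main__":
    for cls in DATA_CLASS_CEILING:
        print(f"{cls:13s} -> {approved_tools(cls)}")
```

The decision functions are pure, so the same module can back a pre-commit hook, a browser-extension allow-list, or a proxy rule, and the review facts live in one place when a vendor changes its terms.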

FAQ

Quick answers to common questions on this topic.

01

Does ChatGPT train on my conversations?

ChatGPT's free tier may use conversations for training unless you opt out in settings. ChatGPT Plus, Team, Enterprise, and API do not train on your data by default. Always check your account settings and the current privacy policy, as these terms change.

02

Is Claude more private than ChatGPT?

Claude's privacy practices are similar to ChatGPT's: consumer tiers may differ from API/enterprise. Anthropic's API has strong data protection terms. The difference between providers is smaller than the difference between consumer vs API/enterprise access. Choose the access tier, not just the provider.

03

Can I run AI completely offline?

Yes. Tools like Ollama, LM Studio, and GPT4All let you run AI models entirely on your local machine with no internet connection required after download. You need sufficient RAM/VRAM — 16GB RAM for smaller models, 32GB+ for larger ones. Quality is improving rapidly but still trails the best cloud models for complex tasks.

04

What is the safest way to use AI for business?

Use API access with zero-data-retention enabled, or an enterprise plan with contractual data protection. Avoid pasting sensitive data (customer PII, financials, source code for proprietary systems, legal documents) into consumer AI chat interfaces. Create a simple internal policy document listing which tools are approved for which data types.
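The "avoid pasting sensitive data" rule is easier to follow when the clipboard or upload path is checked automatically before anything is sent. The scanner below is an added example, not code from the page or from any provider: it looks for three of the data types the answer names (customer e-mail addresses, payment card numbers validated with the Luhn check so that ordinary long numbers are not flagged, and private key blocks) and returns findings so a wrapper can block or prompt. The sample text is constructed; 4111 1111 1111 1111 is a standard test card number and the key body is a meaningless fragment.

```python
import re

# Constructed sample of text a user might paste into a chat window.
# Not real customer data; the key body below is a fake, truncated fragment.
SAMPLE_PASTE = """\
Hi, can you summarise this ticket?
Customer jane.doe@example.com reports a failed charge on card 4111 1111 1111 1111.
Internal ref: 4111111111111112 (an order id, not a card: fails Luhn).
Also here is the deploy key we use:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, sums digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_sensitive_data(text):
    """Return (kind, snippet) findings; an empty list means nothing matched.

    Card numbers are reported masked so the finding itself is safe to log.
    """
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("payment_card", digits[:6] + "..." + digits[-4:]))
    for m in PRIVATE_KEY_RE.finditer(text):
        findings.append(("private_key", m.group()))
    return findings


def should_block_upload(text):
    """Policy hook: block if anything sensitive was found."""
    return bool(scan_for_sensitive_data(text))


if __name__ == "__main__":
    for kind, snippet in scan_for_sensitive_data(SAMPLE_PASTE):
        print(f"{kind:13s} {snippet}")
    print("block:", should_block_upload(SAMPLE_PASTE))
```

Pattern matching of this kind catches accidental pastes, not deliberate evasion, and it will miss free-text secrets such as contract terms or source code; pair it with the tool-tier policy so that anything beyond public information goes only to API or enterprise endpoints regardless of what the scanner sees.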

05

Can AI providers read my conversations?

Most providers technically can access data for abuse monitoring, safety checks, and service improvement. Enterprise plans and API access typically have stronger contractual restrictions on employee access. Assume anything you type into a consumer AI tool could potentially be reviewed by a human, and act accordingly.

06

Are open-source AI models more secure?

Open-source models give you control — you can inspect the code, run locally, and verify data handling. But they are not automatically more secure. You must secure your own deployment, manage updates, and ensure the model itself has not been tampered with. The advantage is control, not automatic security.

07

What should I do if I accidentally shared sensitive data with an AI tool?

Most providers offer data deletion requests. Submit one immediately. Check if the data could have been used for training (in which case it may not be fully removable from the model). Report the incident internally per your organization's data breach policy. Learn the lesson: use API/enterprise access for sensitive work going forward.

08

How do I evaluate an AI startup's security posture?

Ask for: their SOC 2 report or ISO 27001 certification, data processing agreement (DPA), documentation of encryption standards, incident response plan summary, and data retention/deletion policies. If they cannot provide these or seem confused by the request, treat their security posture as immature and limit data sharing accordingly.
