Privacy & AI

Using AI means making choices about data provenance, retention, and control. Most users never think about it; professionals can’t afford not to.

What happens to your prompt

1. It travels over HTTPS to the provider’s API.
2. It’s logged — typically for 30 days, sometimes longer — for abuse detection.
3. On some tiers it becomes training data for the next model. On business/enterprise/API tiers it usually does not.

Opt-out vs. opt-in

Consumer tiers are usually opt-out (your data is used for training unless you disable it). API and enterprise tiers are opt-in (you have to explicitly allow training). Always check the policy for the exact product you’re using, not what the company did two years ago.

The three-tier privacy stack

1. Cloud frontier models. Most capable. Your data leaves your machine. Appropriate for public or low-sensitivity work.
2. Cloud models with enterprise zero-retention. Signed contracts guarantee no training, deletion on request. The default for most companies.
3. Local models. Ollama + Llama 3 / Qwen / Mistral running on your hardware. Slower, less capable, but data never leaves your machine. Appropriate for sensitive work.

PII and the training-data question

Models have been caught memorizing training data: literal phone numbers, email addresses, chunks of copyrighted text. This is a live legal and ethical question. For your own applications: redact PII before sending to any LLM. It’s five lines of regex and it sleeps you well at night.

The EU / UK angle

GDPR treats prompts as personal data when they reference a living person. The UK’s Online Safety Act adds obligations for AI products accessed by minors. When you build internationally, the strictest jurisdiction’s rule is your floor.