Privacy & Safety
Does ChatGPT save your conversations? Which AI trains on your data? Which is safe for legal, medical, or HR work? Plain English answers — no legal jargon.
Based on published privacy policies as of 2026 · Not legal advice · Always verify with your provider
| AI | Plan | Privacy rating | Saves chats? | Trains on data? | Human review? | Data location | GDPR | Notes |
|---|---|---|---|---|---|---|---|---|
| Claude for Work | Team / Enterprise | Safe | | | | US | | Zero data retention on Enterprise. Anthropic's gold standard for confidential work. |
| ChatGPT Team / Enterprise | Team / Enterprise | Safe | | | | US | | Data not used for training. 30-day retention window. DPA available. |
| Mistral API | API (all tiers) | Safe | | | | EU | | French company, EU data residency by default. Best option for EU businesses with strict GDPR requirements. |
| Llama (self-hosted) | Open source | Safe | | | | Your servers | | Complete privacy — data never leaves your infrastructure. Requires technical setup. |
| Claude Free / Pro | Free / Pro | Caution | | Opt-out | Possible | US | | Conversations may be reviewed for safety. Can opt out of training in settings. Not suitable for client-confidential work. |
| ChatGPT Free / Plus | Free / Plus | Caution | | Opt-out | Possible | US | | On by default, conversations stored and may be used for training. Opt out in Settings → Data Controls. Not for sensitive work. |
| Gemini Advanced | Advanced / Workspace | Caution | | | | Google infrastructure | | With Google Workspace: data not used for training. Without Workspace: standard Google data practices apply. |
| Gemini Free | Free | Risky | | | | Google infrastructure | Partial | Human reviewers can read conversations. Data used to improve Google products. Avoid for anything confidential. |
| Grok | All tiers | Risky | | | Possible | US | Partial | Tied to your X/Twitter account. Less transparent privacy practices than other frontier providers. No enterprise DPA. |
| DeepSeek | All tiers | Risky | | | | China | | Chinese company, data stored in China and subject to Chinese data laws. Banned for government/regulated industry use in many countries. Do not use for any confidential or business data. |
Different jobs have different risks. Here's a plain-English guide by use case.
Attorney-client privilege requires data never leaves your control. Only zero-retention enterprise tiers are appropriate.
HIPAA requires a Business Associate Agreement (BAA). Only OpenAI Enterprise and some cloud providers offer this.
Employee data is sensitive personal data under GDPR and similar laws. Enterprise tiers with DPAs are required.
Financial data is regulated in most jurisdictions. Enterprise tiers with explicit no-training guarantees are the safe choice.
For non-sensitive personal use (writing help, learning, general questions), all paid tiers are fine. Just don't paste sensitive data.
Mistral is a French company with EU data residency — the easiest path to GDPR compliance for EU businesses.
Never paste anything into an AI chat that you wouldn't be comfortable seeing on the front page of a newspaper. Even with enterprise tiers and opt-outs, treat AI as a semi-public space until you have a signed DPA and zero-retention guarantee from your provider. When in doubt — paraphrase, anonymise, or don't use AI at all.
Yes, by default. ChatGPT Free and Plus store your conversations and may use them to train future models. You can opt out in Settings → Data Controls → Improve the model for everyone. ChatGPT Team and Enterprise do not train on your data.
It depends on your work. For general tasks with no sensitive data — drafting, brainstorming, research — ChatGPT Plus is fine. For confidential client work, legal matters, medical data, or HR — you need ChatGPT Enterprise or a zero-retention provider like Mistral.
Claude Pro and ChatGPT Plus have similar privacy practices — both save conversations and both let you opt out of training. For enterprise use, Claude for Work and ChatGPT Enterprise are both solid. Mistral is the most private mainstream option for EU businesses due to EU data residency.
For personal, non-sensitive use, DeepSeek is fine. For any business, legal, medical, HR, or government data — no. DeepSeek is a Chinese company and data is stored in China, subject to Chinese data laws. It has been banned in several countries for government use.
OpenAI, Anthropic, Google, and Mistral all offer GDPR-compliant options — but the consumer free tiers are not appropriate for personal data processing under GDPR. You need a Data Processing Agreement (DPA) with the provider. Mistral is the easiest option for EU businesses as data stays in the EU by default.
On free tiers, yes — human reviewers can access conversations for safety review and model improvement. On paid consumer plans, it's possible but less common. On enterprise tiers with zero data retention, no. If privacy is essential, use an enterprise plan or self-host Llama.
Claude for Work (Team/Enterprise), ChatGPT Enterprise, or Mistral API for EU companies. For maximum privacy with no third-party involvement, self-host Llama 4 Maverick — your data never leaves your servers.
Go to ChatGPT → Settings → Data Controls → toggle off 'Improve the model for everyone'. This stops your conversations being used for training but doesn't delete past conversations. To delete all history: Settings → Data Controls → Delete all chats.