AI

Your Data, Their Rules

Which AI tool should you actually trust with your data? The answer depends on what you're putting in, and what each company is allowed to do with it.

James

4 min read
Share
Your Data, Their Rules
You decide what to type. They decide what to keep.

Which AI tool should you actually trust with your data? The race does not answer this question. Here's what does.

Over the past three weeks, we have covered who the major AI players are, what they believe, and how they are competing. This is the issue that brings it home.

Because the most important question is not which model scores highest on a benchmark or which company is growing fastest. It is this: when you type something into an AI tool, where does that information go, who can see it, and what are they allowed to do with it?

That is a data question. And the answers vary significantly depending on which tool you are using.

Your Input, Their Pipeline

Every AI tool processes your input in order to generate a response. That is unavoidable. The model has to read what you wrote to reply to it. The question is what happens after that.

Depending on the tool and your account settings, your inputs may be stored, reviewed by human contractors for quality improvement, used to train future versions of the model, shared with third parties, or retained indefinitely. Or none of the above. The range is wide.

Most people do not read the terms of service or privacy policies before using these tools. That is understandable. They are long, dense, and written by lawyers. But the decisions buried in those documents have real consequences for anyone using AI with sensitive information.

🚀 MARTY SAYS

"In space, you check your oxygen supply before you leave the airlock. Not after. Data privacy works the same way. The time to understand what a tool does with your information is before you put sensitive information in it."

How the Four Players Handle Your Data

Anthropic / Claude
Anthropic does not use your conversations to train its models by default on paid plans. For free users, data handling depends on your settings. Anthropic has been relatively transparent about its data practices and publishes documentation on how it handles enterprise data. For professional or sensitive use, Claude's enterprise tier offers a Zero Data Retention option, meaning conversations are not stored at all after the response is generated. That is a meaningful level of protection most consumer tools do not match.

OpenAI / ChatGPT
OpenAI has updated its policies multiple times in response to user concerns. By default on free plans, conversations can be used to improve the model. Paid plans offer more control, including the ability to turn off conversation history. ChatGPT's enterprise plan includes stronger data isolation, including a Zero Data Retention option similar to Anthropic's.

There is a recent precedent worth knowing. As part of the New York Times' ongoing copyright lawsuit against OpenAI, a court ordered OpenAI to retain all user conversations indefinitely, including chats users had deleted. OpenAI fought the order and has since returned to its standard 30-day deletion practice for new data. But a limited set of historical user data from April through September 2025 must still be preserved. Zero Data Retention enterprise customers were exempt from the order. The lesson: what an AI company promises about your data can be overridden by a court order in a lawsuit you have nothing to do with. Privacy policies are not the floor. They are the starting point.

The Microsoft relationship adds another layer. When you use Copilot through a Microsoft product, Microsoft's enterprise data terms apply rather than OpenAI's.

Google / Gemini
Google's data practices are the most complex of the four because Gemini is deeply integrated with Google's broader ecosystem. Your Gemini conversations in Google Workspace are subject to your Workspace agreement, typically with strong enterprise protections. Your conversations in the consumer Gemini app may be reviewed by human reviewers and used to improve Google products. Understanding which Google product you are using and what agreement governs it matters.

xAI / Grok
xAI's data practices are the least documented of the four. Grok is integrated with X, and the terms governing your data involve both xAI's and X's privacy policies. The corporate structure has also changed significantly. Following xAI's February 2026 absorption into SpaceX and operation as SpaceXAI, Grok user data now flows through a defense-adjacent corporate structure rather than a standalone AI company. The transparency gap is real. That is not necessarily evidence of bad practices, but a meaningful absence of the kind of documentation the other three provide.

WHERE YOUR DATA ACTUALLY LIVES

Once you submit a prompt, your data exists in one or more of these states:

In transit. Moving between your device and the AI company's servers. Encrypted in most cases, but the company sees it on arrival.

At rest. Stored on the company's servers for a set retention period. Could be 30 days, longer, or indefinite depending on the tool and tier.

In training data. Used to improve future versions of the model. Once a prompt enters training data, it cannot be removed.

The settings page tells you which states apply.

Safe Harbor: Three Things You Can Do This Week

  • Find the data and privacy settings in your most-used AI tool. Look for options to limit data retention or opt out of training data use. Most tools have these — most users have never looked.
  • Establish a personal rule for sensitive information. Before you type something into an AI tool, ask: would I be comfortable if this were reviewed by someone at that company? If not, reconsider.
  • Check whether your organization has an AI usage policy. If it does, make sure you know what it says. If it doesn't, that is information worth flagging.

Next week: we begin Month 4. A new format, new topics, and the first of our current events issues. The AI Players Series has given you the foundation. Now we put it to work.

Read more