What Happens to My Data When I Use an AI Service?

28 March 2026

The Journey Your Data Takes

When you type a prompt into an AI service, or send data through an API, here is what typically happens:

1. Transmission. Your data travels from your device to the provider's servers. Reputable providers encrypt this in transit using TLS. If they do not, stop using them immediately.
2. Processing. The AI model processes your input to generate a response. During processing, your data exists in the provider's server memory.
3. Response delivery. The output is sent back to you, again encrypted in transit.
4. Post-processing retention. This is where things diverge significantly between providers.

How the Major Providers Handle Your Data

Here is an honest breakdown of the major providers as of March 2026. Note that policies change, so always verify the current terms for your specific plan tier.

OpenAI (ChatGPT, GPT API)

• Consumer ChatGPT (free and Plus): By default, your conversations can be used to train future models. You can opt out in settings, but many users do not know this.
• ChatGPT Team and Enterprise: Data is not used for training. Conversations are encrypted at rest. Enterprise offers additional data residency options.
• API: Data submitted via the API is not used for training by default. Retained for up to 30 days for abuse monitoring, then deleted.

Microsoft (Azure OpenAI, Copilot)

• Azure OpenAI Service: Your data stays within your Azure tenant. Not used for model training. Not accessible to OpenAI. Processed in your selected Azure region.
• Microsoft 365 Copilot: Processes data within your Microsoft 365 tenant. Subject to your existing Microsoft data processing agreements. Does not train foundation models on your data.
• Consumer Copilot (free): Less clear data protections. Conversations may be reviewed for safety purposes.

Google (Gemini, Vertex AI)

• Vertex AI (enterprise): Customer data is not used to train Google's models. Processed within your selected region. Subject to Google Cloud's data processing terms.
• Gemini consumer: Conversations may be used to improve Google's services, including AI models. You can control this in your Google account settings.

Anthropic (Claude)

• API: Data is not used for model training. Retained for up to 30 days for safety evaluation, then deleted.
• Claude consumer: Free-tier conversations may be used for training. Paid plans offer clearer data protection.

The Hidden Data Risks Most Businesses Miss

Beyond the headline policies, there are subtler risks that catch businesses off guard:

Employee Shadow AI Usage

Your data governance policy is only as good as your employees' compliance with it. Research consistently shows that a significant proportion of employees use consumer AI tools for work tasks without their employer's knowledge. They paste customer data into ChatGPT. They upload contracts to Claude. They feed financial figures into Gemini.

Each of those actions potentially sends your business data to a third party under consumer terms, not enterprise terms.

Prompt Injection and Data Leakage

If you build AI applications that process external inputs (customer messages, uploaded documents, web content), there is a risk of prompt injection attacks causing your system to leak data it has access to. This is not theoretical. It is a documented and actively exploited vulnerability class.

Derived Data and Metadata

Even when a provider does not retain your raw input, the metadata can be revealing. What times you use the service, how many tokens you process, what categories of queries you send. For a competitor or hostile actor, this metadata tells a story.

Sub-Processor Chains

Your AI provider may use sub-processors for infrastructure, monitoring, safety evaluation or content filtering. Your data may pass through these sub-processors even when the primary provider has strong data protection commitments. Always check the sub-processor list.

What UK Law Says

Under UK GDPR, if you process personal data through an AI service, you remain the data controller. Your responsibilities include:

• Lawful basis: You need a legal basis for processing personal data through the AI service (legitimate interest, consent, contractual necessity, etc.)
• Data processing agreement: You need a DPA with your AI provider that covers GDPR requirements
• Privacy notice: Your privacy notice should inform individuals that their data may be processed by AI systems
• Data protection impact assessment: Required for high-risk processing, which many AI use cases qualify as
• International transfers: If your AI provider processes data outside the UK, you need appropriate safeguards (Standard Contractual Clauses, adequacy decision, etc.)

The UK's Data (Use and Access) Act 2025 adds further requirements around automated decision-making, including enhanced rights for individuals to understand and challenge automated decisions.

A Practical Checklist for Your Business

Before adopting any AI service, work through this:

1. Read the data processing terms. Not the marketing page. The actual data processing agreement or terms of service.
2. Check the training policy. Is your data used to train or improve models? Can you opt out? Is the opt-out technical (data genuinely excluded) or just contractual (they promise not to but architecturally could)?
3. Verify data residency. Where is your data processed and stored? Which jurisdiction's laws apply?
4. Review sub-processors. Who else handles your data in the chain?
5. Choose business-tier plans. Consumer plans almost always have weaker data protection than business or enterprise tiers. The price difference is your data protection premium.
6. Implement an acceptable use policy. Tell your employees which AI tools they can use, what data they can input, and what is prohibited.
7. Audit regularly. Providers change their terms. Check quarterly at minimum.

Is This Right For You?

If your business handles any sensitive data (customer information, financial records, employee data, intellectual property), this is not optional. You need to understand what happens to your data in every AI service you use.

If you only use AI for genuinely non-sensitive tasks (grammar checking public-facing content, generating marketing images from generic prompts), the risk is lower but not zero. Establish baseline policies anyway.

If you are in a regulated industry (financial services, healthcare, legal, education), treat this as urgent. Your regulator expects you to have documented controls around AI data processing, and enforcement is increasing.

Frequently Asked Questions

Does ChatGPT use my data for training?

On free and Plus consumer plans, yes by default, though you can opt out in settings. On Team, Enterprise and API plans, your data is not used for training. Always check which plan tier your business is on.

Is my data safe with enterprise AI plans?

Enterprise plans from major providers (Azure OpenAI, ChatGPT Enterprise, Vertex AI) offer significantly stronger data protection than consumer plans, including no training on your data, encryption at rest, and data processing agreements. However, no service is zero-risk. Review the terms and sub-processor lists.

Do I need a DPIA for using AI services?

Under UK GDPR, a Data Protection Impact Assessment is required for high-risk processing. Most AI use cases involving personal data qualify as high-risk. If your AI processes customer data, employee data or makes automated decisions about individuals, you should conduct a DPIA.

Can my employees use free AI tools for work?

Technically yes, but it is risky. Free-tier AI tools typically have weaker data protection and may use your data for model training. Implement a clear acceptable use policy specifying which AI tools are approved and what data can be input.