When you use an AI tool for your business, your data is processed by the provider’s servers — and what happens next depends entirely on which provider you chose and which plan you’re on. Some providers use your inputs to train future models by default. Others never do. A 2025 Cisco survey found that 92% of businesses are concerned about AI data privacy, yet only 35% have reviewed their AI vendors’ data policies. The gap between concern and action is where risk lives.
Key Takeaways
- Major AI providers have very different data policies — some train on your data by default, others never do
- Business and enterprise tiers almost always offer stronger privacy protections than free or personal plans
- GDPR and CCPA apply to AI data processing, and non-compliance carries significant fines
- A data processing addendum (DPA) is your most important legal protection when using AI tools
- You can protect customer data with practical steps that don’t require a legal team
What Happens to Your Data When You Use AI Tools
Every time you enter text, upload a file, or connect an AI tool to your business software, a data transaction happens. Here’s what’s typically involved:
- Input processing — Your prompt or data is sent to the provider’s servers, processed by the AI model, and a response is generated.
- Temporary storage — Most providers temporarily store your inputs and outputs for abuse monitoring and debugging. Retention periods vary from 0 to 30 days.
- Training usage — Some providers feed your inputs back into future model training. This is the most important policy to check.
- Third-party sharing — Some providers share data with sub-processors (cloud hosting, content moderation services). This is usually disclosed in their privacy policy.
AI Provider Data Policies: Who Trains on Your Data
Here’s what the major AI providers do with your business data as of early 2026. Policies change frequently, so verify before signing up.
OpenAI (ChatGPT, GPT API)
- Free/Plus plans: Your data may be used for model training by default. You can opt out in settings, but this is not the default.
- Team/Enterprise plans: Data is not used for training. Period. This is contractual.
- API: Data submitted through the API is not used for training by default (since March 2023).
- Retention: API inputs retained for 30 days for abuse monitoring, then deleted. Enterprise has zero-retention options.
Anthropic (Claude)
- Free/Pro plans: Conversations may be used to improve models, with the ability to opt out.
- Business/Enterprise: No training on your data. Contractual commitment.
- API: Not used for training by default. 30-day retention for trust and safety.
Google (Gemini)
- Free Gemini: Google may use conversations to improve products and train models.
- Google Workspace with Gemini: Workspace data is not used for training Gemini models. Covered by existing Workspace data processing terms.
- Vertex AI (API): Customer data is not used for model training.
Microsoft (Copilot)
- Free Copilot: Microsoft may use prompts and responses to improve models.
- Copilot for Microsoft 365: Your data stays within your Microsoft 365 tenant. Not used for training foundation models.
- Azure OpenAI Service: Your data is not used for training. Covered by Azure data processing terms.
Provider Comparison Summary
| Provider | Free Tier Trains on Data? | Business Tier Trains on Data? | API Trains on Data? | DPA Available? |
|---|---|---|---|---|
| OpenAI | Yes (opt-out available) | No | No | Yes (Team+) |
| Anthropic | Yes (opt-out available) | No | No | Yes (Business+) |
| Yes | No (Workspace) | No (Vertex) | Yes | |
| Microsoft | Yes | No (M365 Copilot) | No (Azure) | Yes |
The pattern is clear: free tiers have weaker protections. Business and API tiers are where the real privacy commitments live. For any serious business use, the $20-30/month per seat cost for a business tier is the baseline investment. See our guide to choosing the right AI tools for your specific needs.
GDPR Basics for SMBs Using AI
If you serve any customers in the European Union — even if your business is based in the US — the General Data Protection Regulation (GDPR) applies to how you process their data, including through AI tools.
What GDPR Requires for AI Usage
- Lawful basis for processing — You need a legal reason to process customer data through AI (consent, legitimate interest, or contractual necessity).
- Data minimization — Only process the minimum customer data necessary for the AI task. Don’t dump entire customer records into an AI tool when you only need a name and email.
- Right to explanation — If AI makes automated decisions about customers (credit scoring, application filtering), they have the right to know how the decision was made.
- Data Processing Agreement — You need a DPA with your AI vendor that specifies how they handle EU resident data.
- Data transfer safeguards — If data leaves the EU (most US-based AI providers), adequate transfer mechanisms must be in place (typically Standard Contractual Clauses).
Penalties: Up to 4% of global annual revenue or 20 million euros, whichever is higher. For a business doing $2 million in revenue, that’s an $80,000 maximum fine. Enforcement is real — over 2,000 GDPR fines have been issued since 2018.
CCPA Requirements for AI Data Processing
The California Consumer Privacy Act (CCPA) and its amendment, the CPRA, apply if you do business in California or collect data from California residents and meet certain thresholds (annual revenue over $25 million, or data on 100,000+ consumers).
What CCPA Requires
- Disclosure — Tell customers what personal information you collect and how you use it, including through AI processing.
- Opt-out right — Customers can opt out of the “sale” or “sharing” of their personal information. Some AI data processing may qualify as “sharing” under CCPA.
- Data deletion — Customers can request deletion of their personal information, including data you’ve sent to AI providers.
- Non-discrimination — You can’t provide worse service to customers who exercise their privacy rights.
Practical implication: If a customer requests data deletion, you need to be able to tell your AI vendor to delete their data too. Make sure your vendor supports this before you start processing customer data through their tools.
How to Write a Data Processing Addendum
A Data Processing Addendum (DPA) is a legal agreement between your business and your AI vendor that specifies how customer data is handled. Most major AI vendors have standard DPAs you can sign. But you should understand what’s in them.
Key Sections Every DPA Should Include
- Scope of processing — What data, for what purpose, for how long.
- Sub-processors — Who else gets access to your data (cloud hosting providers, content moderation services).
- Data security measures — Encryption, access controls, incident response procedures.
- Data retention and deletion — How long data is kept and what happens when the agreement ends.
- Breach notification — How quickly the vendor will notify you of a data breach (72 hours is the GDPR standard).
- Audit rights — Your right to verify the vendor’s compliance with the agreement.
- International transfers — How cross-border data transfers are handled (Standard Contractual Clauses, adequacy decisions).
Most small businesses don’t need to draft a DPA from scratch. Request the vendor’s standard DPA and review it against this checklist. If key sections are missing, that’s a red flag about the vendor’s data maturity.
Practical Steps to Protect Customer Data
You don’t need a privacy lawyer on retainer. These steps cover the fundamentals and take less than a week to implement.
Audit Your Current AI Data Flows
Make a simple spreadsheet listing every AI tool your business uses. For each tool, document: what customer data it accesses, where that data is stored, whether the vendor trains on your data, and when the vendor’s DPA was last reviewed. This inventory alone puts you ahead of most small businesses. Our automation guide covers how to set up AI workflows with data protection built in.
Implement Data Classification
Not all data needs the same level of protection. Create three tiers:
- Public — Can go into any AI tool (marketing copy, public product descriptions, general questions).
- Internal — Business-tier AI tools only (financial projections, employee information, strategic plans).
- Restricted — Requires specific approved tools and processes (customer PII, health records, financial account numbers).
Update Your Privacy Policy
Your website’s privacy policy should disclose that you use AI tools to process customer data. You don’t need a 20-page rewrite. Add a section that covers: which types of AI tools you use, what customer data they may process, how that data is protected, and how customers can exercise their privacy rights.
Set Up Data Anonymization for AI Workflows
When you need AI to analyze customer data — support ticket trends, buying patterns, feedback analysis — anonymize the data first. Remove names, email addresses, and account numbers before sending data to AI tools. Many AI tasks work just as well with anonymized data. The customer insight you need from “John Smith at [email protected] complained about shipping” is the same as “Customer complained about shipping.”
Train Your Team
A 30-minute training session covering what data can go into AI tools, what can’t, and who to ask covers 90% of the risk. Do this once, refresh it when you add new AI tools, and make it part of onboarding for new employees.
When Professional Setup Makes a Difference
If your business handles sensitive data at scale — healthcare records, financial data, children’s information, or data from EU residents — the cost of getting privacy wrong significantly exceeds the cost of getting it right the first time. A professional AI deployment includes data flow mapping, vendor assessment, DPA review, and privacy-by-design configuration that’s hard to DIY without domain expertise. Schedule a call to see if your situation warrants it.
Frequently Asked Questions
Does ChatGPT use my business data to train its models?
On the free and Plus plans, yes — by default. On Team and Enterprise plans, no. If you’re using the API, no. The distinction is critical: if you’re entering customer data on a free plan, you’re contributing to model training unless you manually opt out in settings.
Do I need to comply with GDPR if my business is in the US?
If you collect or process data from EU residents — even through your website — yes. GDPR applies based on where the data subject is located, not where your business is based. For a US small business with occasional EU customers, practical compliance means having a DPA with your AI vendors and including GDPR disclosures in your privacy policy.
What’s a Data Processing Addendum and do I need one?
A DPA is a legal agreement specifying how your AI vendor handles your data. If you process any customer personal data through AI tools, you should have one. Most major AI vendors offer standard DPAs — you just need to sign them. It’s free and typically takes 10 minutes.
Can AI tools comply with data deletion requests?
Most business-tier AI tools support data deletion requests, but the implementation varies. Some delete data within 24 hours, others within 30 days. API-only tools typically retain data for abuse monitoring (usually 30 days) and then auto-delete. Check your vendor’s specific policy and include this in your DPA review.
What’s the biggest privacy mistake small businesses make with AI?
Using free-tier AI tools for business data. Free plans almost always have weaker privacy protections, longer data retention, and may use your data for training. The $20-30/month per user cost of a business plan is the single most impactful privacy investment you can make.
