Privacy Rules by Vendor

How the major AI platforms handle your data, by plan tier. Last updated: February 23, 2026.

Each tier lists a risk rating and six attributes. Note the difference between "Training: Opt-out available" (a product setting the vendor can change at any time) and "Contractual no-training: Yes" (a commitment in the commercial agreement); only the latter is a guarantee. "Human review" covers access by vendor staff or contractors for safety and abuse monitoring, which a training opt-out does not switch off.

Informational only — not legal advice. Vendor policies change frequently; always verify current terms directly with each vendor and consult qualified legal counsel for compliance decisions.

ChatGPT (OpenAI)

Free (plan: Free)
Risk: Critical
Training: Opt-out available
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Consumer-grade. Conversations may be used to train models by default. Users can opt out in Settings → Data Controls, but this is a product setting, not a contractual guarantee, and it does not stop safety review: staff and contractors may still review chats for abuse monitoring.

Plus / Pro (plan: Plus / Pro)
Risk: High
Training: Opt-out available
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Still consumer-grade despite the subscription. The training opt-out is available in settings but is not contractually guaranteed, and OpenAI can change the policy at any time. No business-level admin controls and no compliance certifications.

Team / Business (plan: Team / Business)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Fixed
Human review: Likely
Certifications: SOC 2 Type II, GDPR-aligned

Data is not used for model training by default, and the commitment is contractual. SOC 2 Type II certified. However, third-party contractors can still review conversations for abuse monitoring without explicit customer permission, and retention is fixed at roughly 30 days with no admin control.

Enterprise (plan: Enterprise)
Risk: Low
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, GDPR-aligned, HIPAA-ready (with BAA), ISO 27001, FedRAMP (select offerings)

Contractual no-training guarantee. Admin-configurable retention. Human access to conversations only with explicit customer permission, except where required by legal obligation. HIPAA-ready once a BAA is signed. SOC 2 Type II, GDPR alignment, ISO 27001, and FedRAMP for select offerings.

Claude (Anthropic)

Free (plan: Free)
Risk: High
Training: Opt-out available
Contractual no-training: No
Retention control: Configurable
Human review: Likely
Certifications: None

Consumer-grade. Following the 2025 consumer policy changes, chats are used for training unless the user opts out, and retention increased significantly for accounts that allow training. The opt-out is a manual privacy setting that should be verified after any policy update. No business-level compliance guarantees or admin controls.

Plus / Pro (plan: Pro)
Risk: High
Training: Opt-out available
Contractual no-training: No
Retention control: Configurable
Human review: Likely
Certifications: None

"Pro" is still a consumer account, not a business plan. Following the 2025 policy changes, retention can extend up to five years for users who allow training. The opt-out is available but carries no contractual guarantee. Solo practitioners should note the lack of enterprise protections.

Team / Business (plan: Team)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, GDPR (DPA available)

Contractual "no training on customer data" guarantee. Admin-controlled data retention. SOC 2 Type II, SAML SSO, SCIM provisioning, and audit logs. A DPA is available for GDPR compliance, and the Commercial Terms of Service include explicit confidentiality obligations.

Enterprise (plan: Enterprise)
Risk: Low
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, GDPR (DPA), HIPAA-ready (with BAA), ISO 27001

Contractual no-training guarantee. Admin-controlled retention, including the option to disable chat history entirely. HIPAA-ready once a BAA is signed. Fine-grained RBAC, audit logs, an optional client-side encryption mode, and SSO/SCIM.

Gemini (Google)

Free (plan: Gemini App, free)
Risk: Critical
Training: Yes (default)
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Consumer product. Data may be used to improve Google AI models by default, and Google staff may review conversations for quality and safety. Any user-level activity setting that limits this is a product control, not a contractual commitment. No business-level security guarantees. Not appropriate for business or confidential data.

Plus / Pro (plan: Gemini Advanced)
Risk: Critical
Training: Yes (default)
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Still a consumer product despite the premium price. Data may be used to improve models, and human review is possible. No business controls, workspace isolation, or DLP. Not suitable for confidential business data.

Team / Business (plan: Gemini in Google Workspace)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, GDPR, HIPAA (with BAA)

Business-grade. Customer data is not used to train models outside the customer's own domain. Gemini respects existing Google Workspace access permissions, so a user can only surface content they could already open. Includes DLP controls, IRM, comprehensive audit logs, and AI-based classification. Covered by Workspace's SOC 2 and ISO 27001 programs.

Enterprise (plan: Gemini Enterprise)
Risk: Low
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 42001 (AI), FedRAMP High, HIPAA (with BAA), GDPR, BSI C5

Highest tier. Adds data sovereignty controls, customer-managed encryption keys (CMEK), client-side encryption (CSE), External Key Manager, and VPC Service Controls. ISO 42001 for AI management and FedRAMP High for government workloads. Full HIPAA compliance support with a BAA. Regional processing options.

Grok (xAI)

Free (plan: Free, for X users)
Risk: Critical
Training: Opt-out available
Contractual no-training: No
Retention control: Unknown
Human review: Unknown
Certifications: None

Consumer tier with very limited public documentation on data handling. xAI states that data is not used for training, but that is a policy statement rather than a contractual term, and documentation and independent validation are limited. Retention and human review practices are not publicly documented. Treat as high-risk for any business data.

Plus / Pro (plan: Premium+)
Risk: High
Training: No
Contractual no-training: No
Retention control: Unknown
Human review: Unknown
Certifications: None

xAI states that data is not used for training on any tier, but there is limited public documentation and no independent audit of that claim. Newer platform with a less established track record. Not suitable for confidential business data.

Team / Business (plan: Business)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2, GDPR, CCPA

Launched January 2026. Contractual commitment not to train on business data. SOC 2 report; GDPR and CCPA compliance stated. Centralized admin controls, usage analytics, and SSO. The platform is new, with limited enterprise deployment history.

Enterprise (plan: Enterprise Vault)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2, GDPR, CCPA

Launched January 2026. Enterprise Vault provides premium isolation with dedicated infrastructure, customer-managed encryption keys, and isolated data planes. Custom SSO, SCIM, and RBAC. Rated Medium rather than Low because the platform is still new and maturing.

Perplexity

Free (plan: Free)
Risk: Critical
Training: Yes (default)
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Data is used for model training by default. Broad tracking, including cookies, IP addresses, device information, and search history. No end-to-end encryption. Third-party analytics are active. Not suitable for any business data.

Plus / Pro (plan: Pro)
Risk: Critical
Training: Opt-out available
Contractual no-training: No
Retention control: Fixed
Human review: Likely
Certifications: None

Training opt-out available, but tracking and third-party analytics remain active. No contractual guarantees for business use and no GDPR provisions by default. Not suitable for confidential business data.

Team / Business (plan: Enterprise Pro)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, GDPR (claimed), HIPAA (claimed, unverified)

Contractual no-training guarantee on enterprise data. SOC 2 Type II. GDPR and HIPAA compliance are claimed but not independently verified. Configurable retention. Tracking and cookies are still present, and sub-processor transparency is limited.

Enterprise (plan: Enterprise Pro)
Risk: Medium
Training: No
Contractual no-training: Yes
Retention control: Configurable
Human review: Restricted
Certifications: SOC 2 Type II, GDPR (claimed), HIPAA (claimed, unverified)

Same as the Team / Business tier: Perplexity currently maps enterprise customers to the Enterprise Pro offering. Compliance is claimed but lacks independent verification for GDPR and HIPAA; treat with caution for regulated data.
