
Same model, three sets of rules: a 2026 privacy map for Claude, GPT, and Gemini
The honest answer to "is it safe to put a frontier model in our product?" is: it depends on which door you walked through. The exact same model (Claude, GPT, Gemini) is governed by completely different data terms depending on whether you reach it through the consumer app, the developer API, or a cloud reseller (Bedrock, Vertex, Azure). Most of the confusion in "is it safe?" conversations comes from people comparing a consumer chat window to an enterprise API contract as if they were the same product. They aren't.
The one thing to internalise before anything else: training, retention, and in-use confidentiality are three independent switches. Turning off training does not shorten retention. Short retention does not mean your prompt is encrypted while the GPU is actually crunching it. A provider can be spotless on one and weak on another. Verify all three, separately, per provider. That's the whole job.
Three doors, and behind each one the same three switches, set differently.
TL;DR
- Every major provider's paid/business path contractually excludes training on your data. Every training landmine is on the free/consumer tier, and Anthropic's consumer default flipped to opt-out in late 2025. Retention is a separate story: litigation can freeze even paid standard-API logs (below).
- "30-day deletion" is a default, not a guarantee. Litigation can override it (see the OpenAI/NYT saga below). The only thing that reliably keeps your data out of a discovery order is not storing it, which is what Zero Data Retention (ZDR) buys you.
- On standard endpoints, "we don't look at your prompts" is a policy promise, not math. Confidential computing (GPU TEEs) turns it into a hardware-verifiable guarantee. It exists. The overhead shrinks as models grow, into the single digits and toward zero at frontier scale. It is not the default, so you have to ask.
Do they train on your data?
Anthropic, API and commercial (Claude for Work / Enterprise / Education / Gov, and the API, including Claude Code on a commercial key): No. The Commercial Terms contractually prohibit training on your inputs and outputs. There's no toggle to get wrong.
Anthropic, consumer (Free / Pro / Max, including Claude Code on those accounts): Yes, by default, since late 2025. This is the behavioural change that catches people out. Anthropic announced it on August 28, 2025; the deadline to choose was originally September 28, later extended to October 8, and the toggle defaults to on. To stay out of the training set you have to actively switch off "Help improve Claude" in Privacy Settings. This is the classic shadow-AI trap: an engineer pasting proprietary code into a personal Pro account is quietly opting your IP into a five-year training pipeline.
OpenAI, API / Enterprise / Team / Edu: No. The API has excluded training by default since March 2023; business tiers are governed by the DPA. ChatGPT consumer (Free/Plus) trains by default unless you opt out.
Google, paid Gemini API and Vertex AI: No. But the free Google AI Studio tier: yes. Submitted content can be used to improve models, and human reviewers may read and annotate it. One carve-out: users in the EEA, Switzerland, and the UK get the paid-tier no-training treatment even on the free tier. And don't stop at the developer tools. Google's actual consumer door, the Gemini app, uses your chats to improve Google's services, including training its generative AI models, with human review, unless you turn off the Gemini Apps Activity ("Keep Activity") setting.
The pattern is clean: the business path is safe on training everywhere. The exposure is entirely on the free and consumer tiers, and Anthropic's consumer default flipping to opt-out in 2025 is the one recent change that breaks old assumptions. Govern employee access accordingly.
What do they keep, and for how long?
Anthropic API: inputs and outputs auto-delete within 30 days, unless a Zero Data Retention (ZDR) agreement (nothing stored at all), a legal hold, or a Usage-Policy violation applies. Two numbers worth knowing: policy-flagged content is kept up to 2 years, and the trust-and-safety classifier scores derived from it are kept up to 7 years. Consumer accounts with training left on are retained and de-identified for up to 5 years. Enterprise admins can set custom retention.
OpenAI API: up to 30 days for abuse monitoring, then deleted unless legally required otherwise. Enterprise and Team conversations are admin-controlled; once deleted, they're purged within 30 days.
Google paid / Vertex AI: logged for a limited period for safety, abuse detection, and legal compliance; not used to improve products. Vertex runs under the Google Cloud DPA with EU data-residency options.
The cautionary tale
In May 2025, a judge in The New York Times v. OpenAI ordered OpenAI to preserve ChatGPT and standard API output logs that would normally have been deleted at 30 days. The going-forward part of that order was lifted on September 26, 2025, and OpenAI returned to 30-day deletion, but the logs captured while it was in force (roughly April–September 2025) stayed in storage.
Then a magistrate judge ordered OpenAI in November 2025 to produce 20 million de-identified ChatGPT logs in discovery, and in January 2026 the district judge affirmed that order over OpenAI's privacy objections.
Three groups were never swept up: ZDR API customers, ChatGPT Enterprise, and ChatGPT Edu, because that data was never stored in the first place. (EEA, Swiss, and UK users were also exempt from the preservation.)
The lesson isn't "OpenAI is careless." It's that "30-day deletion" is a default, not a shield against litigation. When a court orders preservation, your provider's retention policy is whatever the court says it is. The only control that reliably keeps your data out of that net is not having it stored, which is exactly what ZDR is for.
The "plaintext on the GPU" problem
Inference needs full, plaintext access to both your prompt and the model weights. That's just how the math works. Privacy-preserving cryptography like homomorphic encryption is nowhere near fast enough to run a frontier model. So at the moment of computation, your data is decrypted in the provider's GPU memory.
TLS protects it in transit. Disk encryption protects it at rest. In use is the gap. On a standard endpoint, "we don't look at your prompts" is a policy promise, not a cryptographic guarantee, and how much it's worth is exactly how much you trust the provider's internal controls. (Anthropic's own confidential-inference white paper, co-authored with Irregular (formerly Pattern Labs), states the plaintext requirement outright.)
Confidential computing
The fix that actually exists is a hardware Trusted Execution Environment (TEE). NVIDIA H100/H200 "confidential computing" mode, paired with CPU TEEs (AMD SEV-SNP, Intel TDX), keeps data encrypted in memory and decrypts it only inside a hardware-isolated enclave that the OS, the hypervisor, and even the cloud operator can't read. Remote attestation lets your client cryptographically verify that the expected, audited code is running before it sends anything.
One buyer's litmus test cuts through the marketing: who terminates the encryption, the provider's front door or the enclave itself? In the weak version, TLS ends at the provider's load balancer, which forwards plaintext into the TEE; that protects the model weights but not your inputs from the provider. In the strong version, your client verifies the attestation and encrypts under the enclave's key, so only the attested enclave can ever decrypt. Both get sold as "confidential inference." Ask which one you're buying.
The overhead is small enough to ship: published H100 benchmarks put average LLM-inference overhead in the single digits, often near zero for large models at long sequence lengths, with bigger hits (double digits) on short-sequence, throughput-bound workloads. The encryption tax is paid per byte crossing the CPU–GPU boundary, not per computation, so it shrinks as models grow. NVIDIA's Blackwell generation (the first TEE-I/O capable GPU, with encrypted NVLink for multi-GPU enclaves) is designed to eliminate even that residual cost.
Who actually runs it today:
- Apple Private Cloud Compute is the largest publicly documented production TEE-based ML deployment, and the one with real verifiable transparency; Apple publishes every production build image for researchers to inspect. And as of WWDC 2026, PCC is expanding beyond Apple's own data centres for the first time, onto Google Cloud: Blackwell confidential computing plus Intel TDX plus Google's Titan chip, with published binaries and independent third-party attestation. That extends the verify-dont’t-trust model across vendors, not just within one.
- Anthropic has published the system design (SEV-SNP/TDX plus H100/H200 CC mode) in a joint white paper with Irregular (formerly Pattern Labs). Whether it is commercially available, and to whom, is not publicly documented. Treat any "confidential inference" availability as something to confirm directly with your account team.
- Specialist clouds (Phala, Nillion, and others) sell confidential LLM inference as a product, and the hyperscalers now sell the raw ingredient: Azure and Google Cloud both offer confidential GPU VMs off the shelf.
Be honest with your tech leads about what this buys you: a TEE converts some trust into hardware-verifiable assurance, but you still trust the silicon vendor (NVIDIA, Intel, AMD), the attestation PKI, and the enclave build pipeline. Side channels sit explicitly outside the vendors' threat models. It reduces the trust you have to extend, but it doesn't zero it.
The map
The reseller door
Claude on Bedrock, Vertex, or Azure Foundry is governed by that cloud's data terms, not Anthropic's, and Anthropic's ZDR does not extend there. So you don't reach for Anthropic's controls; you reach for the host cloud's: KMS-managed keys, VPC isolation, per-region retention settings.
On the flip side, that's often the feature. If you already run on AWS or Google Cloud with a signed DPA, EU data-residency regions, and your own KMS keys, routing Claude through Bedrock or Vertex lets you reuse all of it and back the model with keys you control today. The trade is straightforward: you get your cloud's compliance surface and lose Anthropic's ZDR.
One thing to check rather than assume: customer-managed keys on Anthropic's first-party API. The reseller route gives you KMS-backed keys now; for Anthropic direct, confirm current support with them before you design around it. This is exactly the kind of detail that changes quarter to quarter.
And the reseller door isn't only a Claude story. Azure OpenAI runs Microsoft's own abuse monitoring: flagged prompts and completions can be stored for up to 30 days and reviewed by authorised Microsoft employees, unless you're approved for "modified abuse monitoring," an exemption gated to managed customers meeting Microsoft's Limited Access criteria. Same OpenAI weights as the first-party API.
ZDR
Zero Data Retention is the control that matters most for sensitive workloads.
Anthropic ZDR applies to eligible APIs and any product using a commercial-org API key, Claude Code included. Inputs and outputs aren't stored. Two caveats worth knowing: trust-and-safety classifier results are still retained, and policy-flagged sessions can be kept up to 2 years. It does not cover claude.ai chat, Cowork, or third-party/MCP integrations. And on Claude Code Enterprise, turning ZDR on automatically disables anything that needs server-side storage: Claude Code on the Web, cloud sessions from the desktop app, published Artifacts, and /feedback.
One trade-off that didn't exist a year ago: Anthropic's newest model class (its Mythos-class "Covered Models") requires limited data retention as part of Anthropic's safety programme, which means those models are not available to ZDR organisations at all. ZDR is no longer a free lunch on model selection: you may be choosing between maximum retention protection and the frontier model. Check the covered-model list.
OpenAI ZDR covers eligible enterprise endpoints; you have to qualify and request it. When it's on: not logged, excluded from abuse-monitoring logs, no human review.
One distinction is worth nailing down: ZDR is not confidential computing. ZDR means "we don't store it." A TEE means "we can't read it while we process it." You can have either without the other. High-sensitivity workloads want both.
Compliance baseline
All three carry SOC 2 Type II and ISO 27001, and offer a GDPR DPA with Standard Contractual Clauses. Anthropic additionally holds ISO 42001 (AI management system). Google's Vertex AI adds ISO 27017/27018 and reached FedRAMP High (March 2025); Claude on Vertex is now authorised for FedRAMP High and IL-2.
HIPAA BAA (for health data) is available from Anthropic (eligible services only; web search, for instance, is excluded), OpenAI (enterprise/API), Google Cloud (Vertex), Azure OpenAI, and AWS Bedrock (which covers Claude).
EU data residency comes via Vertex AI EU regional endpoints or Bedrock EU inference profiles.
What to actually do
- Never send customer or proprietary data through consumer/free tiers. API and commercial tiers only. Then go audit for personal Pro/Plus/AI-Studio accounts.
- Sign a DPA. For regulated data, get a BAA on an eligible service or endpoint (check the eligibility list; coverage has holes).
- Treat training-opt-out, retention, and in-use as three separate switches. Verify each, per provider. Don't assume one implies another; it doesn't.
- For sensitive workloads, pursue ZDR, and budget for it. It's gated by spend and approval, not a free toggle. And check the model list: the newest frontier models may be excluded under ZDR.
- If you need a cryptographic in-use guarantee, not just a contractual one, ask the vendor explicitly about confidential inference / TEE plus remote attestation, and ask where the encryption terminates. It's emerging, not universal: availability from frontier providers isn't publicly documented, so confirm with your account team. Most standard endpoints don't offer it.
- Pin your model and your endpoint. A cloud-hosted route (Bedrock/Vertex) is often the cleanest path to EU residency and to reusing compliance you already have, at the cost of inheriting that cloud's data terms.
- Don't treat "30-day deletion" as litigation-proof. A legal hold can override it (see OpenAI/NYT).
If you take one thing away: the model is not the decision. The door is. Pick the endpoint deliberately, verify the three switches, and write the answers down. They'll change, and the next person who asks "is it safe?" deserves better than a shrug.
Follow Our Progress!
We are excited to be realizing our vision above with a full Axoflow product suite.
Sign Me UpFighting data Loss?

Book a free 30-min consultation with syslog-ng creator Balázs Scheidler
