How to Choose an AI Tool You Can Trust With Business Data
The first two guides in this series were about where AI goes wrong. This one is the constructive flip side: AI is genuinely useful, it isn't going away, and the businesses that adopt it well will have a real edge. The skill isn't avoiding AI — it's choosing which tools deserve your data. And you don't need a security team to do that. A handful of clear questions separates a tool you can safely hand business data to from one you can't, and most reputable providers answer them openly. Here's the one distinction that matters most, why "free" deserves a second look, and a short checklist you can run against any AI tool before you trust it.
The one distinction that matters
Strip away the noise and one question decides most of the risk: does the tool retain or train on what you put in, and where is that data stored? Get a clear answer to that and you've handled the bulk of the decision. Everything else — features, interface, price — is secondary.
In plain English, there are two modes. In training-on-inputs, your prompts and files may be used to improve the underlying model — which means they can be retained and, in effect, absorbed into a system you don't control. In zero-retention / no-training, your data is used only to generate your answer and is then discarded; it never feeds the model. The first is common on consumer tools; the second is what business and enterprise tiers are built to offer.
Add one more layer to the same question — location. Data kept within the EU/EEA stays under GDPR protection; data sent outside it becomes a restricted international transfer that needs a lawful safeguard. Retention, training, and residency: answer those three and you know most of what you need.
Why "free" is rarely free
Free consumer tiers often improve their models using your conversations by default. The business, enterprise, and API tiers of the same products usually flip that: no training by default, a defined retention period, EU data-residency options, and a data processing agreement. The old line still holds — if you're not paying, your data may be the product.
But here's the important caveat: paid doesn't automatically mean safe. A paid tool can still retain your data indefinitely, store it in the US, or fail to offer a DPA. Paying for a business tier buys you the right to ask for guarantees — it doesn't grant them automatically. You still have to check. That's what the checklist below is for.
The checklist to vet any AI tool
Run any AI tool through these seven questions before you trust it with business data. If a provider can't answer them from its website or documentation, treat that silence as your answer.
1. Data residency
What good looks like: Your data is stored — and ideally processed — within the EU/EEA, not transferred outside it by default.
2. Retention period
What good looks like: A specific, short retention window — or zero-retention — rather than "we keep data as long as needed".
3. Training opt-out (off by default)
What good looks like: Your inputs are never used to train models by default — not an opt-out buried in settings you have to find.
4. Named sub-processors
What good looks like: A public sub-processor list naming every third party that touches your data, so you can see where it flows.
5. DPA available
What good looks like: A GDPR data processing agreement you can actually review and sign as the data controller.
6. Security certifications
What good looks like: Independent, current certifications such as SOC 2 Type II or ISO 27001 — evidence, not just assurances.
7. Clear deletion process
What good looks like: A documented way to delete your data and get confirmation, not a vague promise.
Match the tool to the sensitivity of the data
Not every use needs the same scrutiny. The checklist isn't optional the moment real business or personal data is involved — but for genuinely low-risk work, almost any reputable tool is fine. Sort the task first, then choose the tool.
Low risk — most tools are fine
- Drafting and rewording generic copy from a non-confidential brief
- Brainstorming ideas and outlines
- Summarising public information or explaining concepts
- General research and "how do I…" questions
- Code or formula help with no real company or personal data
High risk — guarantees required
- Financial records and management accounts
- Personal data — staff or customer
- Client, supplier, or partner confidential records
- Proprietary source code
- Passwords, API keys, or credentials
Why some software deliberately doesn't use AI on your data
When every product is racing to add AI, it's worth saying clearly: not using AI on your data can be the right design decision, not a missing feature. For anything where the answer must be exactly right and auditable — Revenue-rate calculations being a perfect example — a deterministic, rule-based engine is more appropriate than an AI model that produces a plausible estimate. With compliance-critical numbers, "usually correct" isn't good enough.
It's also inherently safer. If your data is never sent to an AI in the first place, there is nothing for an AI to retain, train on, or leak — the entire risk category simply doesn't exist.
In the interest of practising what we preach: we ran this exact checklist against ourselves. Expense.ie calculates mileage and subsistence with a rule-based engine on the current Irish Revenue rates, keeps your data in an EU-hosted database, and never sends it to any AI. You can read the full reasoning in our AI & data stance.