Every time you type something into an AI tool, you are sharing data with a company. Sometimes that data disappears after your session. Sometimes it is stored for months. Sometimes it is used to train the next version of the model. The difference matters — especially when the data belongs to your employer, your clients, or your patients.
Where Does Your Input Go?
When you send a prompt to an AI tool, several things can happen to it:
- Processing: Your input is processed to generate a response. This always happens — it is how the tool works.
- Storage: Many AI services store your conversations for a period of time, ranging from 30 days to indefinitely. Check the service's data retention policy.
- Training: Some services use your inputs to improve their models. This means your data may influence future responses to other users. Most enterprise plans disable this, but free and consumer tiers often do not.
- Human review: AI companies sometimes have employees review conversations for quality assurance, safety monitoring, or model improvement. Your prompts may be read by a real person.
Four Types of Information to Protect
- Personal information: Names, addresses, phone numbers, social security numbers, dates of birth — yours or anyone else's.
- Financial data: Account numbers, salary information, revenue figures, pricing strategies, investment details.
- Health information: Patient records, diagnoses, treatment plans, medication lists. HIPAA applies to AI tools just as it applies to any other system.
- Workplace confidential: Trade secrets, unreleased product plans, internal strategies, personnel decisions, legal matters.
The Bulletin Board Test
Before you paste anything into an AI tool, imagine that text being posted on a bulletin board in your office lobby. If that thought makes you uncomfortable, do not share it with an AI service. This simple test catches most privacy risks before they happen.
Practical Protection Steps
1. Know Your Organization's Policies
Many organizations now have AI usage policies that specify which tools are approved, what data can be shared, and what requires additional safeguards. If your organization does not have a policy yet, ask. The act of asking often prompts the creation of one.
2. Strip Identifying Details
Instead of pasting a real patient case, change names, dates, and identifying details first. Instead of sharing actual financial data, round numbers or use percentages. You can get useful AI assistance without exposing the real data.
3. Use Business-Grade Tools
Enterprise versions of AI tools (like ChatGPT Enterprise, Microsoft Copilot for business, or Google Workspace AI) typically offer stronger privacy protections: no training on your data, shorter retention periods, and compliance certifications. If your organization has access, use these instead of consumer versions.
4. Never Share Credentials
Never paste passwords, API keys, access tokens, or encryption keys into an AI tool. This sounds obvious, but developers do it frequently when debugging code that contains embedded credentials.
5. Think About the Worst Case
For any piece of data you consider sharing, ask: what is the worst thing that could happen if this information became public? If the answer involves legal liability, regulatory penalties, or harm to another person, do not share it.
Work Data vs. Personal Data
The stakes are different. With personal data, you are making choices for yourself. With work data, you are making choices that affect your organization, your colleagues, and potentially your clients or customers. The standard of care for work data should always be higher.
Privacy is not about avoiding AI. It is about using AI thoughtfully, with awareness of where your data goes and who might see it. That awareness is what separates responsible AI use from risky AI use.
