AI Stores All Your Prompts for 30+ Days (Even in Privacy Mode)


As an in-house counsel, I frequently advise on the use of generative AI tools in light of data protection, confidentiality, and contractual obligations. After reviewing the terms of the most used AI tools, I discovered that AI providers store data longer than you probably think.

And the gap between what people think happens and what actually happens is bigger than you’d expect.

The Misconception

A common misconception is that features like privacy modes, temporary chats, or premium subscriptions ensure limited storage or immediate deletion of user inputs and outputs. People see “temporary chat” and think their conversation disappears when they close the window. People pay for premium tiers and assume that means their data gets special treatment.

In practice, this is not the case.

Most major providers, including OpenAI (ChatGPT), Anthropic (Claude), Google (Gemini), Microsoft (Copilot), and Perplexity, retain conversation data for a set period, often around 30 days, to support abuse monitoring, security incident response, and compliance with legal and regulatory obligations. The obligations cited include the GDPR, the Digital Services Act and NIS2, as well as accountability and audit requirements under standards such as ISO 27001 (a voluntary certification standard rather than a law, but one whose controls expect logs and records to be kept).

The 30 days isn't negotiable in the consumer and team products. It's baked into their standard terms. You can turn off training, you can use privacy mode, you can pay for the most expensive subscription tier they offer. Doesn't matter. Your prompts and outputs are still sitting on their servers for at least 30 days. (Some providers offer zero-data-retention terms to API and enterprise customers under a separate negotiated agreement, but that is not what a subscription tier buys you, and the legal-hold exceptions described below still apply even then.)

The Extended Retention Problem

But here’s where it gets worse. Apart from the standard 30-day retention, most major providers include broad exceptions permitting extended retention where necessary for safety and security investigations (misuse, fraud, policy violations, trust and safety matters) or legal requirements (litigation holds, subpoenas, regulatory inquiries, preservation orders).

These exceptions are intentionally flexible to address unforeseen risks or obligations. Which sounds reasonable until you realize what it means in practice: there’s no legal certainty on actual retention periods.

If your company gets involved in litigation six months from now, and opposing counsel subpoenas the AI provider, those "deleted" conversations from your temporary chat session? Still there. Preserved under a legal hold for as long as the hold lasts, which can be years.

If someone at your organization uses the tool for something that triggers a trust and safety review, all prompts from all users at your organization might get flagged for extended retention. You won’t know. You won’t be notified. It just happens.

What Privacy Mode Actually Means

And no, opting out of training, using “temporary chat,” or paying for a premium tier does not change this.

Those settings apply only to model improvement and training. They mean your data won’t be used to make the AI smarter. That’s it. They don’t affect storage, review, disclosure, or retention under legal obligation.

It’s like asking a hotel not to use your feedback to improve their service, while assuming that means they won’t keep your credit card details on file. Two completely different things.

The Encryption Myth

In practice, AI providers generally store prompt and output data encrypted at rest. This protects against someone walking off with a disk, a backup, or a database dump, which is good. But it does not make the data anonymous or inaccessible, because the provider holds the keys. The model has to read your prompt in plaintext to answer it, so the provider's own systems necessarily can too; this is not end-to-end encryption where only you could decrypt the content.

The provider can still access, review, and disclose the content whenever they need to or are required to. Encryption at rest protects the stored bytes from outside attackers. It doesn't protect them from subpoenas, regulatory inquiries, or internal security and trust-and-safety reviews, all of which run with the provider's keys.

This is a critical distinction that many people miss. Encrypted storage is a security measure against theft, not a privacy guarantee against the party that holds the keys.

The Risk Perspective

From a risk perspective, the implications are clear:

There is no assurance of prompt deletion upon request. You can’t call up the AI provider and ask them to delete last week’s conversation immediately. They’ll point to their retention policy and say “we’ll delete it in 30 days, or whenever our legal obligations permit, whichever is later.”

Extended retention cannot be contractually excluded. Even if you’re a large enterprise customer with negotiating power, you’re not getting a clause that says “delete all our data within 24 hours upon request.” The providers won’t agree to it because they can’t guarantee it. Legal holds and regulatory obligations override any contract.

Disclosure to third parties, including authorities, remains a risk. If law enforcement shows up with a warrant, or a regulator issues a request under the DSA, or opposing counsel files a subpoena, your data gets disclosed. You might not even find out about it until discovery in litigation.

What This Means for Organizations

For organizations subject to confidentiality obligations—NDAs, MSAs, internal policies, professional privilege, client confidentiality—the practical implication is clear:

Inputting sensitive or confidential information into these tools may not align with your need-to-know restrictions, contractual obligations, or data minimization principles.

That NDA you signed with a potential acquisition target? It probably says you won’t share confidential information with third parties without written consent. Pasting their financials into ChatGPT to analyze them is sharing with a third party. Even if you’re using privacy mode. Even if you’re paying for premium. The AI provider is a third party, and they’re getting that data.

That attorney-client privileged communication you’re working on? If you run it through an AI tool to clean up the language, you’ve potentially waived privilege by disclosing it to a third party. Different jurisdictions handle this differently, but why take the risk?

That employee performance review, that M&A term sheet, that settlement negotiation strategy, that competitive analysis with market-sensitive information? All of it is sitting on someone else’s servers, potentially for 30 days, potentially longer, potentially subject to disclosure you have no control over.

So How Can We Keep Using AI and Not Breach a Contract?

Do not input information that you do not want an external service provider to retain for 30 days or longer.

It’s that simple.

Treat generative AI tools as third parties with inherent retention risks. Because that’s what they are. You wouldn’t email confidential client information to a random consulting firm and expect them to delete it immediately. Don’t paste it into an AI tool and expect any different.

This doesn’t mean you can’t use AI tools. It means you need to be thoughtful about what you put into them. Summarize public information? Fine. Draft a template email? Fine. Analyze anonymized data? Probably fine, depending on your anonymization. Copy-paste a confidential contract for redlining? Not fine.

The rule is simple: if you wouldn’t be comfortable with this information sitting in someone else’s database for a month, potentially longer, potentially subject to disclosure in litigation or regulatory proceedings, don’t put it in the AI tool.

My Take

In the end, I believe generative AI offers significant efficiency and knowledge gains. The productivity benefits are real. The quality improvements are real. The time savings are real.

But these must be balanced against the retention and disclosure risks embedded in provider policies.

Most organizations haven't done this risk assessment properly yet. They've rolled out AI tools to employees without clear guidelines on what can and can't be entered. They've assumed that privacy mode means privacy. They've assumed that premium tiers come with premium data protection.

These assumptions are wrong, and the gap between assumption and reality creates legal exposure.

The fix isn’t complicated. Clear policies. User training. Technical controls if possible (though most organizations don’t have the resources for private deployments). And most importantly, a realistic understanding of what these tools actually do with your data.

You can use AI safely. You just can’t use it blindly.