We analysed the privacy policies, retention rules and regulatory records of the 10 most-used AI chatbots, then scored how each one handles your data. 9 of them train on your conversations by default and most users have no idea.
- 9/10 use your chats to train AI by default
- 6 platforms have faced fines, bans or formal inquiries
- 1 stores all data in China under intelligence-access law
Covering ChatGPT, Claude, Gemini, Grok, Microsoft Copilot, DeepSeek, Perplexity, Meta AI, Poe and Mistral.
Every figure in this report links to its primary source: the official privacy policy, the regulator’s decision, or first-hand reporting.
Why This Matters
Every day, hundreds of millions of people type things into AI chatbots they would never say out loud: medical symptoms, financial worries, client data, passwords, business strategy. You press enter, you get a useful answer, and the text goes somewhere. Most people have no idea where.
We read the policies that explain it, scored ten of the biggest chatbots, and the single clearest finding is this: 9 of the 10 use your conversations to train their models by default, and on most of them you have to hunt through settings to stop it.
Six of the ten have already faced fines, bans or formal regulatory inquiries. One stores everything in mainland China under a law that compels companies to hand data to the state on request. A US court order recently forced one provider to keep and then hand over conversations users thought they had deleted. None of this is speculation; all of it is in the documents, and all of it is linked below.
Our Research Methodology
We did not survey thousands of people or invent a proprietary index nobody can audit. We did something more defensible: between May and June 2026 we fetched and read the official consumer privacy policy of each of the ten most-used AI chatbots, and cross-checked every factual claim against regulators’ decisions and first-hand reporting.
Then, we scored each platform’s default consumer experience across seven weighted factors for a total of 100 points, where a higher score means stronger privacy.
The 10 Chatbots We Analysed
We selected the ten chatbots with the largest global consumer reach across distinct ownership and jurisdictions.
This table is the spine of the report: each row links directly to the company’s official privacy policy, so any claim that follows can be checked against the source. Where a policy is split across pages (Google and Microsoft in particular), we link the page that governs the consumer chatbot specifically.
| Chatbot | Company | HQ / Jurisdiction | Official Privacy Policy |
|---|---|---|---|
| ChatGPT | OpenAI | United States | View Policy |
| Claude | Anthropic | United States | View Policy |
| Gemini | Google | United States | View Policy |
| Grok | xAI / X | United States | View Policy |
| Microsoft Copilot | Microsoft | United States | View Policy |
| DeepSeek | Hangzhou DeepSeek | China | View Policy |
| Perplexity | Perplexity AI | United States | View Policy |
| Meta AI | Meta Platforms | United States | View Policy |
| Poe | Quora | United States | View Policy |
| Mistral (Le Chat) | Mistral AI | France (EU) | View Policy |
Table 1. The ten chatbots in scope, with direct links to each official privacy policy. Policies fetched and reviewed May-June 2026.
Our Data Sources
Every claim traces to one of four source types:
- The official privacy policies above, fetched directly from each company;
- Regulatory decisions from Italy’s Garante, Ireland’s Data Protection Commission and South Korea’s PIPC, plus the European Data Protection Board;
- First-hand reporting from outlets including CNBC, NPR, TechCrunch and TechRepublic; and
- Independent security research from Wiz, NowSecure and SecurityScorecard.
We avoided aggregators and opinion pieces in favour of primary documents wherever one existed.
How We Scored Them
Scoring the consumer default, not the enterprise tier, is deliberate, because the consumer app is what the overwhelming majority of people actually use.
Each platform was scored on seven factors, weighted by how much each one determines the size and lifespan of your exposure.

Figure 1. The seven-factor scoring framework. Training-by-default and retention carry the most weight.
Why These Weights
- Training-by-default (25) and retention (20) decide the two things that matter most: whether your words become permanent model knowledge, and how long they sit on a server where they can be breached, subpoenaed or reviewed.
- Opt-out availability and regulatory record (15 each) capture whether you have a real choice and whether the company has a track record of breaking the rules.
- Transparency, deletion reliability and encryption round out the picture.
Scores map to six risk bands, from CRITICAL (below 20) to LOW (78+).
Key Takeaways
The findings a reader should walk away with. Each is sourced in full in the sections that follow.
- 9 of 10 chatbots train on your conversations by default. The lone consistent exception is enterprise and API tiers, not the consumer apps people actually use.
- Paying more buys speed, not privacy. ChatGPT Plus, Claude Pro and Gemini Advanced all default to using your chats for training; premium pricing changes your model, not your privacy.
- 60×: allowing training on Claude stretches data retention from 30 days to five years.
- 3 years: Google can keep a Gemini conversation that a human reviewer has seen, even after you delete it.
- Indefinite: DeepSeek and Meta AI set no automatic deletion schedule; your data can persist with no end date.
- A court overrode ChatGPT’s delete button. The New York Times case forced OpenAI to retain conversations users had deleted, and later to hand over 20 million of them.
- No opt-out for US Meta AI users, and from 16 December 2025 your AI chats feed Meta’s ad targeting. EU, UK and South Korean users were spared.
- DeepSeek stores everything in China under a state-access law, was banned in Italy, was ordered to destroy transferred data in South Korea, and leaked over a million chat-log lines.
- 6 of 10 platforms have faced regulatory action: fines, bans or formal inquiries between December 2024 and 2025.
- €530M: The largest fine in our dataset, levied on TikTok’s owner ByteDance for sending EU data to China, the same residency risk DeepSeek carries.
- US users have fewer rights than EU users on the identical product, because the US has no comprehensive federal privacy law.
The AI Privacy Leaderboard
Here is the headline asset: all ten chatbots ranked worst to best on the consumer default tier. The gap between top and bottom is enormous; Microsoft’s Copilot baseline scores 79 while DeepSeek scores 8.
Most of the mainstream tools people reach for first (ChatGPT, Gemini, Grok, Meta AI) land in the medium-high to high risk band, largely because training is on by default and the opt-out is buried or, for US Meta users, absent.

Figure 2. The AI Chatbot Privacy Leaderboard. Consumer / default-tier score out of 100. Higher is safer.
The Master Scorecard
The same ten platforms across the factors that drive the score. “Retention” and “Opt-out” describe the consumer tier; enterprise and API tiers are stronger and are noted in the individual profiles later.
| Chatbot | Score | Risk Level | Data Retention (Consumer) | Opt-out of Training |
|---|---|---|---|---|
| Microsoft Copilot | 79 | Low | 18 months | Yes (Profile > Privacy) |
| Claude | 74 | Low–Medium | 30 days (opt-out) / 5 years (opt-in) | Yes (Settings > Privacy) |
| Mistral (Le Chat) | 68 | Low–Medium | Until account deletion | Yes |
| Perplexity | 51 | Medium–High | Not clearly stated | Yes (AI Data Usage settings) |
| ChatGPT | 47 | Medium–High | 30 days (subject to legal requirements) | Yes (Data Controls) |
| Gemini | 45 | Medium–High | 18 months; reviewed conversations up to 3 years | Yes (may affect certain features) |
| Grok (xAI) | 37 | High | 30 days after deletion | Available through X account settings |
| Poe | 25 | High | Varies by underlying model provider | No unified opt-out mechanism |
| Meta AI | 21 | High | Indefinite retention | No general U.S. opt-out |
| DeepSeek | 8 | Critical | Indefinite retention | No opt-out available |
Table 2. Master scorecard. CRITICAL = active ban or confirmed state-access risk; HIGH = significant unresolved risk; LOW = strongest available consumer protection.
Who Trains On Your Conversations?
To establish the default behaviour, we recorded whether each platform uses consumer conversations for training out of the box and how hard it is to stop.
Nine of the ten do; on three of them, DeepSeek, Meta AI (US) and Poe, there is no clean way to escape it at all. The remaining six offer an opt-out, but training is on by default and, in Grok’s case, the opt-out is buried inside X’s settings where almost nobody finds it.

Figure 3. Training-on-by-default status across the ten chatbots, consumer tier.
How Long Your Data Is Kept
To measure exposure over time, we extracted the retention window each policy specifies for the consumer tier. Retention is the quiet multiplier of risk: the longer your conversations are stored, the larger the window for a breach, a subpoena or a human review.
The range is staggering: from 30 days at best to indefinite at worst. The starkest single example is Claude, where simply leaving training enabled stretches retention from 30 days to five years.

Figure 4. Data retention windows, consumer tier. Hatched bars indicate indefinite or court-ordered retention.
Where Your Conversations Live
To assess jurisdictional risk, we mapped where each company stores and processes data. Where a company is registered matters more than where you sit: it decides which government can compel access and which privacy law you can invoke.
EU residents have rights to access, deletion, portability and objection under GDPR. US users have no equivalent federal right, which is exactly why Meta can deny them an opt-out it grants to Europeans. And DeepSeek argues in its own policy that non-Chinese privacy law may not apply to it at all.

Figure 5. Data residency by jurisdiction. Self-hosting an open-source model (Mistral, or DeepSeek’s weights) is the only option that removes the residency question entirely.
The Privacy Risk Matrix
To show the practical trade-off users face, we plotted mainstream reach and convenience against our privacy-risk score. The uncomfortable truth sits in the top-right cluster: the most convenient, most reach-heavy tools, ChatGPT, Gemini, Meta AI, also carry the most privacy risk. The genuinely safer options either trade away some convenience (Mistral) or live behind an enterprise tier (Copilot).

Figure 6. Convenience vs privacy risk. Bubble colour reflects the leaderboard risk band.
Regulators Are Already Acting
To test whether these risks are theoretical, we compiled the documented enforcement record. They are not theoretical: enforcement accelerated sharply through 2024 and 2025, and the fines are large.
Cumulative GDPR penalties since 2018 now exceed €7 billion, with Ireland’s Data Protection Commission, lead regulator for most US tech firms’ EU operations, responsible for the largest share.

Figure 7. Selected fines and actions against AI and data platforms, December 2024–2025.
| Company | Regulator | Action | Reason |
|---|---|---|---|
| OpenAI (ChatGPT) | Italy – Garante | €15 million fine | Unreported breach, insufficient legal basis for training data, and inadequate age verification measures. |
| DeepSeek | Italy – Garante | Banned (January 2025) | Concerns over data storage in China and inadequate transparency regarding user information. |
| DeepSeek | South Korea – PIPC | Corrective Order | Transferred user prompt data overseas without obtaining proper consent. |
| Grok / X | Ireland – DPC | Formal Inquiry | Investigation into the use of public EU user posts for AI training without a clearly established legal basis. |
| Meta | Ireland – DPC | €251 million fine | Data breach affecting approximately 29 million accounts and security-by-design concerns. |
| TikTok (ByteDance) | Ireland – DPC | €530 million fine | Transfer of EEA user data to China and failures in transparency obligations. |
| Replika (Luka) | Italy – Garante | €5 million fine | Lack of lawful basis for data processing and insufficient age verification controls. |
Table 3. The documented enforcement record. Each reason links to reporting or the regulator’s own decision.
The US Is The Outlier: There is no comprehensive federal privacy law; states such as California, Virginia and Colorado have their own frameworks, but enforcement is patchy and penalties far lower. That gap is precisely why US users receive fewer rights and fewer opt-outs than Europeans using the identical product.
Seven Findings The Data Surfaces
The numbers above point to seven stories worth telling in full. Each is built on primary sources, linked inline.
1. Paying More Does Not Buy You More Privacy
This is the most expensive misconception in AI right now. ChatGPT Plus, Claude Pro and Gemini Advanced all default to using your conversations for training unless you turn it off.
Premium pricing buys faster models and higher limits, not privacy. The only tiers that reliably exclude your data from training are enterprise and API, which cost far more and require technical setup. If you pay $20 a month for a consumer Pro plan and use it for client work, your client data is on the same privacy track as a free user’s.
2. DeepSeek Sends Your Data To China And A Law Lets The Government Read It
DeepSeek’s privacy policy states plainly that it processes and stores personal data in the People’s Republic of China. Under China’s 2017 National Intelligence Law, companies operating there can be compelled to assist state intelligence work without notice or external oversight.
This is not theoretical. In April 2025, South Korea’s regulator found that DeepSeek had transferred user prompt content to a Chinese cloud platform without consent and ordered the data destroyed. Italy banned the app in early 2025. And security firm Wiz found a publicly exposed DeepSeek database, with over a million log lines including plaintext chat history and API keys, sitting open on the internet.
3. ChatGPT Could Not Delete Your Data Even When It Wanted To Because A Court Said So
In the copyright case brought by The New York Times, a US court issued a preservation order in May 2025 forcing OpenAI to retain consumer ChatGPT conversations, even deleted and temporary ones, even for paying users.
OpenAI fought it, calling it an overreach that conflicted with its privacy commitments. The going-forward order ended on 26 September 2025, but conversations from April–September 2025 remain in legal limbo, and in November 2025 the court ordered OpenAI to hand 20 million de-identified conversations to the plaintiffs.
The lesson is structural: once your data sits on a third-party server, a legal hold can override any privacy promise. Separately, Italy’s Garante fined OpenAI €15 million in December 2024 for an unreported breach and an inadequate legal basis for training.
4. Meta AI Has No Opt-Out For US Users And Now Feeds Your Chats To Its Ad Engine
Meta AI is embedded across Facebook, Instagram, WhatsApp and Messenger, and you cannot remove it. From 16 December 2025, Meta began using interactions with Meta AI to personalise content and ads. There is no opt-out for US users; the EU, UK and South Korea were excluded from the launch because they have stronger data-protection laws.
The more you talk to Meta AI, the more your conversations shape what you are sold. As one expert told NPR, regulators are playing “Whack-A-Mole” with apps while no comprehensive US law forces the issue.
5. Gemini’s Human Reviewers Can Read Your Conversations And Keep Them For 3 Years
Google’s own Gemini Apps privacy hub states that conversations reviewed by human reviewers are kept separately and are not deleted when you delete your activity; they are retained for up to three years.
Google explicitly advises users not to share confidential information with Gemini, but the reason why (a human may read it and keep it for years) is buried deep in the documentation. A conversation you have today could be read by a reviewer and held until 2029, even if you delete it tomorrow.
6. Claude Changed Its Privacy Policy In 2025 And Most Users Missed It
Anthropic built its reputation partly on privacy: originally it did not train on consumer data and deleted it after 30 days. That changed. In an August 2025 announcement, Anthropic told Free, Pro and Max users their conversations would be used for training unless they opted out, with an effective date of 28 September 2025.
If training is on, retention extends from 30 days to five years, a 60× increase. The opt-out lives in Settings > Privacy > ‘Help improve Claude’. To Anthropic’s credit, the change was documented publicly, deleted chats are excluded from training, enterprise and API data was never included, and the company states it does not sell user data.
7. Poe Is Not One Chatbot, It Is A Privacy Black Box
Poe, built by Quora, lets you chat with ChatGPT, Claude, Gemini and others through one interface. But when you use Poe to talk to Claude, your data does not travel under Anthropic’s privacy policy; it passes through Poe’s systems first, then to the underlying model under separate terms.
Poe’s own Privacy Center confirms it shares the contents of your chats with OpenAI, Anthropic, Google and Meta, and that its Memory feature carries details from one provider’s bots over to others. You are subject to at least two policies per conversation, with no visibility into which model is handling your data. There is no unified opt-out, and Poe scores lowest of all on transparency.
The Ten Chatbots, One By One
A condensed profile of each platform’s consumer tier. The chatbot name links to its official privacy policy.
ChatGPT: Score 47 / 100 (Medium-High Risk)
Training is on by default for consumer accounts; opt out via Settings > Data Controls. Normal retention is 30 days after deletion, but the NYT preservation order overrode that for April–September 2025 data, which remains held.
Italy’s €15M fine and the ongoing litigation make this a textbook case of how external legal pressure can defeat a privacy setting. Enterprise and API tiers (with Zero Data Retention) were excluded throughout and remain the safe path for sensitive work.
Claude: Score 74 / 100 (Low-Medium Risk)
Since 28 September 2025, Free/Pro/Max accounts default to training; opt out in Settings > Privacy to keep the 30-day window instead of five years.
Anthropic documents its changes on a dated page, excludes deleted chats from training, never trained on enterprise/API data, and states it does not sell data; it is the clearest policy we reviewed. The catch is “shadow AI”: employees using personal accounts for work put company data on the consumer track.
Gemini: Score 45 / 100 (Medium-High Risk)
Training is on by default unless Gemini Apps Activity is turned off, and turning it off also disables useful integrations: a deliberate privacy-versus-functionality trade. The standout risk is the 3-year retention of human-reviewed conversations, which survives deletion. Workspace Enterprise is a different, compliant product; the consumer app is deeply tied to Google’s ad-funded ecosystem.
Grok: Score 37 / 100 (High Risk)
Training is on by default for X users, with the opt-out buried in X > Settings > Privacy and Safety > Grok. After the xAI–X merger, your posts, your in-app Grok interactions and your direct chats are all potential training data. Ireland’s DPC opened a formal inquiry in April 2025 into Grok’s use of EU data. A Private Chat mode exists for sessions you do not want retained.
Microsoft Copilot: Score 79 / 100 (Lowest Risk)
Microsoft 365 commercial Copilot is the strongest baseline we reviewed: tenant-isolated data, no external model training, admin-controlled retention, and SOC 2 / ISO 27001 certification.
Consumer Copilot is weaker, closer to the industry average, but still offers training opt-out and identifier removal. See the Microsoft privacy statement for the per-product detail.
DeepSeek: Score 8 / 100 (Critical Risk)
All data is stored in China; there is no training opt-out; researchers found weak 3DES encryption with hardcoded keys; South Korea ordered transferred data destroyed; Italy banned the app; and Wiz found an exposed database of chat history.
The policy itself argues non-Chinese privacy law may not apply. Avoid anything sensitive; if the capability is needed, self-host the open-source weights.
Perplexity: Score 51 / 100 (Medium Risk)
Training is on by default for consumer accounts; opt out in Settings > AI Data Usage. Consumer retention is not clearly stated. Because Perplexity routes some queries through OpenAI and Anthropic APIs, your data can pass through multiple companies’ systems, a layering it does not prominently disclose. The Sonar API offers Zero Data Retention; consumers do not get that guarantee.
Meta AI: Score 21 / 100 (High Risk)
Indefinite retention, training on both public posts and AI chats, and from December 2025, ad personalisation driven by your Meta AI conversations, with no US opt-out. Meta has drawn multiple large fines (€251M in Ireland; €479M in a Spanish court).
Its privacy policy notes it may even use data about non-users who appear in others’ posts. WhatsApp and Messenger are end-to-end encrypted; AI interactions are not.
Poe: Score 25 / 100 (High Risk)
A wrapper around multiple models with no unified opt-out and no transparency into which model handles a given query. Poe’s Privacy Center states it shares chat contents with OpenAI, Anthropic, Google and Meta, so every conversation is subject to at least two privacy policies.
For meaningful control, use the underlying models through their own apps instead. Lowest transparency score in the study.
Mistral (Le Chat): Score 68 / 100 (Low-Medium Risk)
A French company, incorporated in the EU and subject to GDPR by default, a structural advantage. Training is on by default with an opt-out; Le Chat retains conversations until account deletion, API data for 30 rolling days.
The nuance: Le Chat runs on Microsoft Azure and Google Cloud, so data can be processed outside the EU depending on configuration. Its MIT-licensed open models can be self-hosted, which is the strongest privacy guarantee available. See the Mistral privacy policy.
What You Can Do Right Now
Specific, verified actions for each platform. None of these are hypothetical; they are the actual settings paths as of mid-2026.
| Platform | Action |
|---|---|
| ChatGPT | Settings > Data Controls > turn off “Improve the model for everyone”. Use Temporary Chat for sensitive sessions. Businesses: use Enterprise or API with Zero Data Retention. |
| Claude | Settings > Privacy > turn off “Help improve Claude” (reverts to 30-day retention). If you accepted the Sep 2025 terms without checking, training is on now. For work, use Claude for Work or the API. |
| Gemini | Google Account > Data & Privacy > turn off Gemini Apps Activity (limits some features but stops training). For sensitive work, use Workspace Enterprise only. |
| Grok | X > Settings > Privacy and Safety > Grok > uncheck the training box. Use Private Chat mode for anything you do not want retained. |
| Microsoft Copilot | Consumer: Profile > Privacy > turn off “Help improve Copilot”. Enterprise: confirm with IT that commercial data protection is enabled. |
| DeepSeek | Do not enter sensitive, personal, or professional information because there is no opt-out. If the capability is required, self-host the open-source model. |
| Perplexity | Settings > AI Data Usage > toggle off. For business use, use Enterprise Pro or the Sonar API with Zero Data Retention. |
| Meta AI | EU: submit the objection form. US: there is no effective opt-out; avoid using Meta AI features and review public-post settings. |
| Poe | No unified opt-out exists. Access models through their own platforms instead of through Poe. |
| Mistral | Le Chat: disable training in account settings. For maximum privacy, self-host the MIT-licensed open model. |
Table 4. Practical opt-out and protection steps per platform.
One-Page Summary Of Citable Findings
All findings are drawn from official privacy policies, regulators’ decisions or first-hand reporting, each linked in the body above. Attribute to: SERP Forge, The 2026 AI Chatbot Privacy Report.
- 9 of the 10 most-used AI chatbots train on user conversations by default; the consistent exception is enterprise / API tiers, not consumer apps.
- Only enterprise and API tiers reliably exclude data from training; paying for a consumer Pro plan does not protect privacy.
- Allowing training on Claude increases retention from 30 days to five years (a 60× jump); Google retains human-reviewed Gemini conversations for up to three years even after deletion.
- Six of the ten platforms have faced fines, bans or formal regulatory inquiries between December 2024 and 2025.
- DeepSeek stores all data in China under a state-access law, was banned in Italy, was ordered to destroy transferred data in South Korea, and suffered an exposed database of over a million chat-log lines.
- Meta AI offers no opt-out for US users and, from December 2025, uses AI-chat interactions for ad targeting, a change EU, UK and South Korean users were spared.
- US users have fewer privacy rights than EU users on the identical product, because the US has no comprehensive federal privacy law.
Sources & Limitations
Produced by SERP Forge’s research team, June 2026.
Method: we fetched and read the official consumer privacy policy of each of the ten chatbots, scored the default consumer tier across seven weighted factors (training-by-default 25, retention 20, opt-out 15, regulatory record 15, transparency 10, deletion 10, encryption 5), and cross-checked every factual claim against primary sources.
Primary sources include the official policies of OpenAI, Anthropic, Google, xAI, Microsoft, DeepSeek, Perplexity, Meta, Quora (Poe) and Mistral; regulatory decisions from Italy’s Garante, Ireland’s DPC and South Korea’s PIPC; the European Data Protection Board; and reporting from CNBC, NPR, TechCrunch, TechRepublic, Euronews and others, plus security research from Wiz, NowSecure and SecurityScorecard.
Limitations: scores reflect the consumer / default tier and the policies as published at the time of review; policies and regulatory status change frequently. This document is informational and not legal advice; verify the current policy before making compliance decisions.