As generative AI tools, like ChatGPT, Gemini and others, become more common in the workplace, many companies are eager to integrate this new technology into their workflows.
In the rush, an important question often gets missed: what happens to your internal files once they’re uploaded to an AI platform?
Especially with free or personal versions, uploaded data is often used by the AI platform or vendor to improve and train the models you’re using, which means your uploaded data, prompts and generated responses are at risk of showing up anywhere and everywhere, even as part of a commercial product.
In this post, we’ll walk through the key usage rights you need to understand, the red flags to look for in AI usage terms and the steps your legal or compliance team should take before sharing company documents with any AI tool.
AI tools are showing up in more business settings every day. But behind the convenience, there are real questions about where the inputted information or documents goes once you hit “submit.”
Unless the AI version you use allows you to turn off data sharing, or is under a business license with strict permissions, the content you enter may be used by the AI vendor. Even if you strip out names, certain patterns or phrases can still reveal business details you do not intend to air outside your organization.
Several companies have already run into problems after employees shared internal data with AI tools.
This kind of exposure can’t be undone. Deletion of a document or conversation from an AI platform does not necessarily mean the underlying data is wiped from the vendor’s systems immediately, or at all, depending on their retention policies. Sharing protected information with a third-party platform may violate NDAs, contracts, data privacy laws and professional ethical obligations. It can also erode trust with clients or partners who expect that their information will be handled with care.
We dive into this more in our blog here: Legal Implications of AI Technologies: 6 Tips to Minimize Risk
Passing content into an AI platform often does more than generate an answer. Your information may also be used to train the large language model (LLM) used by the AI provider. Many of these tools amass user inputs to refine their models—unless you’ve taken steps to opt out. Whether or not that’s allowed depends on the platform’s terms and the type of account you’re using.
By the way, what do you think was used to train these models beginning a few years ago? If you used any free information service including search engines (remember 1-800-GOOG411?) your search terms and browsing habits probably helped train a model.
Every version of each AI platform can vary widely in how user data is handled. Some use every prompt or uploaded document to improve their models, while others restrict that practice, especially for paying customers. The key difference often comes down to which version of the tool you're using and what the terms of service allow. In many instances, the top providers of AI-based tools offer separate terms for standard and enterprise users.
Make sure you’re reading the right one! That’s not always discernible. If you aren’t sure, you’re not alone.
Regardless of the platform you choose to use, do not assume your data is protected by default. If LLM training is permitted, your information and inputs may become part of the model’s broader knowledge.
The legal framework that governs AI use and your data usually lives in two places: the Terms of Service (TOS) and the Privacy Policy or Data Processing Agreement (DPA). These documents define how the provider collects, uses, stores and shares all information, including personal information.
The TOS typically applies to all users and outlines the provider’s general rights. A PP or DPA outlines users’ rights (and your rights) in personal information and memorializes specific privacy and security obligations for controllers and processors.
Look for the following phrases when reviewing user agreements:
These terms indicate whether your data stays secure or is used to train the platform. If anything is unclear or vaguely explained, the tool may not be a safe choice. Being aware of the risks is important if you choose to use a platform with ambiguous terms.
Additional note: If you upload restricted data in breach of the agreement and the platform experiences a data breach, you may have no indemnity from the platform and would likely be forced to cover the cost of any civil claims against you. Typically, AI vendors disclaim liability when customers violate their terms, leaving you fully exposed. To reduce some AI-related risks, look into bringing the AI tool's engine and data stores in-house.
The TOS for some AI platforms include clauses that expose your data in ways that aren’t obvious at first glance.
These loopholes make it essential to review every layer of the platform’s policies, not just the primary contract.
Before uploading any internal content to an AI tool, make sure the platform’s usage terms align with your company’s privacy and confidentiality standards. Certain rights and restrictions should be non-negotiable to maintain control over your data.
When companies use AI tools in business settings, some contract terms are too important to concede. These clauses spell out how your data is handled, who can see it and what the vendor is permitted to do.
Look for a direct statement that your data will not be used to train or improve the model. That restriction should cover both what you upload and what the platform generates in return. Check the definitions of
Example: “Your content will not be used to train or improve any AI models, now or in the future.”
The agreement should also confirm that your company keeps your current IP rights in everything you submit. Without that clause, the vendor may claim broad rights to reuse or repurpose your material.
Example: “Customers retain full ownership of all uploaded content, prompts and outputs.”
Finally, make sure the vendor is only processing your data to deliver the service you signed up for. This prevents your information from being shared, stored or analyzed for other purposes.
Example: “Customer content will be used solely for the operation of the tool and in order to perform obligations under this agreement.”
Agreements that include this kind of precise, restrictive language are better equipped to support enterprise-level privacy and legal standards. Anything less creates uncertainty and increases exposure.
Does your financial services company use AI? Read more about the specific AI concerns in the financial industry.
Before sharing company content with an AI platform, stop and review the essentials. A short internal check can help you avoid unnecessary risk and protect against privacy or compliance issues.
Start by asking the right questions:
For experimental use or testing, always work with redacted content or dummy documents. When practical, consider using enterprise-grade tools with sandboxed environments that keep your data isolated and under your control.
Taking these steps up front protects not only your data, but also your ability to use AI tools responsibly as part of your broader business strategy.
Interested in learning more? Read our blog: AI and the Law: Balancing Technological Innovations with Traditional Legal Values
Final Takeaway: Read the Fine Print or Risk the Fallout
Once your documents are uploaded to an AI platform, you may not be able to get them back or control how they are used. If the terms allow for training, retention or sharing, that content could live on in ways your company never intended.
Do not rely on assumptions or default settings.
Make sure legal and compliance teams review the full terms of service and any related agreements before any internal content is shared.
Need help reviewing your AI platform terms? Review our AI legal services to see how we can help you navigate AI with confidence or contact ZeroDay Law for a risk evaluation and guidance tailored to your business.
Take a look at our additional AI legal resources: