
How to Tell If an AI Tool Is Safe (Privacy Checklist)

To tell if an AI tool is safe, check its privacy policy: default training, opt-out scope, retention, human review, jurisdiction, a DPA and certifications.

By Pierre de ONYRI

Telling whether an AI tool is safe before you paste data into it isn't about brand reputation: it's an evaluation grid. Concretely, you check a series of criteria in its privacy policy and terms — does it train on your inputs by default? is there an opt-out, and does it cover the past? how long is retention? is there human review? where is the data hosted? is it encrypted? does it offer a DPA (and a BAA for health data)? what do the terms say about third-party sharing and the “Share” feature? does it hold certifications like SOC 2 Type II or ISO 27001? This article turns that into a checklist — with, for each criterion, where to find the information and the red flag that should stop you.

The first instinct: read, don't trust

An AI tool's safety can't be guessed from the logo. A Stanford HAI study (lead author Jennifer King), published on October 15, 2025 and based on an analysis of 28 policy documents from the six leading U.S. chatbot players — Amazon (Nova), Anthropic (Claude), Google (Gemini), Meta (Meta AI), Microsoft (Copilot) and OpenAI (ChatGPT) — concludes that all six use users' conversations by default to train their models. In other words, for consumer chatbots, the answer to “does it train on my inputs?” is very often yes. The only way to know for a given tool is to read its documentation — not to assume.

According to the same study (covered by the Stanford Report), the training opt-out is not universal: some providers offer a way to opt out, others don't. Some keep data indefinitely, some let humans review transcripts for training purposes, and only some state that they de-identify data before using it — which still leaves a re-identification risk. Three questions follow: does an opt-out exist, does it cover the past, and is de-identification guaranteed?

The checklist: 9 criteria, where to look, the red flag

Here's the grid to run before pasting data into an AI tool. For each row: the question to ask, and the red flag that should make you back off.

| Criterion | Question to ask | Red flag |
|---|---|---|
| Default training | Do my inputs feed model training with no action from me? | Training on by default, especially on a consumer tier |
| Opt-out | Can I decline it, and does declining also cover the past? | No opt-out, or opt-out limited to the future with no deletion of the past |
| Retention | How long are conversations kept, even once “deleted”? | Vague policy on what happens to deleted chats; indefinite retention |
| Human review | Can people read my exchanges? | Unbounded human review, outside the scope of the opt-out |
| Jurisdiction | Where is data hosted, under what law, what transfers outside the EU? | Opaque or non-EU hosting with no transfer safeguards |
| Encryption | Is data encrypted in transit and at rest? | No mention of encryption in transit/at rest |
| DPA / BAA | Is a Data Processing Agreement (and a health BAA) offered? | No DPA for professional use involving personal data |
| Sharing / “Share” feature | What do the terms say about content license, third parties and indexing? | Public/indexable share links, broad license over your content |
| Certifications | SOC 2 Type II and/or ISO 27001, with the scope stated? | “SOC 2” claimed with no Type II and no scope |

Evaluation checklist before pasting data. After the Stanford HAI study (Jennifer King), Article 28 of the GDPR, and Search Engine Land's coverage of share features.

Three criteria that often mislead

A few rows deserve a word, because they're routinely misunderstood — and that's where leaks hide.

  • Retention vs opt-out: these are two different things. Even after opting out of training, many providers retain data (often ~30 days for abuse monitoring), with possible human access, and these processes are frequently excluded from the opt-out. Only a Zero Data Retention regime removes that storage. The tier matters: consumer ChatGPT (Free, Plus, Pro) trains by default — opt-out via Settings → Data Controls → “Improve the model for everyone” — whereas OpenAI states it doesn't train by default on ChatGPT Business/Enterprise or the API (see the OpenAI Help Center, Data Controls FAQ).
  • Certifications: SOC 2 and ISO 27001 don't prove the same thing. ISO 27001 is a certification issued by an accredited body, attesting to an information security management system (ISMS). SOC 2 is an auditor's attestation report on controls assessed against the AICPA's Trust Services Criteria. Crucially, a SOC 2 Type II evaluates the operating effectiveness of controls over a period (several months), whereas Type I only judges their design at a point in time — so demand Type II and its scope.
  • The “Share” feature and the terms: a misunderstood setting can expose everything. In 2025, ChatGPT conversations made public via the “Share” button (the “Make this chat discoverable” option) ended up indexed by Google, and therefore viewable by anyone — a few thousand pages, some revealing names, roles and personal details. OpenAI removed discoverability after the backlash (Search Engine Land, July 31, 2025). Read what the terms and settings allow regarding sharing, content license and indexing.
Diagram: at top, sensitive data (amber) run through a checklist whose boxes stay unchecked (amber crosses) remains exposed; at bottom, anonymized data lets through only tokens (cobalt), every box checked and a validation seal.
After the Stanford HAI study (Jennifer King), Article 28 of the GDPR, and Search Engine Land's coverage of share features. The CNIL's recommendations on chatbots (Article 9, sensitive data) and A&O Shearman's analysis point the same way.

Even a “safe” tool doesn't make pasting safe

You can tick every box and be dealing with a serious tool: that still doesn't make pasting sensitive data inherently safe. Policies and settings can change; an opt-out doesn't always cover the past; abuse monitoring involves human access; a misunderstood share feature can expose everything; and a legal obligation can freeze data that was supposed to disappear. The CNIL, in fact, recommends that chatbots display warnings discouraging the entry of sensitive data and regularly purge irrelevant conversations; “sensitive” data within the meaning of Article 9 of the GDPR (health, biometrics, opinions, sexual orientation…) is subject to strict conditions.

  1. Run the checklist: it's good hygiene, and it weeds out the obviously risky tools.
  2. Pick the right tier (enterprise over consumer if you handle sensitive data at scale) and opt out of training.
  3. But for truly sensitive data, remove it before it leaves the device — that's the only guarantee that doesn't depend on trusting the provider.

That last step ties into our two neighboring guides: “Which AI chatbot is most private?”, which shows that privacy hinges on tier and settings more than on the brand, and “How to anonymize your data before using AI”, which details the move itself. The checklist filters tools; anonymization protects the content whatever tool you end up choosing.

That's exactly what ONYRI Sanitize is for: the engine replaces sensitive data with reversible tokens before sending; detection and the token↔value mapping stay in your browser, and only anonymized text reaches the tool. Whether the tool is “safe” or not, whether it trains, retains or has chats reviewed, it only finds tokens — not your real information.
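
The reversible-token idea described above, as an added example that is not ONYRI Sanitize's code: values are swapped for tokens locally, the mapping never leaves the closure, and the answer is restored afterwards. The three regex detectors, the `sk-` key shape and the `[[TYPE_n]]` token format are assumptions chosen for illustration; they only catch structured identifiers, not names or free text.

```javascript
// Added illustration, not ONYRI Sanitize's code. Patterns and token format are assumptions.
const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "APIKEY", re: /\bsk-[A-Za-z0-9]{20,}\b/g }, // hypothetical key shape
  { type: "PHONE", re: /\+?\d[\d .-]{7,}\d/g },
];

function createSanitizer() {
  // Both maps live only in this closure (the page's memory), never in the request.
  const valueToToken = new Map();
  const tokenToValue = new Map();
  const counters = {};

  function tokenFor(type, value) {
    // The same value always gets the same token, so the model can still
    // tell "this email" from "that email" without seeing either.
    if (!valueToToken.has(value)) {
      counters[type] = (counters[type] || 0) + 1;
      const token = `[[${type}_${counters[type]}]]`;
      valueToToken.set(value, token);
      tokenToValue.set(token, value);
    }
    return valueToToken.get(value);
  }

  const sanitize = (text) =>
    DETECTORS.reduce((out, { type, re }) => out.replace(re, (m) => tokenFor(type, m)), text);

  // Tokens the mapping does not know (e.g. invented by the model) are left untouched.
  const restore = (text) =>
    text.replace(/\[\[[A-Z]+_\d+\]\]/g, (t) => tokenToValue.get(t) ?? t);

  return { sanitize, restore };
}

// Pre-send gate: anything the detectors still match must block the request.
const findLeaks = (text) => DETECTORS.flatMap(({ re }) => text.match(re) || []);

// Constructed sample prompt; every value below is fake.
const SAMPLE_PROMPT =
  "Email jane.doe@example.com or call +33 6 12 34 56 78. " +
  "Key: sk-TESTtestTESTtestTEST1234. Again: jane.doe@example.com";

const session = createSanitizer();
const outbound = session.sanitize(SAMPLE_PROMPT);
if (findLeaks(outbound).length === 0) console.log(outbound);
```

The mapping is per session: a token restored with a different sanitizer instance stays a token, which is the failure mode you want when a mapping is lost.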

Frequently asked questions

How do you tell if an AI tool is safe?
By reading its privacy policy and terms rather than trusting the brand. Check nine criteria: does it train on your inputs by default, is there an opt-out (does it cover the past?), what's the retention, is there human review, where is the data hosted, is it encrypted, does it offer a DPA, what do the terms say about sharing and third parties, and does it hold certifications like SOC 2 Type II or ISO 27001. A Stanford HAI study shows the major consumer chatbots train on conversations by default.
Are SOC 2 or ISO 27001 enough to call an AI tool safe?
No, on their own. They're useful but partial signals: ISO 27001 attests to a security management system, SOC 2 is an auditor's report on controls. Demand the detail — a SOC 2 Type II (operating effectiveness over a period) is more probative than Type I, and the scope must be stated. A certification says nothing about default training, retention or sharing: you still need to run the full checklist.
Does a training opt-out make an AI tool safe for sensitive data?
It reduces exposure, but isn't enough. The opt-out is often forward-looking only (it doesn't pull back what was already trained on), and usually stops neither the retention tied to abuse monitoring nor the associated human review. For truly sensitive data, the only provider-independent guarantee is to anonymize it before sending.
