Privacy · July 2026
Most data leaks through AI come not from hackers but from well-meaning prompts: a client email you “just have summarised”, a quote with a name and a fee on it that you ask ChatGPT to rewrite. Three rules of thumb will keep you clear of the most common mistakes.
Treat everything you type into a public AI tool as though it could end up outside your business. Names, addresses, financial details, health information and anything covered by your duty of confidentiality: leave it out. What does work is the same question with the details anonymised. “Rewrite this email to [client] about [project]” works just as well and leaks nothing.
On the free tiers of many AI tools, your input is used by default to improve the models. You don’t want that for work material. Check your settings today: in ChatGPT it sits under Settings, Data Controls (switch off “Improve the model for everyone”); business plans such as Team and Enterprise don’t train on your data by default. With Claude the same principle applies: check your privacy settings and choose a business plan where you can.
If you use AI routinely in processes that client data passes through, a chatbot or a transcription tool for instance, then under the GDPR you’re responsible for what that tool does with the data. You cover that with a data processing agreement, ideally with an AI addendum setting out which tools may see which data. That’s how I built a fully GDPR-compliant AI chatbot for a client: the same convenience, without the loose ends.
Unsure about your own setup? Email info@kimberleyvanruiven.nl and we’ll walk through it together.