Skip to content

LLM data privacy: how to use AI without your data training someone else's model

Data Privacy
LLM
GDPR
AI Compliance
Enclave

Data privacy when using AI is not an abstract concern: according to Cisco's 2024 Benchmark Study, 48% of organisations are already feeding non-public business information into generative AI tools. When that information includes client records, financial data, or confidential advisory files, the problem stops being technical and becomes legal.

This article explains what actually happens to your data when you use an LLM (a large language model, such as ChatGPT or Claude), what your real options are for deploying AI without losing control, and where to start if your company handles sensitive data.

What happens to your data when you use ChatGPT or another LLM?

The answer depends on which version you use — and the difference is significant.

ChatGPT Free and Plus turn on "Improve the model for everyone" by default. This means OpenAI can use your conversations to train future models. You can disable it in Settings → Data Controls, but it is on by default and most users never change it.

ChatGPT API, Team, Enterprise, and the Healthcare and Edu tiers have not trained on customer data since March 2023, unless you explicitly opt in. OpenAI still retains data for up to 30 days for abuse monitoring. Immediate deletion — known as Zero Data Retention — is only available through specific Enterprise agreements.

The practical problem inside companies is what is called Shadow AI: any employee can open ChatGPT in a browser tab and paste client data, a contract, or a case file without the company knowing or controlling it. The 2023 Samsung incident — where three engineers leaked proprietary source code by pasting it into public ChatGPT — is the most cited example. It is not an isolated one. In 2024, 233 AI-related privacy incidents were recorded, a 56.4% increase year on year, according to the Stanford AI Index 2025.

Why should your company care about AI data control?

Three concrete reasons, not theoretical ones.

Confidentiality and professional privilege. For law firms, advisory practices, family offices, and fintechs, feeding client data into a public tool may breach professional privilege independently of whether the provider trains on that data. The issue is not just training: it is that data leaves your perimeter and passes through third-party servers. A regulator will not distinguish between a "consumer tool" and an "Enterprise tier" if you have no documentation of the data flow.

Hard legal obligations. GDPR Article 28 requires a signed Data Processing Agreement with any external provider that processes your clients' personal data. Without that agreement, using LLMs with client data is technically unlawful. Fines reach up to €20 million or 4% of global annual turnover under GDPR; the EU AI Act adds fines of up to €35 million or 7% of global revenue for the most serious violations.

For companies based in Andorra, the Ley Cualificada 29/2021 — in force since 17 May 2022 — is the local equivalent of GDPR, enforced by the Agencia Andorrana de Protección de Datos (APDA). If your company has clients in the EU, GDPR also applies directly through its extraterritorial scope (GDPR Article 3.2).

Reputational and financial risk. The average cost of a data breach in 2024 was 4.88 million dollars, according to IBM. Trust in AI companies to protect personal data fell to 47% in 2025 (Stanford AI Index). For a fintech or family office in Andorra, a single AI-related data incident can erase years of client trust in days.

If you work in the fintech or financial advisory space, data control is not a secondary concern — it is the central one.

What are your options for deploying AI with real data control?

There is no single answer. Options range from straightforward to fully controlled:

Public cloud with contractual guarantees. Azure OpenAI with EU-DataZone (Sweden Central or Germany West Central regions) guarantees processing exclusively within the EU and commits that your data is not used for training. AWS Bedrock with EU inference profiles (Frankfurt, Ireland, Paris) provides the same assurances for Anthropic's Claude models. Both allow you to sign a GDPR-compliant DPA. One important detail with Azure OpenAI: you must explicitly select the right deployment type — "Global Standard" may route queries outside the EU.

The CLOUD Act residual risk. Microsoft, Amazon, and Google are all US companies. The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to request access to data stored on these platforms regardless of which region it sits in. For the most sensitive data, this is a residual risk that no US cloud provider can fully eliminate.

Mistral AI as a European middle option. Mistral is a French company with EU-based servers and a DPA governed by EU law. Its models — Mistral Small 3 7B and Mistral Small 3.1 24B — are highly competitive in quality and remove the US jurisdictional risk entirely. It is a strong intermediate choice for companies that want stronger guarantees than a US cloud but do not want to manage their own infrastructure.

Local deployment (on-premise or on your own machine). Tools like Ollama (MIT open-source) and LM Studio let you run language models directly on your laptop or internal servers. Data never leaves the device. Llama 3.3 8B and Mistral Small 3 7B run at 30–50 tokens per second on a MacBook M2 or M3 with 16 GB of RAM, or on an RTX 4060/4070 GPU. Mistral Small 3.1 24B fits within 16 GB of VRAM. The economic crossover point between cloud and on-premise is roughly 10–30 million tokens per day; below that threshold, cloud API is almost always cheaper once hardware and maintenance are counted in.

OptionData controlUpfront costCapabilityCLOUD Act risk
ChatGPT Free/PlusLowNoneHighYes
OpenAI API / EnterpriseMedium-highLowHighYes
Azure OpenAI EU-DataZoneHighLow-mediumHighResidual
Mistral (EU cloud)HighLow-mediumMedium-highNo
On-premise (Ollama/LM Studio)MaximumMedium-highMediumNo

Where do you start without overspending?

The most common mistake is trying to solve data privacy all at once with expensive infrastructure. César García recommends two concrete steps before touching any server.

Classify your data by sensitivity. Not everything your company handles needs the same level of protection. A practical framework:

  • Public or non-sensitive internal data (website content, FAQs, generic documentation): compatible with any public cloud tool.
  • Confidential internal data (internal processes, drafts, operational data without personal identifiers): requires a signed contract (DPA) with the provider, preferably a cloud with EU data residency guarantees.
  • Client or regulated data (personal data, financial records, advisory files, health data): requires a signed DPA, contractually guaranteed EU residency, and full audit traceability. For the most sensitive cases, local or private deployment.

Set governance before you deploy. Governance is not bureaucracy: it means knowing which AI tools are authorised, who can use them with what type of data, and keeping a log of what was queried and when. Without it, you cannot demonstrate to the APDA or an external auditor that you handled the data with due diligence. The minimum set: an inventory of authorised tools, a data-tier usage policy, and query traceability.

A technical approach worth highlighting is RAG (Retrieval-Augmented Generation): instead of pasting full documents into a prompt, you build a local index of your documentation and the model receives only the relevant fragments for each query. Original documents never leave your system. This architecture is particularly useful for advisory firms, law practices, and fintechs that want their AI to "know" contracts or internal regulations without exposing them. Smart Growth's internal document consultation service implements exactly this pattern.

An AI diagnostic — two to four weeks of structured assessment — is enough to map what data you hold, which use cases have the best return, and what level of control you actually need. Doing this before buying infrastructure saves both money and regulatory risk.

How does Enclave solve this?

Enclave is the private ChatGPT that César García and Smart Growth have built for companies that cannot — or should not — use public tools with sensitive data.

It works across three layers:

Data control. Enclave is deployed on Azure OpenAI with EU-DataZone, AWS Bedrock with EU profiles, or open-source models on the client's own infrastructure. Data does not leave the agreed perimeter. No training on your data. No transfer to unauthorised third parties.

Internal knowledge. Through RAG, Enclave connects to your documentation: internal policies, contracts, compliance manuals, regulatory filings. Employees ask in plain language and get answers with precise citations from source documents. For an advisory firm, this means the assistant "knows" the case file without the case file leaving the office.

Full traceability. Every query is logged: who asked, what they asked, what the AI answered, and which document fragment it used. This is not an optional extra — it is the audit log that the APDA or any external auditor can review. It is built in from day one.

For companies handling particularly sensitive data — such as those in the fintech and family office sector — Enclave closes the gap between wanting to use AI and being able to do so without regulatory exposure.

For more context, the post on AI for fintechs: privacy and compliance covers sector-specific use cases in depth, and the piece on private ChatGPT for businesses goes into more technical detail on the architecture.

In summary

Using AI with sensitive data is entirely feasible — it is a matter of choosing the right architecture. What is not acceptable is pasting client data into public ChatGPT and assuming that "no training" means no risk. GDPR, Andorra's Ley 29/2021, and the EU AI Act all require more than that.

The options are well defined: cloud with contractual guarantees (Azure OpenAI EU-DataZone, AWS Bedrock EU, Mistral), local deployment for the most sensitive data, or RAG as an architecture that keeps documents inside your perimeter. The starting point is always classifying your data and establishing governance before touching any tool.

Enclave makes this concrete: a private ChatGPT, with your data under your control, full traceability from day one, and deployment on EU infrastructure.

Frequently asked questions

Does ChatGPT use my conversations to train its models?
It depends on which version you use. ChatGPT Free and Plus enable model training on your data by default — you can turn it off in Settings → Data Controls. The API, Team, Enterprise, and Edu versions have not trained on customer data since March 2023, unless you explicitly opt in.
Is it legal to use AI with client data under GDPR?
It can be, but it requires a signed Data Processing Agreement (DPA) under GDPR Article 28 with the model provider. Without that agreement, using LLMs with personal client data is technically a GDPR violation. OpenAI Enterprise and platforms like Azure OpenAI allow you to sign a DPA.
What is a private LLM deployment?
Running the language model on your own infrastructure — on-premise servers or a private cloud — so that queries never leave your perimeter. Tools like Ollama (open-source) let you run models like Llama 3.3 or Mistral locally, at no API cost and with zero data transfer to third parties.
Do I need my own servers to have real control over my data?
Not necessarily. For most businesses, the most practical option is Azure OpenAI with EU-DataZone or AWS Bedrock with EU inference profiles: processing guaranteed within the EU, no training on your data, and a signable DPA. On-premise makes economic sense only at very high volumes — roughly 10 to 30 million tokens per day.
Does GDPR apply to companies using AI outside the EU?
Yes, extraterritorially. Under GDPR Article 3.2, any company offering goods or services to EU residents is subject to GDPR regardless of where it is based. The EU AI Act carries the same extraterritorial reach. Andorra has its own equivalent law — Ley Cualificada 29/2021, in force since May 2022 — enforced by the APDA supervisory authority.