Launch in Days, Not Weeks
Professional one-page website. Only a few slots left this month
When you send client data to an AI API, where does it go? Is it stored? Trained on? Accessible to other users? These aren’t paranoid questions, they’re basic due diligence that most businesses skip. Proper AI data handling isn’t about avoiding AI tools; it’s about knowing what happens to information the moment it leaves your system, and putting guardrails around it before something sensitive gets exposed.
Every time your team pastes text into a chat tool or your website’s AI feature calls a model, the same basic journey happens: your input travels to the provider’s servers, gets processed by the model, generates a response, and, this is the part most people skip past, often gets logged.
Logs are the quiet risk. A provider might not train on your data, but if it’s sitting in a log file for 30 days, that’s still 30 days of exposure to a breach, a subpoena, or an internal access mistake.
The key distinction to understand:
According to Anthropic’s data retention documentation, standard API log retention dropped from 30 days to 7 days in late 2025, and API data is never used for training. OpenAI’s enterprise privacy page states a similar position: API inputs and outputs may be retained for up to 30 days for abuse monitoring, but are not used for training by default. Both offer Zero Data Retention arrangements for qualifying enterprise use cases, where data isn’t stored after the response is returned at all.
The takeaway: default settings on consumer-facing chat tools (the free version of a chatbot your team might paste client names into) are usually far less protective than the API-level enterprise agreements built for business use.
Not all AI tools are equal, and the gap between “consumer” and “enterprise” tiers is bigger than most founders assume.
| Standard/Consumer | Enterprise/API | |
|---|---|---|
| Training on your data | Often yes, unless opted out | No, by default |
| Retention period | Can be indefinite (conversation history) | 7 to 30 days, or zero with ZDR |
| Human review | Possible for safety/quality checks | Limited, usually abuse-only |
| Data residency control | Rarely offered | Sometimes available on enterprise plans |
The practical rule: if a tool is free or low-cost and consumer-branded, assume your inputs could be reviewed or used to improve the product unless you’ve explicitly checked the settings and opted out. If you’re building AI into a business process: a website chatbot, an internal workflow, a client-facing feature: use the API or enterprise tier, read the actual data processing agreement, and don’t rely on marketing copy.
The ICO’s guidance on AI and data protection is the reference point for UK businesses here, it sets out that organisations remain accountable for personal data processed through AI systems, regardless of which provider’s model sits underneath. Using a reputable vendor doesn’t transfer your GDPR obligations away, a point we expand on in AI and GDPR.
The simplest protection is the one businesses skip most often: don’t send what you don’t need.
Practical techniques that work without slowing anyone down:
This is the same discipline as data minimisation more broadly, only collect and process what a task actually requires. It’s not new to AI, but AI makes the temptation to over-share much easier, because pasting a whole document is faster than trimming it.
For most small and medium businesses, cloud API providers with proper enterprise agreements are the right call, the cost and complexity of running models locally rarely makes sense below a certain scale.
That said, there are cases where private deployment matters:
The trade-off is straightforward: private deployment buys you control, but it costs meaningfully more, both in infrastructure and in the engineering time to maintain it. For the vast majority of UK SMBs, the better first step is choosing providers with strong zero-retention options and building good internal habits, not standing up your own model infrastructure.
Most businesses using AI tools have no written policy at all, decisions happen ad hoc, tool by tool, person by person. A short, practical policy closes that gap without needing a legal department.
A working template covers:
This doesn’t need to be a 20-page document. A single page that a new hire can read in five minutes is more useful than a comprehensive policy nobody follows.
If your website includes an AI chatbot, an automated enquiry handler, or any feature that processes visitor or client information, the same principles apply to what you’ve built, not just the tools your team uses day to day. A poorly configured CTA-driven contact flow that quietly logs every enquiry through a consumer AI tool creates exactly the exposure this article is warning about.
At Fernside Studio, when we build AI systems into a client’s site or internal workflow, data handling is part of the build, not an afterthought bolted on later. That means choosing providers with proper enterprise agreements, minimising what gets sent to any model, and being explicit with clients about what’s stored and for how long. If you want a second opinion on how your current AI setup handles data, our advisory sessions are built for exactly that kind of review.
Handling sensitive data through AI systems responsibly isn’t optional, it’s the baseline. If you’re building or reviewing AI features on your website, get in touch and we’ll help you scope it properly.