A friend shared a LinkedIn post the other day with a blunt warning: don’t hand over your proprietary data and trade knowledge to an LLM. This came from a discussion at the investor huddle at MASHUP26. Venture capitalists and angels in the room agreed that AI is essential to move faster, but that investors should not rely on LLMs to analyse, qualify or review startup applications, pitch decks and the like.
“Don’t feed your private data to an LLM” is like saying “don’t put your money in a bank.” Which bank? Under which country’s laws? Insured how? The better answer to “is it safe to send confidential data to an AI?” is it depends, and the things it depends on are knowable. This post is my attempt to lay them out for a non-technical audience, particularly investors, who see other people’s most sensitive material for a living.
Not all confidential data deserves the same answer.
When someone says “sending data to an LLM is risky,” they usually collapse five different questions into one.
This is the one that threatens your IP. If a provider trains on your inputs, your confidential deck or data model can influence the next generation of the model that anyone else can then query. Retention affects breach and subpoena exposure; training affects whether your competitive knowledge leaks into a shared model.
The line that matters is consumer versus business more than free versus paid. A paid ChatGPT Plus or Claude Pro subscription is still a consumer product, and those can use your conversations for training (!) unless you opt out (!!) in settings. Upgrading to a pricier consumer plan doesn’t turn training off; a business or API tier does. This is also true of LinkedIn BTW.
Product exceptions matter. Mistral’s API docs say API data isn’t used for training, but its Labs models may train unless ZDR is active. Cohere’s SaaS Platform has a dashboard opt-out for training rather than a blanket no-training default. Read the terms for the specific product, not just the company name.
I’m describing the major providers’ current defaults. Smaller vendors vary, defaults change, and a “thumbs up” on a consumer chat can re-authorise training of that one conversation even after you opt out. Read the terms for the specific tier you’re on, and don’t assume paying bought you privacy.
Zero Data Retention (ZDR) is the promise that the provider does not store your prompts or the model’s answers after your request finishes. Data that is never stored can’t be leaked in a breach, handed to a subpoena, or read by a curious employee. Retention is attack surface, and less of it is better.
Statefulness is separate from training. xAI’s Responses API,
for example, stores previous prompts, reasoning content and model responses on xAI servers
by default for 30 days so you can continue a conversation. You can set store: false, or
use enterprise ZDR. That’s a feature with a retention consequence.
ZDR is rarely a hard requirement. If a provider doesn’t train on your data and deletes it on a sane schedule, most of the risk is already handled, and ZDR trims what’s left. It also isn’t absolute:
So read the specific policy for the specific model and feature you’re using. “Zero” is often “nearly zero,” and the gap can matter if your threat model is strict.
The surface that bites is the personal consumer account people reach for without thinking: the free app, or a personal Plus, Pro or Max subscription. Two things make it risky. First, memory features quietly retain context across conversations. Second, the training default, which leans the wrong way. OpenAI’s and Google’s consumer apps default that sharing on and make you opt out. Anthropic now asks consumer users to choose whether their chats train Claude, and if you allow it, retention extends to five years. Either way, the setting is easy to click through without reading.
The organisational tiers are the safer ground, but “business tier” isn’t one thing. A business or enterprise chat workspace (ChatGPT Enterprise, Claude for Work, Gemini for Workspace) and the raw API both default to no training, yet they differ on everything else. The API is stateless, with short abuse-log retention and an optional ZDR. A business chat workspace keeps conversation history your admins can see, plus memory and connectors. Same answer on training, different answers on retention and on who can read it. Match the surface to the data.
So the case the LinkedIn post gets right is the personal account. Pasting a confidential deck there, with training or memory on, is the genuinely risky move, and a paid Plus or Pro subscription doesn’t change that if you opted in. A business or enterprise deployment with training off carries far less risk.
The provider is rarely the only party in the chain. Analytics vendors, logging tools and infrastructure partners all sit near your data. OpenAI’s worst incident of 2025 wasn’t a model leak, it was a breach at Mixpanel, a third-party analytics vendor, which exposed API account names and emails, no chat logs. It’s a clear reminder that the weak link is often a sub-processor.
This is where the privacy policy earns its keep. It should tell you who the sub-processors are and what they can see. Resellers make this worse: a router like OpenRouter or Vercel’s AI Gateway is only as private as the backend it routes to, and every hop is another place data can rest, log or leak. If sovereignty matters, shorten the chain.
Data residency lets you pin where your data is stored, and sometimes processed, for example inside Canada. It matters for privacy law (Quebec’s Law 25, PIPEDA) and latency. “Available in Canada” often means less than it sounds:
And residency is only worth anything if the model you want actually runs in-region. I listed each provider’s Canadian catalogue with their own CLIs, and the picture is depressing:
ca-central-1) against 121 in its main
U.S. region, but the current frontier is present, all of it Anthropic: the full recent
Claude line (Opus, Sonnet, Haiku, Fable). Claude in Canada means Bedrock.Cerebras is worth watching here. It announced Montréal inference capacity, and Saskatchewan announced a Bell AI Fabric project where Cerebras and CoreWeave are tenants. This weakens the lazy assumption that Canadian AI infrastructure must be slow. It does not prove that a Cerebras API customer can force Canadian routing or Canadian residency for a given request.
So your model choice quietly picks your cloud, and one of the three big providers can’t keep current-model inference in Canada at all. Deep coverage isn’t the same as a strong security record, either: the cloud with the most Canadian models here also carries the weakest track record.
Residency also doesn’t answer the harder question of jurisdiction. Under the U.S. CLOUD Act, American authorities can compel a U.S.-incorporated company to produce data it controls, even if that data physically sits in a datacentre in Montréal. Provincial law, including Law 25, can’t override U.S. jurisdiction over an American company. Storing your bytes in Canada does not put them beyond the reach of a foreign government if the company holding them is foreign. For a sovereignty assessment, identify the legal entity operating the service and the governments that can compel it. For the stricter version, Canada’s own AI compute program defines sovereign AI compute as a Canadian-located, Canadian-governed system where data residency, operational control and decision-making authority stay in Canada. For businesses, that means Canadian-operated infrastructure or open models you run on infrastructure you control if foreign legal compulsion is in scope. Everything else is a spectrum of how much you trust the operator and its home government.
Most serious providers now offer a no-training path. Don’t stop at the provider name. The defaults differ across consumer chat, business chat, APIs, routers, “preview” models and private deployments.
| Provider | API / platform training | Chat / workspace training | ZDR | Residency / Canada |
|---|---|---|---|---|
| OpenAI | No by default | ChatGPT consumer opts out; Business/Enterprise no | Yes, on request | At-rest only; inference defaults to U.S. |
| Anthropic | No | Claude consumer must choose; Work no | Yes, except 30-day hold on Mythos-class | Via AWS Bedrock only |
| Google (Vertex AI) | Paid no; free Gemini API may train | Gemini consumer opts out; Workspace no | Yes | Montréal: Gemini 2.5 only, unusably old; Toronto: none |
| AWS Bedrock | No | Amazon Q: Pro/Business no, Free opts out | Yes (not stored) | All Anthropic Claude models |
| Azure AI Foundry | No, without your permission | Copilot consumer opts out; M365 no | Yes | All OpenAI GPT models |
| xAI | API no without explicit permission; Responses stores 30 days by default unless store: false | Grok consumer can train unless you opt out | Enterprise only (!) | U.S. company; not Canada-specific |
| Mistral | API no; Labs may train unless ZDR | Vibe (ex-Le Chat): free tier trains unless you opt out; Team/Enterprise no | Scale plan, stateless API only; not Vibe | EU by default; U.S. endpoint available; no Canada claim |
| Cohere | SaaS can train unless you opt out; private/cloud deployments do not send prompts/outputs to Cohere | N/A | Approved customers; Model Vault can avoid retaining prompts/responses | Canadian company; residency depends on deployment |
| OpenRouter | Account setting; off routes around trainers | N/A | Opt-in setting | “Sovereign” options, not Canada-specific |
| Vercel AI Gateway | Opt-in filter (off by default) | N/A | Opt-in setting | Routes to provider regions |
The last two, OpenRouter and Vercel, are routers rather than model operators, and their no-training and ZDR behaviour is a setting you turn on. They’re a convenient way to enforce one policy across many models at once, but they add a hop, and you inherit both their posture and their backend’s.
I care about the operator’s security record as much as its settings. The provider has to keep keys, logs, analytics vendors, support tooling and IAM policies under control.
My bias is that I spent 16 years at Google, I know a bit about its internal security. I trust Google’s security engineering, and Amazon’s, more than most. Both have deep, boring security cultures, the kind you want.
These were stolen keys, sloppy vendors and provider-side permission mistakes: operational security failures, not “the AI ate our secrets.” That should reframe what you worry about.
The smaller, inference-only players? Time will tell. Lower maturity usually means less security investment, which warrants a few harder questions before you trust them with anything sensitive.
The “go slow to go fast” framing in that LinkedIn post is right, even if the blanket ban isn’t. Ban AI outright and your team doesn’t stop using it. They paste the deck into their personal ChatGPT account, where the defaults are worst. A ban you can’t enforce is worse than a policy you can.
What I’d actually do, whether you’re a founder guarding your IP or an investor handling other people’s:
Connected tools deserve their own line in the policy. An MCP server, Slack app, Notion AI connector, Google Drive connector, GitHub app or code interpreter changes the data flow. OpenAI’s data controls say data sent to MCP servers or over third-party network connections is subject to those services' own retention and residency policies; the ChatGPT Slack app can search Slack content the user can access and may take actions when enabled. Slack’s native AI says customer data stays in Slack-controlled infrastructure and is not used to train LLMs, but that’s Slack’s product, not a blanket promise for every AI app inside Slack. Notion says Notion AI does not use Customer Data to train models by default, but its connectors can ingest external apps and store embeddings for search. None of these integrations are ZDR by definition. Treat integrations as sub-processors plus permissions: approve them, scope them, log them.
For the specific worry in that investor room, should a VC run a founder’s confidential deck through an LLM, my answer is: yes, with training off, on a business or enterprise account, and without unmanaged connectors. How you configure it decides the risk more than which tool you pick.
The founders you’re funding already use these tools! The useful question isn’t whether your portfolio touches AI, but whether they touch it on a personal account or a business one.
I write from a security and engineering background, not a legal one. Think I got a provider detail wrong? Want to talk to me? Tell me on Bluesky or Twitter or email me.