Privacy at a Price

For two decades, the privacy conversation has revolved around cookies. We've clicked "Accept All" ten thousand times, vaguely aware that somewhere, an algorithm knows we browsed running shoes at midnight. We understand this trade. It feels manageable. It feels like watching.

Artificial intelligence introduces a different kind of exposure — one that most people haven't begun to reckon with. Not because it is necessarily more malicious, but because it operates at a fundamentally different level: not what you search for, but how you think. This piece is a direct follow-up to last week's article on migrating from OpenAI to Claude, which prompted a wave of questions about what privacy actually looks like at each subscription tier — and whether switching providers changes anything meaningful.

What Cookies Actually Do

The Google-and-cookies model of privacy risk is broad but shallow. It collects behavioral signals: which pages you visited, for how long, what you clicked, where you were when you did it. Aggregated across millions of users and billions of sessions, this creates a surprisingly detailed behavioral profile — your income bracket, likely health concerns, relationship status, political leanings.

But the data is still fundamentally observational. It infers intent from action. Google sees you searched "lower back pain specialist near Amsterdam" — and concludes you have back pain. It never heard you explain it to anyone.

Note on transparency

The cookie-based advertising ecosystem, for all its faults, operates inside a relatively mature regulatory framework. GDPR consent requirements, data dashboards, opt-out mechanisms, and deletion rights exist. The rules are imperfect, but they exist. The equivalent infrastructure for AI-generated data is still being written.

This model has a clear commercial logic: your data funds advertising. You are the product, and the transaction — however asymmetric — is broadly understood. The risks are real but legible.

What AI Hears Instead

When you use an AI assistant, you don't click links. You talk. You explain your situation, your constraints, your reasoning, your uncertainties. You describe the project, the colleague who's being difficult, the strategic decision you haven't made yet. You think out loud — because that is precisely what the tool is designed for.

This creates a qualitatively different category of data. Google knows what you looked for. An AI knows why, in your own words, with context you never intended to archive anywhere.

Cookies observe behavior.
AI receives disclosure.

The distinction matters enormously when you consider the kinds of things people say to AI tools: legal strategies, financial projections, personnel concerns, health anxieties, relationship conflicts. Information they would share with a lawyer, an accountant, a therapist — professions with strict confidentiality obligations. AI systems, by default, have none of these.

The Training Problem

On most consumer-tier AI platforms, conversations may be used to improve the underlying model. This doesn't mean your exact words surface verbatim in someone else's response. The process is more subtle — and in some ways more concerning for that reason.

When a model trains on a large corpus that includes your inputs, the patterns, concepts, and even specific details from those inputs can influence how the model responds to similar queries from other users. The information doesn't disappear; it disperses. It becomes part of a shared cognitive substrate with no clear walls between contributors.

An employee who discusses a merger negotiation in detail with an AI tool on a free-tier account is not handing that document to a competitor. But they may be shaping a model that, later, generates suspiciously informed strategic suggestions for someone on the other side of the table. Causality here is probabilistic, not traceable — which makes it both difficult to prove and difficult to dismiss.

How a Language Model Actually Learns

To understand why AI privacy risk is structurally different from cookies, you need a working model of how these systems are built. Not a technical deep-dive — but enough to see what happens to the things you say.

A large language model starts as a vast network of numerical weights — billions of parameters that together represent statistical relationships between words, concepts, and ideas. In pre-training, the model processes an enormous corpus of text: books, websites, code, conversations. It doesn't memorise any of it. Instead, it adjusts its weights billions of times, learning which word or idea is likely to follow another given a particular context. By the end of pre-training, the model has a compressed, mathematical representation of how human thought and language tend to behave.

That base model is then refined. Through a process called Reinforcement Learning from Human Feedback (RLHF), human reviewers rate model outputs. The model learns to produce responses that are more helpful, more accurate, and more aligned with what people actually want. This is where real conversational data — including yours — becomes valuable. Each interaction that gets rated or learned from subtly reshapes the model's weights, nudging future responses in the direction of patterns that worked.

The critical insight is this: nothing is stored as a fact. Your input doesn't sit in a database with your name on it. But the pattern of your thinking — the way you frame problems, the strategies you apply, the reasoning chains you walk through — those can influence the statistical landscape of the model if they are used in training. Not as a record. As a shape.

[Figure: How an LLM learns. Stage 1: Raw Data; Stage 2: Pre-training; Stage 3: Fine-tuning (RLHF); continuous improvement loop from the deployed model.]

FIGURE 1 — THE LLM LEARNING PIPELINE

Why Hosted AI Is Not the Same as Local AI

A common misconception is that using a model locally — running something like Llama or Mistral on your own hardware — offers the same quality of experience as Claude or ChatGPT, just with better privacy. The privacy part is largely true. The quality part is not, and understanding why explains a great deal about what you are actually interacting with when you use a hosted AI product.

The model weights themselves are only one component of the system. When you interact with Claude or ChatGPT, you are not just talking to a transformer network. You are talking to a full inference stack: safety classifiers that screen inputs and outputs in real time, system prompts that shape the model's behaviour, retrieval systems that pull in current information, feedback loops that continuously refine responses, and enormous compute infrastructure optimised for low latency at scale. None of that comes with the weights.

A local model running on a consumer GPU is the engine without the car. It can run. But it lacks the scaffolding that makes the hosted experience coherent, contextually aware, and reliably safe. The gap in quality you notice when comparing a local 7B model to Claude Opus is not just model size — it's the absence of everything that wraps the model in a production environment.

The privacy trade-off is therefore not simply "local = safe, hosted = exposed." It is: local gives you the weights but none of the refinement infrastructure; hosted gives you a far more capable, continuously improved system — and in doing so, creates the conditions under which your data can contribute to that improvement, whether you intend it to or not.

[Figure: Local LLM vs hosted LLM. Panels: Local Model (private); Hosted Model (exposure risk).]

FIGURE 2 — LOCAL vs HOSTED INFERENCE STACK

What Leaks Without Leaking: An M&A Example

Consider a business broker — let's call him Thomas. He specialises in the acquisition of owner-operated logistics companies, typically businesses with €2–8 million in revenue, aging ownership, and underinvested digital infrastructure. He has spent fifteen years developing a mental model for identifying which of these businesses are undervalued, how to structure offers that the seller will accept, and how to present the acquisition to a buyer network. This is his edge. It is worth money.

Thomas uses an AI assistant extensively. He asks it to help him model valuation scenarios, draft first-contact emails to business owners, pressure-test his negotiation logic, and identify blind spots in his deal structure. He uses a consumer-tier subscription. He has not opted out of training. His conversations are detailed, domain-specific, and strategically rich.

None of what Thomas types is a trade secret in the legal sense. He doesn't share client names or deal terms. He frames everything as hypotheticals. He believes — reasonably — that he hasn't handed anything sensitive to the platform.

But here is the mechanism that matters. Each time Thomas works through a reasoning problem with the AI — "given an EBITDA of X and this ownership profile, here is how I would approach the offer structure" — and receives a response that he refines, corrects, or validates through continued dialogue, that exchange demonstrates a pattern of reasoning that works. If that exchange enters the training pipeline, it doesn't teach the model Thomas's deal. It teaches the model a class of thinking about logistics company acquisitions — the heuristics, the sequencing, the framing — that now becomes available to anyone who asks similar questions.

A competitor who has never thought carefully about owner psychology in family-run logistics businesses might now receive, via the model, a response that reflects exactly the kind of nuanced, experience-derived insight that Thomas spent fifteen years developing. Not because his data leaked. Because his thinking pattern was good enough to teach the model something it didn't already know well — and the model, in learning it, made it available to everyone.

The mechanism in plain terms

The model does not store your conversation. It stores the statistical residue of patterns it found useful. A well-reasoned strategy, a novel framing, a domain-specific heuristic — these don't disappear when your chat window closes. They potentially become part of how the model reasons about that problem class for everyone who follows. The more specific, original, and effective your thinking, the more it has to teach — and the more valuable it is to a training pipeline.

The Value You Give Up Without Persistent Context

None of this is an argument against using AI. It is an argument for using it consciously. And part of that consciousness means understanding what the hosted model's memory actually does for you — because the privacy risk and the quality benefit are two sides of the same coin.

The reason Claude or ChatGPT feel qualitatively different from a local model running on your laptop is not just model size or compute. It is context. A hosted AI that knows you asked a similar question last month, that has learned from millions of similar conversations, that maintains a running understanding of your project's constraints and your preferred way of thinking — that AI gives meaningfully better answers. Not because it is cleverer. Because it is better oriented. Context is what turns a language model into a useful thinking partner rather than a sophisticated autocomplete.

Strip that away — run a local model with no persistent memory, or use an API without sending any context — and you get a stateless system. It answers the question in front of it, nothing more. For many queries that is fine. For complex, iterative professional work, it is a significant degradation. You spend more time re-establishing what you're doing, re-explaining your constraints, and re-orienting the model on every new request.

The obvious workaround is to send your context with every request. Include your background, your project details, your preferred framing — in the question itself, every time. This works. But it has a direct cost, and that cost compounds. In API-based systems, you pay per token — roughly per word. Every request that includes thousands of tokens of context is charged for those tokens before your actual question even begins. As your context grows richer and more detailed, so does the cost of every single inference call. A reasonably thorough professional context document can run to tens of thousands of tokens. At scale, the economics become difficult to ignore.

Prompt caching: cost solution with a privacy surface of its own

Both Anthropic and OpenAI offer prompt caching via their APIs — a mechanism that stores a static context prefix server-side so it does not need to be reprocessed on every request. On the Anthropic API, cached tokens are billed at 0.1× the standard input rate: a 10x cost reduction. Latency also drops significantly — up to 85% for long prompts. The cache persists for 5 minutes by default, extendable to 1 hour. For stable context — system instructions, knowledge files, project background — caching makes the economics of API-based AI substantially more viable.

But it is not privacy-neutral. The cache is stored server-side in provider infrastructure. From February 2026, Anthropic isolates caches at workspace level — different organisations cannot access each other's caches, and cache hits require 100% identical prompt segments. But the content still transits and resides in provider systems for up to an hour, subject to the same Commercial Terms as the rest of your API traffic. It is not used for training, but it is held. For genuinely sensitive context, this matters.
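The cost and exposure trade-off described above, as an added example (not code from this article or from any provider): it replays a constructed request schedule and reports the input cost next to how long the context prefix sits in the provider-side cache. The 0.1× hit rate and the 5-minute and 1-hour lifetimes come from the text; the cache-write multipliers, eviction exactly at expiry, and a hit restarting the lifetime are assumptions and appear as parameters.

```python
"""Added example: replay a request schedule against a server-side prompt cache
and report input cost next to the time the context prefix is held at the provider."""
from dataclasses import dataclass

HIT_MULTIPLIER = 0.1        # article: cached tokens billed at 0.1x the input rate
TTL_DEFAULT_S = 5 * 60      # article: cache persists 5 minutes by default
TTL_EXTENDED_S = 60 * 60    # article: extendable to 1 hour
# Assumptions, not stated in the article: cost multiplier for writing the cache.
WRITE_MULT_DEFAULT = 1.25
WRITE_MULT_EXTENDED = 2.0


@dataclass
class Replay:
    hits: int
    writes: int
    billed_tokens: float      # context tokens after multipliers, all requests
    uncached_tokens: float    # same schedule, context resent at full price
    held_seconds: float       # time the prefix resided in the provider cache

    @property
    def cost_ratio(self) -> float:
        return self.billed_tokens / self.uncached_tokens


def replay(times_s, context_tokens, ttl_s, write_mult, refresh_on_hit=True):
    """Assumes eviction exactly at expiry and (by default) that a hit restarts the TTL."""
    hits = writes = 0
    billed = held = 0.0
    cached_since = expires_at = None
    for t in sorted(times_s):
        if expires_at is not None and t < expires_at:
            hits += 1
            billed += context_tokens * HIT_MULTIPLIER
            if refresh_on_hit:
                expires_at = t + ttl_s
            continue
        if expires_at is not None:          # previous entry lapsed before this request
            held += expires_at - cached_since
        writes += 1
        billed += context_tokens * write_mult
        cached_since, expires_at = t, t + ttl_s
    if expires_at is not None:              # entry still cached after the last request
        held += expires_at - cached_since
    return Replay(hits, writes, billed, float(context_tokens * len(times_s)), held)


# Constructed sample: seconds since session start for seven requests that share
# one 20,000-token context prefix (bursts of work with two long pauses).
SESSION = [0, 60, 180, 400, 1000, 1100, 4000]
CONTEXT_TOKENS = 20_000


def compare(times_s=SESSION, context_tokens=CONTEXT_TOKENS):
    return {
        "cache_5m": replay(times_s, context_tokens, TTL_DEFAULT_S, WRITE_MULT_DEFAULT),
        "cache_1h": replay(times_s, context_tokens, TTL_EXTENDED_S, WRITE_MULT_EXTENDED),
    }


if __name__ == "__main__":
    print(f"{'mode':<10}{'hits':>5}{'writes':>7}{'cost vs resend':>16}{'held (s)':>10}")
    print(f"{'resend':<10}{0:>5}{0:>7}{1.0:>16.2f}{0:>10}")
    for name, r in compare().items():
        print(f"{name:<10}{r.hits:>5}{r.writes:>7}{r.cost_ratio:>16.2f}{r.held_seconds:>10.0f}")
```

On this schedule the longer lifetime is cheaper but keeps the same context resident at the provider several times longer, which is the trade the section describes.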

[Figure: Context delivery, cost vs privacy surface. Panels: Stateless; Prompt Caching; Hosted Memory. Axis: more private to more useful.]

FIGURE 3 — CONTEXT DELIVERY: COST, QUALITY & PRIVACY SURFACE

The deeper point is this: the privacy risk of hosted AI and the quality benefit of hosted AI are produced by the same mechanism. The model is helpful because it has context. The question is not whether to use context — removing it degrades the product — but who controls it, where it lives, and what happens to it when the conversation ends. That is precisely the question the subscription tier table later in this article is designed to help answer.

Enterprise AI contracts typically include provisions for model isolation: guarantees that your data won't be used in training, that your queries are processed in a segregated environment, that retention periods are contractually capped. These provisions exist precisely because the risk is real — and because buyers sophisticated enough to ask for them understand that without them, the default is something else entirely.

Consumer users almost never ask. They accept terms of service that, buried in legalese, describe training practices their intuition would reject if stated plainly. The asymmetry between what users assume and what they've agreed to is arguably larger with AI than it ever was with cookies — partly because the interface is more intimate, partly because the stakes per disclosure are higher.

| Dimension | Google / Cookies | AI (non-isolated) |
| --- | --- | --- |
| Data type | Behavioral signals | Intentional, cognitive disclosure |
| Depth | Wide but inferred | Narrow but explicit |
| Transparency | Relatively high | Low for consumers |
| Business model | Advertising | Subscriptions / API |
| Regulatory maturity | Established (GDPR) | Emerging, incomplete |
| Risk per session | Low–moderate | Potentially high |
| User awareness | Moderate | Very low |

A Different Kind of Calculus

None of this means AI tools are more dangerous than the surveillance advertising ecosystem, taken in full. Google's reach across search, maps, email, video, and mobile operating systems represents an extraordinary concentration of behavioral data. The comparison is not straightforward.

What it does mean is that the familiar mental model — the one where you imagine a marketer knowing your shopping preferences — is badly suited to understanding AI privacy risk. The relevant mental model is closer to imagining someone reading your journal. Or sitting in on your meetings. Or reviewing your drafts.

The risk isn't that an algorithm infers you might be interested in a new product. The risk is that your strategic thinking, expressed in the most direct and unguarded form, enters a system whose retention policies, training practices, and downstream uses you cannot meaningfully audit.

What Informed Use Looks Like

The appropriate response is not paranoia, but precision. Knowing what you're sharing — and with which tier of service — changes the calculus immediately. An API-based deployment with explicit no-training terms is a different environment from a free consumer app. Enterprise agreements with data processing addenda are different again.

Treating every AI interaction as a potential archival event is a reasonable professional heuristic. Not because every provider behaves badly, but because the informed user understands that the comfort of a conversational interface is not evidence of a private one.

A Gap Anthropic Should Close

One thing stands out in this landscape that deserves to be said plainly. Anthropic has made what I consider the right call in refusing unchecked access to its models by the US government — a principled position on responsible deployment that sets it apart. The irony is that the same company appears to have made a significant commercial misstep in the opposite direction: there is currently no genuinely safe tier available for smaller businesses.

The entry point for contractually protected, isolated AI use at Anthropic is Enterprise — 20 seats minimum, custom pricing, annual contract. For a five-person consultancy handling client data, or a ten-person legal practice that needs AI assistance, that threshold is simply out of reach. The gap between consumer and enterprise is a chasm, and nothing in between credibly bridges it.

What makes this more troubling is the direction of travel. The Team plan — which might have been positioned as a genuine small-business tier — has moved in the wrong direction since late 2025. Rather than strengthening its privacy posture, Anthropic reclassified Team under consumer-adjacent terms, effectively stripping it of the isolation expectations a business user would reasonably assume. A plan that sits between Pro and Enterprise in the pricing hierarchy is now closer to Pro in its privacy architecture than it is to Enterprise. That is a meaningful regression, not a footnote.

The business case for fixing this is obvious. A proper SMB tier — contractual no-training, basic audit logging, data residency, without a 20-seat floor — would serve an enormous market that currently has no good answer. The fact that Google Workspace provides this from a single seat, and ChatGPT Business from two, makes the gap even harder to explain. Whether this reflects a deliberate prioritisation of enterprise revenue, a product philosophy that sees small teams as individual users rather than businesses, or simply an oversight, it is a gap that needs to close sooner rather than later.

Cookies taught us to read the fine print on data collection. AI requires us to read the fine print on what we choose to say.

What You're Actually Signing Up For

Abstract privacy risk becomes concrete when mapped against the actual subscription tiers that hundreds of millions of people are using today. The table below covers every current plan across Google (Gemini/Workspace), X/xAI (Grok), OpenAI (ChatGPT), and Anthropic (Claude), with the lowest applicable entry price per user and the actual data isolation status at each tier.

Two things stand out immediately: first, paying more does not automatically mean better privacy — the jump from consumer to business tier is what matters, not the jump from free to paid. Second, "opt-out" is not the same as "off by default." Platforms where training is on unless you act require users to know a setting exists, find it, and change it. Most never do.

| Provider | Plan | Price / user / mo | Min. seats | Min. monthly spend | AI training on data | Isolation level | Confidential data? | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Google | Gemini Free | $0 | 1 | $0 | On by default | None | Not safe | Opt-out via "Gemini Apps Activity"; disabling removes chat history; 72-hr backend retention regardless of opt-out |
| Google | Gemini Advanced (Google One) | $19.99 / mo | 1 | $19.99 | On by default | None | Not safe | Consumer product — same training exposure as Free; opting out removes chat history; includes 2 TB storage |
| Google | Workspace Business Starter | $7 / user / mo | 1 (max 300) | $7 | Off — contractual | Business | No sensitive data | No training by contract; shared infrastructure; no ZDR; suitable for non-regulated business data only |
| Google | Workspace Business Standard | $14 / user / mo | 1 (max 300) | $14 | Off — contractual | Business | No sensitive data | No training; SOC 2, ISO 27001; shared infrastructure; max 300 users on self-serve; not for regulated sectors |
| Google | Workspace Enterprise | Custom (≈$26+ / user) | None — contact sales | Custom | Off — contractual | Enterprise | Safe | EKM; DLP; data regions; HIPAA-eligible; admin AI controls per group; sales-led contract |
| X / xAI | X Free (Grok limited) | $0 | 1 | $0 | On by default | None | Not safe | Trains on prompts + public posts; opt-out via Settings → Privacy → Grok; also disables personalisation; feedback overrides opt-out; 2026 ToS grants X broad reuse licence |
| X / xAI | X Basic | $3 / mo | 1 | $3 | On by default | None | Not safe | Same X data policy as Free; opt-out available but limited; minimal Grok access |
| X / xAI | X Premium | $8 / mo | 1 | $8 | On by default | None | Not safe | Opt-out available; X still trains on public posts regardless; no isolation at any price point on the X platform |
| X / xAI | X Premium+ | $40 / mo | 1 | $40 | On by default | None | Not safe | Highest Grok limits on X platform; same data policy as all other X tiers |
| X / xAI | SuperGrok / SuperGrok Heavy (grok.com) | $30 / mo · $300 / mo | 1 | $30 | On by default | None | Not safe | Standalone app; xAI privacy policy (narrower than X's); opt-out via Settings → Data → Improve the Model; Private Chat exempt from training |
| X / xAI | Grok Business (from Dec 2025) | $30 / user / mo | 1 (self-serve) | $30 | Off — contractual | Business | No sensitive data | No training on org data; SOC 2; GDPR/CCPA; 90-day audit logs; Google Drive connector; shared multi-tenant infrastructure |
| X / xAI | Grok Enterprise / Enterprise Vault | Custom pricing | Contact sales | Custom | Off — contractual | Enterprise / Isolated | Safe | SSO, SCIM; Vault = isolated data plane, customer-managed encryption keys (CMEK), fully separated from shared stack |
| OpenAI | ChatGPT Free | $0 | 1 | $0 | On by default | None | Not safe | Training on by default; opt-out via Settings → Data Controls; feedback overrides opt-out for that conversation |
| OpenAI | ChatGPT Go | $8 / mo | 1 | $8 | On by default | None | Not safe | Ad-supported tier; same training default as Free; opt-out available; thumbs feedback loophole applies |
| OpenAI | ChatGPT Plus | $20 / mo | 1 | $20 | On by default | None | Not safe | Identical training policy to Free despite paid status; opt-out available but not default; thumbs feedback overrides opt-out |
| OpenAI | ChatGPT Pro | $200 / mo | 1 | $200 | On by default | None | Not safe | No privacy upgrade over Plus; higher usage limits only; thumbs feedback loophole applies |
| OpenAI | ChatGPT Business (ex-Team) | $25 / user / mo (annual) | 2 | $50 / mo | Off — contractual | Business | No sensitive data | Min. 2 seats; no training per DPA; SAML SSO; SOC 2 Type 2; shared infrastructure; not suitable for regulated data |
| OpenAI | ChatGPT Enterprise | Custom (≈$60 / user) | ≈150 (not officially published) | ≈$9,000 / mo | Off — contractual | Enterprise | Safe | ~150 seats minimum per community reporting; SCIM; EKM; HIPAA; ZDR option; dedicated instance |
| Anthropic | Claude Free | $0 | 1 | $0 | On by default | None | Not safe | On by default since Oct 2025; opt-out = 30-day retention; opt-in = 5-year retention; incognito chats exempt |
| Anthropic | Claude Pro | $20 / mo | 1 | $20 | On by default | None | Not safe | Consumer terms — same training policy as Free; paying does not improve privacy standing |
| Anthropic | Claude Max 5x / 20x | $100 / mo · $200 / mo | 1 | $100 | On by default | None | Not safe | Higher usage volumes only; consumer terms apply in full; no privacy distinction from Free or Pro |
| Anthropic | Claude Team | $25 / user / mo (annual) | 5 | $125 / mo | Off — contractual | Shared | Not safe | No training by contract — but shared infrastructure, no dedicated instance, no audit logs, no ZDR. No training ≠ isolated. |
| Anthropic | Claude Enterprise | Custom (≈$60 / user) | 20 (confirmed) | ≈$1,200 / mo | Off — contractual | Enterprise | Safe | Min. 20 seats confirmed; SSO/SCIM; audit logs; compliance API; ZDR available; usage billed separately at API rates |
| Anthropic | Anthropic API | Pay-per-token (from $1 / MTok) | None | Usage-based | Off — by policy | API-isolated | Safe | Commercial Terms; no training by policy; 7-day log retention; applies equally via Bedrock and Vertex AI |

No training ≠ isolated

The verdict column reflects two distinct thresholds. "Not safe" means training is on by default — your data actively enters the model pipeline unless you act. "Not for sensitive data" means no training by contract, but infrastructure is shared: no dedicated instance, no data residency, no audit logs, no zero data retention. Suitable for general professional use, not for data subject to legal privilege, regulatory obligation, or confidentiality agreements. "Safe" means both thresholds cleared: contractual no-training plus isolated infrastructure, audit logs, and ZDR options. That level only exists at Enterprise tier. X/xAI consumer plans clear neither threshold.

Start With the Right Assumptions

The first step in using any technology responsibly is understanding what it actually does — not what the interface suggests, not what the marketing implies, not what you assumed because you're paying for it. AI is no different, except that the gap between assumption and reality is currently wider than it has been for any consumer technology in recent memory.

We are all going to get things wrong with this. Individual users, organisations, and the providers themselves. The regulatory environment is visibly struggling to keep pace with the rate of development, and the frameworks that will eventually govern AI data practices are still being written. That is not a reason for paralysis. It is a reason for honesty about what we know and what we don't.

What you can control, right now, is where you start. Not with the assumption that paying more means being protected. Not with the assumption that a consumer interface is a private one. Not with the assumption that switching providers solves the structural problem rather than shifting it.

There is an old adage that applies here with some force. You probably know the one — it starts with "to assume makes...". If not, feel free to look it up. Google it, or ask your AI. Just, considering the above, be aware of what they might remember from that question ;-)