Choosing an AI provider is partly a privacy decision: does it train on your prompts, how long does it keep them, and will it stand behind GDPR? This tool puts the leading providers side by side on the dimensions that actually decide whether a model is safe to use with real business or customer data.
Why privacy terms differ so much between providers
AI providers operate across radically different product tiers, and the privacy terms often differ as much between tiers as between providers. The free consumer tier of one product and the enterprise API of a competitor can offer more similar privacy postures than the free and paid tiers of the same company. Understanding those differences is what lets you make a defensible procurement decision rather than an assumption.
The five dimensions this tool compares are chosen because they are the ones that actually decide whether you can put real business data into a system:
- Training on your data — whether your inputs are used to improve the model. This is the single most-asked question in enterprise procurement and the one most often misunderstood.
- Retention period — how long inputs and outputs are stored, and whether that differs between free and paid tiers.
- Third-party sharing — whether data flows to sub-processors for moderation, annotation, or service operation, and what controls exist.
- Enterprise/API protections — whether API and enterprise plans carry a data-processing agreement, contractual exclusions from training, and zero-retention options.
- GDPR posture — whether the provider offers a signed DPA, names a legal basis for processing, and has a EU or UK representative.
How it works
Pick two or more providers. The tool builds a comparison table across those five privacy dimensions with a short, plain-language summary in each cell. Where a provider’s consumer tier differs from its API or enterprise tier, the cell calls that out, because the difference is frequently the whole story.
The two distinctions that catch organisations out
Training opt-out ≠ zero retention. Switching off model training on your data means your inputs are not used to improve future model versions. It does not mean they are deleted immediately. A provider may retain inputs for days or weeks for abuse monitoring, safety review, or debugging, even with training opted out. If you need short or zero retention, that is a separate and usually premium setting — confirm it explicitly.
A DPA is the only GDPR artifact that counts. A provider’s website saying “GDPR compliant” is a marketing statement, not a legal commitment. A signed Data Processing Agreement (Article 28 GDPR) is what makes the relationship lawful for EU personal data — it names the sub-processors, sets instructions for processing, and assigns liability. Without it, relying on a provider for EU personal data is a compliance gap, regardless of their public claims.
Tips and notes
- Training opt-out ≠ zero retention. They are separate switches. Confirm both if you need both.
- A DPA is the deciding artifact for EU data — a marketing claim of “GDPR compliant” is not the same as a signed Data Processing Agreement.
- This table is a shortlisting aid, not legal advice. Always verify the live terms on the provider’s own legal pages, and pair this with the Data Residency Checker for region requirements.
- Re-check at renewal. Privacy terms change. A policy reviewed at procurement may look different at renewal, especially for rapidly evolving AI products.