AI and data privacy – how to use AI safely

Millions use AI services daily. Fewer consider what happens to the data they share. Here's what you should know.

Why privacy matters when using AI

When you ask an AI a question, your text is sent to the company's cloud servers for processing. This means everything you write — ideas, drafts, questions — leaves your device and is stored by the provider. Most major AI companies use this data to train and improve their models.

For everyday use — help with emails, general questions, creative writing — this is rarely an issue. But when using AI for work, sharing customer data, or asking sensitive questions, you should know what you're consenting to.

Privacy laws like GDPR apply in principle to anyone processing data about European citizens. In practice, compliance varies significantly among different AI companies.

Which AI services are safest?

Here's a comparison of the privacy policies of the five largest AI services:

| Service | Trains on input | GDPR | Data storage | Note |
|---|---|---|---|---|
| Claude (Anthropic) | No (API) | Yes | USA | Does not train on API data. claude.ai users can opt out. |
| ChatGPT (OpenAI) | Yes (opt-out) | Yes | USA | Trains on conversations by default. Disable in settings. |
| Gemini (Google) | Yes (opt-out) | Yes | USA/EU | Uses data for product improvement. Can be disabled. |
| DeepSeek (DeepSeek) | Yes | No | China | Chinese company. Data stored in China. No GDPR guarantee. |
| Mistral (Mistral AI) | No (API) | Yes | EU (France) | European company, GDPR-certified, does not train on API data. |

Mistral and Claude are safest for sensitive data: both are European/GDPR-compliant and do not train on API input. DeepSeek should be avoided for confidential information as data is stored in China.

Tips for safe AI use

Don't share sensitive information
Avoid personal identification numbers, passwords, credit card details, and confidential business data. AI models are not designed to securely store secrets.
Disable training consent
In ChatGPT: Settings → Data Control → disable 'Improve the model for everyone'. In Gemini: Activity settings → disable 'Gemini Apps Activity'. Claude and Mistral do not train on input by default.
Choose European services when important
Mistral AI is based in France and subject to GDPR. For businesses processing personal data about Norwegian/EU citizens, this is a significant advantage over US services.
Read the privacy policy
It's tedious, but it takes 5 minutes and gives you a clear understanding of what you're consenting to. This is particularly important for businesses evaluating AI in their workflows.
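
The first tip can be enforced before a prompt leaves the device. The following Python filter is an added example, not part of the original article: it replaces payment card numbers, Norwegian national identity numbers and password-style assignments with placeholders, using checksums so that ordinary numbers are left alone. The patterns, function names and sample text are assumptions constructed for illustration.

```python
import re

# Candidate patterns (assumptions for this example, not an exhaustive list).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digits
FNR_RE = re.compile(r"\b\d{6} ?\d{5}\b")                  # 11 digits
SECRET_RE = re.compile(
    r"(?i)\b(password|passord|api[_ -]?key|token)\b(\s*[:=]\s*)\S+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def fnr_ok(digits: str) -> bool:
    """Mod-11 control digits of a Norwegian national identity number."""
    n = [int(c) for c in digits]
    w1 = (3, 7, 6, 1, 8, 9, 4, 5, 2)
    w2 = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)
    k1 = (11 - sum(a * b for a, b in zip(w1, n)) % 11) % 11
    k2 = (11 - sum(a * b for a, b in zip(w2, n)) % 11) % 11
    return k1 == n[9] and k2 == n[10]

def redact(prompt: str) -> tuple[str, list[str]]:
    """Return the scrubbed prompt and the kinds of data that were replaced."""
    found = []

    def checked(kind, validator):
        def repl(m):
            if not validator(re.sub(r"\D", "", m.group())):
                return m.group()             # checksum fails: not sensitive
            found.append(kind)
            return f"[{kind} REDACTED]"
        return repl

    def secret(m):
        found.append("SECRET")
        return f"{m.group(1)}{m.group(2)}[SECRET REDACTED]"

    prompt = SECRET_RE.sub(secret, prompt)
    prompt = CARD_RE.sub(checked("CARD", luhn_ok), prompt)
    prompt = FNR_RE.sub(checked("NATIONAL_ID", fnr_ok), prompt)
    return prompt, found

# Constructed sample: a test card number, and an ID whose month field (81)
# is not a real date, so it cannot belong to a person.
SAMPLE = ("Reply to the customer. Card 4111 1111 1111 1111, national ID "
          "01819012446, password: hunter2 Order 1234567890123 shipped.")
```

Calling `redact(SAMPLE)` returns the scrubbed text together with the list of categories that were replaced; the order number stays intact because it fails the Luhn check.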

VPN and AI – an extra layer of privacy

A VPN (Virtual Private Network) encrypts your internet traffic and hides your IP address. This means AI services won't see your real IP address, and your internet provider won't see which AI services you're using.

VPNs are particularly useful on public WiFi (cafés, hotels, airports) where traffic can be intercepted, and for those wanting an extra buffer between themselves and AI companies. A VPN isn't a complete privacy solution — what you write to the AI service is still stored by them — but it prevents unnecessary exposure along the way.

NordVPN
One of the most recognised VPN services. Norwegian-friendly interface, no-logging policy, and servers in over 60 countries.

EU AI Act — what does it mean for Norwegian users?

The EU AI Act is the world's first comprehensive AI law; it came into force in August 2024. The law applies to all AI services used in the EU/EEA — including Norwegian users of ChatGPT, Claude, and Gemini.

For individuals
Minimal direct impact on everyday chat use. The companies behind AI services are responsible for compliance, not end users. You do have the right to know when interacting with AI in public services.
For businesses
If you use AI in decision-making processes affecting employees, customers, or credit, this may trigger requirements for documentation and human oversight. High-risk applications (HR, medicine, credit) have the strictest requirements.
European alternatives
Mistral AI (France) is already GDPR-certified and better positioned for EU AI Act compliance than US and Chinese players. Mistral Le Chat is a solid choice with European privacy standards.
Chinese services like DeepSeek have no GDPR data processing agreement and store data in China. For Norwegian businesses handling personal data, this is unsuitable — even if the price is tempting.

Frequently asked questions about AI and privacy

Can AI services read what I write?
Yes — everything you write is sent to the provider's servers for processing. Employees can potentially see content flagged for review during security incidents or complaints. The most important thing to know: DeepSeek stores data in China without GDPR guarantees, while Mistral (EU, France) and Claude (does not train on API data) are safest for sensitive information. Never share passwords, personal identification numbers, or confidential business data with any AI service.
Does ChatGPT train on my conversations?
Yes, by default. OpenAI uses conversations for model training. Disable this under Settings → Data Control → 'Improve models for everyone'. ChatGPT Teams and Enterprise include a data processing agreement (DPA) and do not train on content — for businesses in Norway and the EU, these are the only OpenAI products that meet GDPR requirements. API users are exempt from training by default.
Is it safe to use free AI?
For non-sensitive information: yes. But be aware of what 'free' costs in terms of data privacy. Free ChatGPT trains on your conversations by default. Free Gemini does the same. Mistral Le Chat is an exception: a European company, GDPR-certified. A solid free alternative that doesn't monetise your data.
Do I need a VPN to use AI?
Not for regular use, but a VPN provides an extra layer of privacy on public WiFi by encrypting traffic and hiding your IP address. Important: VPNs don't change what AI services store about your conversations — that depends on data processing agreements and provider choices. For real control over your data, choose Mistral (EU) or use Claude/OpenAI via API with a DPA.
