Can I Use ChatGPT With Client Data? The Honest Business Owner's Guide
Your team is using ChatGPT to draft client proposals, analyse contracts, and summarise meetings. The efficiency gains are real. So is the legal exposure. Here's what you are actually risking and what to do about it.
Key Takeaways
The free tier of ChatGPT stores and may use your conversations for model training. If your team is inputting client data into the free tier, that data may be used to train OpenAI's models — almost certainly not what your client agreed to.
ChatGPT Enterprise and API access have different data handling terms that can be configured to not train on your data — but these require a paid subscription and specific settings to be activated.
If client data is protected by a confidentiality agreement, using it in commercial AI tools without the client's knowledge likely breaches that agreement — regardless of whether OpenAI handles it appropriately.
Professional obligations — legal professional privilege, medical confidentiality, financial adviser duties, accountant-client privilege — apply regardless of what tool is used. AI tools do not create exceptions to these obligations.
The practical framework: categorise your data (public, internal, confidential, regulated), decide which categories can go into which AI tools, document this in a one-page AI acceptable use policy, and train your team.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. For specific advice, consult a qualified professional."
Can I use ChatGPT with client data? The honest answer
Whether you can use ChatGPT with client data depends on which subscription tier you use and what your professional and regulatory obligations require. Free and Plus tiers use conversations for model training by default. Enterprise and Team tiers do not train on your data and offer a Data Processing Agreement. The same pattern applies to Claude, Copilot, and Gemini. For regulated professionals — lawyers, accountants, financial advisors, healthcare providers — the enterprise tier with a DPA is the minimum acceptable configuration.
The tier distinction matters
Consumer/free tier (ChatGPT Free, ChatGPT Plus). OpenAI's terms for consumer tiers historically permitted use of inputs and outputs for model training. Users can opt out via settings, but the default has varied. Even where training is disabled, data may be retained for abuse monitoring and safety. This tier is not appropriate for client data in professional services, legal, financial, healthcare, or any context where confidentiality obligations apply.
Business tier (ChatGPT Team). OpenAI states that business data is not used for training. A Data Processing Agreement is available. This tier is more appropriate for professional use, but verify the specific terms.
Enterprise tier (ChatGPT Enterprise). OpenAI explicitly commits: data is not used for training; SOC 2 Type II compliance; data encryption at rest and in transit; admin controls. This tier is designed for professional use with confidential data. The enterprise agreement includes a DPA.
The same applies to other tools
Claude (Anthropic). Free and Pro tiers have different data handling than Team and Enterprise. Team tier states no training on business data. Enterprise tier adds additional security commitments.
Microsoft Copilot. Data handling depends on whether you're using Copilot within Microsoft 365 (covered by your existing Microsoft enterprise agreement) or the consumer Copilot product (different terms).
Google Gemini. Similar tiered distinction between consumer and Workspace Enterprise.
What your obligations require
Legal professional privilege / attorney-client privilege. Inputting privileged communications into AI tools risks waiver. If the tool's terms permit data access by vendor staff or sub-processors, privilege may be waived. Enterprise tiers with appropriate contractual protections mitigate but don't eliminate this risk. Multiple bar associations have issued guidance; the consensus is that practitioners must understand the tool's data handling before using it with privileged material.
Confidentiality agreements with clients. Most professional services contracts include confidentiality obligations. If your confidentiality agreement restricts sharing client information with third parties, inputting that information into an AI tool constitutes sharing with the vendor. The vendor's terms may permit further use. Enterprise agreements with no-training commitments and DPAs address this but must be verified.
Data protection law. GDPR, UK GDPR, PDPA, DPDP Act, Australian Privacy Act: if client data constitutes personal data, you need a lawful basis for processing. The AI vendor is typically a data processor. You need a DPA. Consumer-tier AI tools rarely offer adequate DPAs for professional use.
Regulatory obligations. FCA, APRA, MAS, HIPAA, SEC — regulated industries have specific obligations regarding data handling that apply to AI tool use. Most regulators expect enterprise-tier tools with appropriate contractual protections for regulated data.
The practical answer
Don't put client data into free or consumer-tier AI tools. For professional use, choose an enterprise or business tier with a contractually binding no-training commitment and a DPA. Verify the specific terms for the tier you're using; don't assume from vendor marketing. Establish an AI policy that specifies which tools are approved for which data categories. Train staff on what data can go where. When in doubt, anonymise or use synthetic data.
Primary sources: OpenAI Enterprise Privacy · Anthropic Commercial Terms