Do OpenAI and Claude Train on Your Chats? What Their Data Policies Really Mean for Your Privacy

Are OpenAI and Claude harvesting your data? Parsing the claims and the policies

The Reddit thread linked below raises a blunt worry: we’re paying for ChatGPT and Claude while they quietly mine our chats, build profiles, and use that data to train models. It’s an important question, and the short answer is nuanced. Both companies do collect some data and offer “memory”-style features – but there are controls, and business plans treat data differently.

Here’s what the post gets right, what’s unproven, and how UK users and teams should respond.

Read the original Reddit discussion

What the Reddit author is worried about

“we’re literally PAYING them… and they’re using our conversations to train their models”

• Training on your chats: concern that everyday prompts and documents feed future model training without clear consent.
• “Memory” and history syncing: fear these features build detailed user profiles.
• Tracking cookies and clipboard monitoring: allegation that ChatGPT tracks cookies it suggests and reads your clipboard when you copy.
• Monetisation: claim that vendors profit twice – from subscriptions and from selling insights from user data.

What OpenAI and Anthropic say in their public docs

Per their published policies, both companies collect usage data and may use user content to improve services, with controls that vary by product tier and settings. Details change over time, so always check the current policy.

• OpenAI policies: Privacy Policy and “How your data is used”.
• Anthropic (Claude) policies: Privacy Policy.

Typical patterns you’ll see in those documents:

• Consumer web apps may use your content to improve models unless you change a setting (opt out) – not disclosed here for your specific account.
• Business/enterprise plans usually promise not to train on your data and offer stricter controls – confirm in your contract and vendor docs.
• API usage often has different rules from the consumer website – again, check the vendor’s current statement.

Key point: how your data is used depends on your plan and your settings. If you’re in the UK and using these tools for work, assume you need to actively configure privacy controls and document your choices.

Do “memory” features mean profiling?

Vendors use “memory” to mean a product feature that stores facts about you (e.g., preferred tone, projects) across chats. That’s separate from model training. “Training” means fine-tuning the underlying model weights on datasets; “memory” is typically stored metadata linked to your account.

Both companies provide toggles for chat history and memory. The exact defaults and scope can change – see the vendors’ help centres. If you’re uncomfortable, disable memory/history or create separate accounts/containers for sensitive work.

Clipboard monitoring and tracking cookies – what’s actually plausible?

The Reddit post claims clipboard monitoring and cookie tracking by ChatGPT. In a browser context, sites cannot freely read your clipboard without a user action and permission via the Clipboard API; silent, continuous clipboard scraping would be a serious security issue. This is not disclosed in the links above.

If you’re worried:

• Use your browser’s devtools Network tab to see what’s sent.
• Use privacy-focused browsers or extensions that block third-party trackers.
• Keep work and personal browsing separate (profiles/containers).

On “tracking cookies that ChatGPT suggests”: not disclosed. If you click links suggested by a chatbot, normal web tracking by the destination site applies. That’s not unique to AI tools, but the risk rises if you paste sensitive content then follow links.

UK perspective: GDPR, lawful basis, and sensitive data

In the UK, UK GDPR and the Data Protection Act 2018 apply. If you process personal data in ChatGPT or Claude, you need a lawful basis (e.g., legitimate interests or contract), and extra safeguards for special category data (e.g., health). The Information Commissioner’s Office (ICO) has guidance for AI and data protection.

• ICO guidance: AI and data protection.
• For businesses: complete a Data Protection Impact Assessment (DPIA) before using generative AI on personal data.
• Check international transfers (where data is processed) and put appropriate safeguards in place.

If you’re in regulated sectors (health, finance, legal), treat consumer AI apps as unapproved unless procurement has vetted them, a Data Processing Agreement is in place, and model-improvement usage is disabled or contractually excluded.

Practical steps to limit training and profiling risks

• Review and change data-improvement settings in your account. Check the vendor’s current controls and opt-out options in their help centre.
• Use business/enterprise tiers when handling client or personal data; these plans typically exclude training on your content – confirm contractually.
• Turn off chat history or “memory” for sensitive work; use private browsing or separate accounts.
• Don’t paste secrets, PII (personally identifiable information), or confidential client materials into consumer chatbots.
• Prefer Retrieval-Augmented Generation (RAG) for sensitive use cases: keep data in your own store and let the model read it at query time without training on it. RAG = the model retrieves relevant documents and uses them in the prompt; the base model weights aren’t changed.
• If you need automation, be mindful of data flow. For example, when connecting AI to spreadsheets or CRMs, restrict scope and avoid pulling personal data by default. See my quick guide to safer integrations: Connect ChatGPT and Google Sheets (with guardrails).
• For teams: log what goes into AI tools, set retention limits, and prepare to honour data subject rights (access, deletion).

Benefits vs risks: a balanced take

It’s fair to be sceptical of “memory” and default data collection. Default-on model improvement for consumer users blurs the line between product and research, and makes trust hinge on settings many people never touch.

Equally, using AI can be genuinely productive for drafting, analysis, and coding – if configured correctly. Business plans, privacy toggles, and RAG workflows can reduce risk substantially.

The strong claims in the Reddit post about clipboard monitoring aren’t substantiated in the sources cited here. The broader concern – that consumer AI products collect and use a lot of behavioural and content data unless you intervene – is valid.

Bottom line for UK users

• If you care about privacy, change the defaults: review memory/history and data-improvement settings.
• For work, treat data protection as a project: DPIA, lawful basis, contracts, and technical controls. Don’t rely on “it’s only a draft”.
• Prefer business plans or APIs with no-training guarantees when handling personal or client data. Confirm the vendor’s current position in their policies: OpenAI, Anthropic.

We shouldn’t be complacent, but we don’t need to panic either. Demand clear defaults, use the controls that exist, and keep sensitive data out of consumer chatbots unless you’ve got the paperwork and settings to match.