A solicitor at a UK professional-services firm is finalising a client memo on a Friday afternoon. She copies the draft into Claude to check clarity before sending. The draft includes the client's full name, the counterparty's name, two disputed contract dates, a settlement figure, and a reference to a related regulatory investigation the client has not yet disclosed publicly.
An IT manager at a regional bank wants a three-paragraph board summary of an internal post-incident report. He opens Claude in his personal browser profile, pastes the report, and asks for a concise executive version. The report names the affected system, the vendors involved, three employees by role and initial, and the nature of the access-control gap that was exploited.
Neither person is being reckless. Both are trying to finish something under time pressure. That is where Claude privacy risk begins: in the everyday decision to paste work context into an AI tool without pausing to consider what that text contains.
The trust question behind the title question
Claude is built around a credible reputation for thoughtfulness. Anthropic's model documentation, usage policies, and public communications emphasise careful and honest AI. That credibility is part of why organisations reach for Claude when they need a reliable tool for sensitive drafting, analysis, and summarisation.
The privacy question, though, is not whether Claude responds carefully. The question is what happens to the text in your prompts: under which terms Anthropic can use it, how long it is retained, and what has gone wrong when vulnerabilities allowed conversation content to leave the platform unexpectedly. Those answers depend on account type, settings, and the security posture of the deployment.
How Claude handles your data
The most important variable is not which Claude model you use. It is which account type and contractual terms govern the session.
| Account | Training default | Data retention | Admin control |
|---|---|---|---|
| Free, Pro, Max (consumer) | On by default since September 2025 | 30 days if opted out; up to 5 years if opted in | No organisation-level control |
| Incognito mode (consumer) | Not used for training | Retained 30 days for safety review | Per-conversation setting, individual only |
| Claude for Work | Contractually excluded from training | Shorter retention under commercial terms | Workspace admin manages members and settings |
| Claude Enterprise | Contractually excluded from training; Zero Data Retention available | Immediate deletion after abuse checks with ZDR | Strongest control: SSO, SCIM, audit logging |
| API (commercial) | Never used for training | API logs deleted after 7 days | Full developer control over prompt handling |
The practical consequence is significant. A prompt submitted from a personal Pro account on September 29, 2025, and the same prompt submitted from a Claude for Work workspace on the same day, have different compliance implications. One is governed by consumer training terms with a five-year retention option; the other is contractually excluded from training under a data processing agreement. Employees using Claude across different contexts often do not know which regime applies to their session.
Six Claude leakage patterns to govern
1. The summarisation paste
The most frequent scenario. An employee pastes a support ticket, client complaint, HR note, legal draft, or intake form and asks Claude to summarise it. The model rarely needs the real name, email address, account ID, health detail, or full transaction history to produce a useful summary. Employees paste the full text because it is faster than reviewing and removing individual fields they consider secondary.
2. Drafting with embedded client context
Employees use Claude to sharpen email drafts, write proposals, and tighten meeting notes. When the draft already includes a client name, deal figure, project codename, or pending regulatory issue, the prompt carries business-sensitive material alongside any personal data in the text. The employee is focused on the writing task, not on the contextual data that came along with it.
3. Personal account used for real work
This is the quietest risk in most organisations. The employee already has Claude open in their personal browser profile, so work content goes there by default. The personal workspace has individual settings, individual training controls, and no central offboarding or audit trail. The organisation has no contractual data protection and no visibility into what was submitted.
4. Code and configuration shared for debugging
Developers and IT teams paste code, configuration files, log excerpts, and system descriptions into Claude for review and debugging. These prompts often include internal API endpoint names, employee email addresses in log lines, environment variable formats, and system architecture details. No credentials need to be pasted directly for the disclosure to matter.
5. Incognito mode understood as zero retention
Incognito mode is genuinely useful: it avoids chat history and model training. Employees who discover it may begin using it for sensitive work on the assumption that the conversation disappears once the tab is closed. Anthropic states that incognito conversations are still retained for 30 days for safety review purposes. That is meaningfully different from zero retention, and employees who have not read the full documentation may not understand the distinction.
6. Project context and knowledge bases in managed workspaces
Claude Enterprise allows organisations to build knowledge bases from uploaded documents, project summaries, and company context that Claude can reference. That capability is genuinely useful for maintaining consistency across a team, but it also means sensitive documents deliberately added to the workspace remain there until explicitly deleted. Employees who leave the organisation do not automatically remove their project uploads, and those files stay in the system.
Each of these situations has already caused real incidents in organisations that considered Claude properly managed.
What is actually at stake
For GDPR purposes, a Claude prompt is a personal data processing event if it contains an identifiable person. The organisation needs a lawful basis under Article 6, a processor relationship documented in a Data Processing Agreement with Anthropic, proportionate data minimisation, and the practical ability to respond to subject access and erasure requests.
Consumer accounts create the hardest compliance problem. If an employee uses a personal Claude account for work without the organisation's knowledge, there is no DPA, no log of what was processed, and no audit trail. The organisation is exposed to liability without having any information to respond with.
For UK organisations, the UK GDPR's requirements for processor contracts and appropriate technical measures apply in the same way as in the EU. The Information Commissioner's Office has consistently treated AI tool adoption without adequate processor agreements as an area of active scrutiny, and the expectation is that organisations can demonstrate what data went where and under what terms.
Beyond regulatory exposure, the downstream consequences are real. A pasted contract draft may include deal terms that should not leave a controlled environment. A post-incident report may expose a security gap before it is fully remediated. An HR note may contain special-category data. Under GDPR Article 83, fines for failing to implement appropriate technical measures can reach 2% of global annual turnover.
Verified incidents
January 2024 - Anthropic customer data exposed via service provider
Anthropic confirmed that one of its service providers accidentally sent a file containing a subset of Anthropic customer information, including open credit balances, to an unintended recipient. Anthropic stated that payment data and conversation content were not involved, and that the incident resulted from human error at the provider rather than a breach of Anthropic's own systems. For organisations relying on Anthropic's data handling, the incident illustrated that supply-chain exposure can affect user data outside Anthropic's direct control. Source: VentureBeat, January 2024.
October 2025 - Prompt injection allows data exfiltration via Code Interpreter
Security researchers disclosed that Claude's Code Interpreter, when given network access, could be manipulated through indirect prompt injection to exfiltrate private conversation content and upload it to attacker-controlled accounts. The attack worked by hiding malicious instructions inside documents or user inputs that Claude was asked to process, causing it to execute code that accessed and extracted chat history. Anthropic initially misclassified the finding before reversing its position and confirming it as a valid vulnerability on October 30, 2025. Source: eSecurity Planet / HackerOne responsible disclosure, October 2025.
March 2026 - "Claudy Day" zero-click attack chain on claude.ai
Oasis Security published a demonstration of a complete attack pipeline against claude.ai that chained invisible prompt injection with data exfiltration to extract conversation history from a default, out-of-the-box session without any user interaction. The researchers named it "Claudy Day" and demonstrated it against a standard claude.ai deployment. The prompt injection component was fixed by Anthropic; additional elements of the chain were being addressed at the time of publication. Source: Oasis Security / TechRadar / Dark Reading, March 2026.
September 2025 - Dark pattern consent interface draws GDPR criticism
When Anthropic updated its consumer terms so that users were opted in to model training by default, the consent interface came under significant scrutiny. The design presented a prominent black acceptance button alongside a small, pre-activated training toggle that legal commentators described as easy to overlook. Privacy researchers argued the interface constituted a dark pattern that failed GDPR's requirement for freely given, informed, and unambiguous consent. No formal enforcement action had been announced as of May 2026, but the European Data Protection Board's guidelines on deceptive design patterns had already set a clear standard against pre-selected options for data processing consent. Source: The Decoder / AI-Buzz, September 2025.
These four incidents represent different failure modes: supply-chain exposure, platform vulnerability, security research disclosure, and consent-design criticism. None was caused by the AI model responding incorrectly; all were caused by how the surrounding data infrastructure was designed or secured.
Settings that help
Five controls are worth reviewing before Claude is used broadly for work.
1. Audit which account type employees are using
Go to claude.ai > profile icon > Account settings to check the account type. If employees are on personal Free, Pro, or Max accounts, the organisation has no contractual data protection. Move work to Claude for Work or Enterprise before any regulated or confidential data is processed.
2. Turn off model improvement on consumer accounts
For personal accounts still in use: go to profile icon > Settings > Privacy > Help improve Claude > toggle Off. Conversations started after saving this change are no longer eligible for training. Conversations already included in a training run cannot be withdrawn retroactively.
3. Use Incognito mode for sensitive one-off prompts
Start a new chat outside a project and click the ghost icon in the upper-right corner of the screen. The chat does not appear in history, does not create memories, and is not used for model training. Anthropic retains incognito conversations for 30 days for safety purposes. Treat it as a reduced-risk setting, not as zero-retention.
4. Delete conversation history and review retention settings
Go to Settings > Data to manage conversation history. On Claude Enterprise, request Zero Data Retention configuration through Anthropic's commercial team, which enables immediate deletion after safety checks. Conversation history deletions via the UI remove entries from history and training eligibility, though a brief safety-retention period may still apply.
5. Obtain Anthropic's Data Processing Agreement for commercial use
Anthropic's commercial DPA, updated January 1, 2026, covers standard contractual clauses for international data transfers and is automatically incorporated into Claude for Work, Enterprise, and API commercial terms. Personal consumer accounts are not covered. Before any regulated personal data is processed in Claude, verify the DPA is in place and aligns with your organisation's GDPR processor obligations.
Steps verified in May 2026 with claude.ai, Anthropic Privacy Center at privacy.claude.com, and Anthropic Help Center at support.claude.com, updated through May 2026.
What settings do not solve
Settings determine how Anthropic handles conversation data after it arrives. They do not determine whether a prompt should have contained identifiable data in the first place.
Turning off model improvement does not anonymise a prompt that has already been submitted. Zero Data Retention does not tell an employee that a support thread includes a client's health condition. A Claude for Work workspace does not automatically prevent an HR manager from pasting a full performance-review file when a single anonymised sentence would have served the same purpose.
The gap is the moment before submission, when the text is still on screen and sensitive values can still be removed, replaced with placeholders, or masked. Settings operate downstream of that moment. They cannot act at it.
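The pre-submission step described above can be illustrated with a small masking routine. This is an added example, not code from Anthropic or BeeSensible: the patterns, the placeholder format and the sample text are assumptions, and it covers only email addresses, IBANs and payment-card numbers, using checksums so that look-alike numbers are not masked.

```javascript
// Added illustration; patterns and placeholder names are assumptions, not a vendor's rules.
// Luhn checksum for payment-card candidates (digits only).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}
// ISO 13616 mod-97 checksum for IBAN candidates (spaces removed).
function ibanValid(iban) {
  let rem = 0;
  for (const ch of iban.slice(4) + iban.slice(0, 4)) {
    const v = ch >= "A" ? String(ch.charCodeAt(0) - 55) : ch; // A=10 ... Z=35
    for (const c of v) rem = (rem * 10 + Number(c)) % 97;
  }
  return rem === 1;
}
const DETECTORS = [
  { label: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, ok: () => true },
  { label: "IBAN", re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g,
    ok: (m) => ibanValid(m.replace(/ /g, "")) },
  { label: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    ok: (m) => luhnValid(m.replace(/[ -]/g, "")) },
];
// Returns masked text plus a placeholder-to-value map that stays on the device.
function maskPrompt(text) {
  const map = {}, seen = new Map(), counters = {};
  for (const { label, re, ok } of DETECTORS) {
    text = text.replace(re, (m) => {
      if (!ok(m)) return m; // failed checksum: leave untouched (e.g. an order number)
      if (!seen.has(m)) {
        counters[label] = (counters[label] || 0) + 1;
        seen.set(m, `[${label}_${counters[label]}]`);
        map[seen.get(m)] = m;
      }
      return seen.get(m);
    });
  }
  return { masked: text, map };
}
// Constructed sample: the order number fails Luhn and is deliberately left alone.
const SAMPLE = "Customer j.doe@example.com disputes a charge on card 4111 1111 1111 1111. " +
  "Refund to GB82 WEST 1234 5698 7654 32, order 1234 5678 9012 3456. Reply to j.doe@example.com.";
console.log(maskPrompt(SAMPLE).masked);
```

Names and free-text details such as a health condition have no fixed shape or checksum, so pattern matching of this kind does not cover them.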
How BeeSensible helps before the prompt is submitted
BeeSensible checks personal data in browser text fields while the prompt is still being written. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. In Claude, names, phone numbers, IBANs, BSN equivalents, email addresses, payment-card details, and other configured categories can be flagged before the employee presses Enter.
The user sees the highlighted value and can remove it, replace it with a placeholder, or mask it. BeeSensible does not store prompt content. Admins can see data-category patterns across applications without accessing individual conversations.