What happens to your data in Claude? The privacy risks, explained

Claude can be a useful work tool, but account type determines whether Anthropic trains on your conversations. The gap that settings cannot close is the sensitive context employees paste before pressing Enter.

Quick answer

Claude is not automatically unsafe for business data, but account type matters significantly. Consumer accounts (Free, Pro, Max) have had model training turned on by default since September 2025; Claude for Work and Enterprise are contractually excluded from training under commercial terms. The practical risk is the same as with any AI tool: an employee pastes a customer record, HR note, or contract excerpt before policy or settings can intervene.

1. Consumer Claude accounts have had model training on by default since September 2025; opt out in Privacy settings

2. Claude for Work and Enterprise exclude conversations from training under commercial terms, not just settings

3. Incognito mode avoids chat history and training, but Anthropic retains incognito data for 30 days

4. Prompt injection vulnerabilities in 2025 and 2026 allowed conversation data to be exfiltrated from claude.ai

5. Under GDPR, pasting identifiable customer, HR, or financial data into any AI tool is a processing event requiring a lawful basis

A solicitor at a UK professional-services firm is finalising a client memo on a Friday afternoon. She copies the draft into Claude to check clarity before sending. The draft includes the client's full name, the counterparty's name, two disputed contract dates, a settlement figure, and a reference to a related regulatory investigation the client has not yet disclosed publicly.

An IT manager at a regional bank wants a three-paragraph board summary of an internal post-incident report. He opens Claude in his personal browser profile, pastes the report, and asks for a concise executive version. The report names the affected system, the vendors involved, three employees by role and initial, and the nature of the access-control gap that was exploited.

Neither person is being reckless. Both are trying to finish something under time pressure. That is where Claude privacy risk begins: in the everyday decision to paste work context into an AI tool without pausing to consider what that text contains.

The trust question behind the title question

Claude is built around a credible reputation for thoughtfulness. Anthropic's model documentation, usage policies, and public communications emphasise careful and honest AI. That credibility is part of why organisations reach for Claude when they need a reliable tool for sensitive drafting, analysis, and summarisation.

The privacy question, though, is not whether Claude responds carefully. The question is what happens to the text in your prompts: under which terms Anthropic can use it, how long it is retained, and what has gone wrong when vulnerabilities allowed conversation content to leave the platform unexpectedly. Those answers depend on account type, settings, and the security posture of the deployment.

How Claude handles your data

The most important variable is not which Claude model you use. It is which account type and contractual terms govern the session.

| Account | Training default | Data retention | Admin control |
|---|---|---|---|
| Free, Pro, Max (consumer) | On by default since September 2025 | 30 days if opted out; up to 5 years if opted in | No organisation-level control |
| Incognito mode (consumer) | Not used for training | Retained 30 days for safety review | Per-conversation setting, individual only |
| Claude for Work | Contractually excluded from training | Shorter retention under commercial terms | Workspace admin manages members and settings |
| Claude Enterprise | Contractually excluded from training; Zero Data Retention available | Immediate deletion after abuse checks with ZDR | Strongest control: SSO, SCIM, audit logging |
| API (commercial) | Never used for training | API logs deleted after 7 days | Full developer control over prompt handling |

The practical consequence is significant. A prompt submitted from a personal Pro account on September 29, 2025, and the same prompt submitted from a Claude for Work workspace on the same day, have different compliance implications. One is governed by consumer training terms with a five-year retention option; the other is contractually excluded from training under a data processing agreement. Employees using Claude across different contexts often do not know which regime applies to their session.

Six Claude leakage patterns to govern

1. The summarisation paste

The most frequent scenario. An employee pastes a support ticket, client complaint, HR note, legal draft, or intake form and asks Claude to summarise it. The model rarely needs the real name, email address, account ID, health detail, or full transaction history to produce a useful summary. Employees paste the full text because it is faster than reviewing and removing individual fields they consider secondary.

2. Drafting with embedded client context

Employees use Claude to sharpen email drafts, write proposals, and tighten meeting notes. When the draft already includes a client name, deal figure, project codename, or pending regulatory issue, the prompt carries business-sensitive material alongside any personal data in the text. The employee is focused on the writing task, not on the contextual data that came along with it.

3. Personal account used for real work

This is the quietest risk in most organisations. The employee already has Claude open in their personal browser profile, so work content goes there by default. The personal workspace has individual settings, individual training controls, and no central offboarding or audit trail. The organisation has no contractual data protection and no visibility into what was submitted.

4. Code and configuration shared for debugging

Developers and IT teams paste code, configuration files, log excerpts, and system descriptions into Claude for review and debugging. These prompts often include internal API endpoint names, employee email addresses in log lines, environment variable formats, and system architecture details. No credentials need to be pasted directly for the disclosure to matter.

5. Incognito mode understood as zero retention

Incognito mode is genuinely useful: it avoids chat history and model training. Employees who discover it may begin using it for sensitive work on the assumption that the conversation disappears once the tab is closed. Anthropic states that incognito conversations are still retained for 30 days for safety review purposes. That is meaningfully different from zero retention, and employees who have not read the full documentation may not understand the distinction.

6. Project context and knowledge bases in managed workspaces

Claude Enterprise allows organisations to build knowledge bases from uploaded documents, project summaries, and company context that Claude can reference. That capability is genuinely useful for maintaining consistency across a team, but it also means sensitive documents deliberately added to the workspace remain there until explicitly deleted. Employees who leave the organisation do not automatically remove their project uploads, and those files stay in the system.

Each of these situations has already caused real incidents in organisations that considered Claude properly managed.

What is actually at stake

For GDPR purposes, a Claude prompt is a personal data processing event if it contains an identifiable person. The organisation needs a lawful basis under Article 6, a processor relationship documented in a Data Processing Agreement with Anthropic, proportionate data minimisation, and the practical ability to respond to subject access and erasure requests.

Consumer accounts create the hardest compliance problem. If an employee uses a personal Claude account for work without the organisation's knowledge, there is no DPA, no log of what was processed, and no audit trail. The organisation is exposed to liability without having any information to respond with.

For UK organisations, the UK GDPR's requirements for processor contracts and appropriate technical measures apply in the same way as in the EU. The Information Commissioner's Office has consistently treated AI tool adoption without adequate processor agreements as an area of active scrutiny, and the expectation is that organisations can demonstrate what data went where and under what terms.

Beyond regulatory exposure, the downstream consequences are real. A pasted contract draft may include deal terms that should not leave a controlled environment. A post-incident report may expose a security gap before it is fully remediated. An HR note may contain special-category data. Under GDPR Article 83, fines for failing to implement appropriate technical measures can reach 2% of global annual turnover.

Verified incidents

January 2024 - Anthropic customer data exposed via service provider

Anthropic confirmed that one of its service providers accidentally sent a file containing a subset of Anthropic customer information, including open credit balances, to an unintended recipient. Anthropic stated that payment data and conversation content were not involved, and that the incident resulted from human error at the provider rather than a breach of Anthropic's own systems. For organisations relying on Anthropic's data handling, the incident illustrated that supply-chain exposure can affect user data outside Anthropic's direct control. Source: VentureBeat, January 2024.

October 2025 - Prompt injection allows data exfiltration via Code Interpreter

Security researchers disclosed that Claude's Code Interpreter, when given network access, could be manipulated through indirect prompt injection to exfiltrate private conversation content and upload it to attacker-controlled accounts. The attack worked by hiding malicious instructions inside documents or user inputs that Claude was asked to process, causing it to execute code that accessed and extracted chat history. Anthropic initially misclassified the finding before reversing its position and confirming it as a valid vulnerability on October 30, 2025. Source: eSecurity Planet / HackerOne responsible disclosure, October 2025.

March 2026 - "Claudy Day" zero-click attack chain on claude.ai

Oasis Security published a demonstration of a complete attack pipeline against claude.ai that chained invisible prompt injection with data exfiltration to extract conversation history from a default, out-of-the-box session without any user interaction. The researchers named it "Claudy Day" and demonstrated it against a standard claude.ai deployment. The prompt injection component was fixed by Anthropic; additional elements of the chain were being addressed at the time of publication. Source: Oasis Security / TechRadar / Dark Reading, March 2026.

When Anthropic updated its consumer terms to turn model training on by default, the consent interface came under significant scrutiny. The design presented a prominent black acceptance button alongside a small, pre-activated training toggle that legal commentators described as easy to overlook. Privacy researchers argued the interface constituted a dark pattern that failed GDPR's requirement for freely given, informed, and unambiguous consent. No formal enforcement action had been announced as of May 2026, but the European Data Protection Board's guidelines on deceptive design patterns had already set a clear standard against pre-selected options for data processing consent. Source: The Decoder / AI-Buzz, September 2025.

These four incidents represent different failure modes: supply-chain exposure, platform vulnerability, security research disclosure, and consent-design criticism. None was caused by the AI model responding incorrectly; all were caused by how the surrounding data infrastructure was designed or secured.

Settings that help

Five controls are worth reviewing before Claude is used broadly for work.

1. Audit which account type employees are using

Go to claude.ai > profile icon > Account settings to check the account type. If employees are on personal Free, Pro, or Max accounts, the organisation has no contractual data protection. Move work to Claude for Work or Enterprise before any regulated or confidential data is processed.

2. Turn off model improvement on consumer accounts

For personal accounts still in use: go to profile icon > Settings > Privacy > Help improve Claude > toggle Off. Conversations started after saving this change are no longer eligible for training. Conversations already included in a training run cannot be withdrawn retroactively.

3. Use Incognito mode for sensitive one-off prompts

Start a new chat outside a project and click the ghost icon in the upper-right corner of the screen. The chat does not appear in history, does not create memories, and is not used for model training. Anthropic retains incognito conversations for 30 days for safety purposes. Treat it as a reduced-risk setting, not as zero-retention.

4. Delete conversation history and review retention settings

Go to Settings > Data to manage conversation history. On Claude Enterprise, request Zero Data Retention configuration through Anthropic's commercial team, which enables immediate deletion after safety checks. Conversation history deletions via the UI remove entries from history and training eligibility, though a brief safety-retention period may still apply.

5. Obtain Anthropic's Data Processing Agreement for commercial use

Anthropic's commercial DPA, updated January 1, 2026, covers standard contractual clauses for international data transfers and is automatically incorporated into Claude for Work, Enterprise, and API commercial terms. Personal consumer accounts are not covered. Before any regulated personal data is processed in Claude, verify the DPA is in place and aligns with your organisation's GDPR processor obligations.

Steps verified in May 2026 with claude.ai, Anthropic Privacy Center at privacy.claude.com, and Anthropic Help Center at support.claude.com, updated through May 2026.

What settings do not solve

Settings determine how Anthropic handles conversation data after it arrives. They do not determine whether a prompt should have contained identifiable data in the first place.

Turning off model improvement does not anonymise a prompt that has already been submitted. Zero Data Retention does not tell an employee that a support thread includes a client's health condition. A Claude for Work workspace does not automatically prevent an HR manager from pasting a full performance-review file when a single anonymised sentence would have served the same purpose.

The gap is the moment before submission, when the text is still on screen and sensitive values can still be removed, replaced with placeholders, or masked. Settings operate downstream of that moment. They cannot act at it.
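The replace-with-placeholder step described above, as an added example that is not code from the original page or from any product it mentions. `scrubPrompt`, `DETECTORS` and the sample prompt are assumptions made for illustration; IBAN and card candidates are confirmed with their checksums (mod-97, Luhn) so lookalike numbers such as order references are left alone.

```javascript
// Added example: pre-submission prompt scrubber with constructed, deliberately narrow patterns.

// IBAN mod-97 check: move the first four characters to the end, map A-Z to 10-35.
function isValidIban(raw) {
  const s = raw.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const digits = (s.slice(4) + s.slice(0, 4))
    .replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const d of digits) rem = (rem * 10 + Number(d)) % 97;
  return rem === 1;
}

// Luhn check: double every second digit from the right; the sum must end in 0.
function isValidCard(raw) {
  const d = raw.replace(/\D/g, "");
  if (d.length < 13 || d.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < d.length; i++) {
    let n = Number(d[d.length - 1 - i]);
    if (i % 2 === 1) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
  }
  return sum % 10 === 0;
}

// Order matters: IBANs are replaced before the card pattern sees their digit runs.
const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "IBAN", re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g, check: isValidIban },
  { type: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g, check: isValidCard },
  { type: "PHONE", re: /\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b/g },
];

// Returns the scrubbed text plus category-level findings (no raw values are kept).
function scrubPrompt(text) {
  const findings = [];
  const seen = new Map(); // same value -> same placeholder, so the task still reads coherently
  let out = text;
  for (const { type, re, check } of DETECTORS) {
    out = out.replace(re, (match) => {
      if (check && !check(match)) return match; // checksum failed: leave the text alone
      const key = type + ":" + match.replace(/[\s-]/g, "").toLowerCase();
      if (!seen.has(key)) {
        const n = findings.filter((f) => f.type === type).length + 1;
        seen.set(key, `[${type}_${n}]`);
        findings.push({ type, placeholder: seen.get(key) });
      }
      return seen.get(key);
    });
  }
  return { text: out, findings };
}

// Constructed sample prompt (test card number, textbook IBAN, reserved example domain).
const SAMPLE = "Client j.doe@example.com (tel +44 20 7946 0958) disputes the charge on " +
  "card 4111 1111 1111 1111. Refund to GB82 WEST 1234 5698 7654 32. " +
  "Order ref 1234 5678 9012 3456 is unrelated. Reply to j.doe@example.com.";
console.log(scrubPrompt(SAMPLE).text);
```

Regexes with checksums catch structured identifiers only; names, health details and client context in free text need other detection and human review.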

How BeeSensible helps before the prompt is submitted

BeeSensible checks personal data in browser text fields while the prompt is still being written. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. In Claude, names, phone numbers, IBANs, BSN equivalents, email addresses, payment-card details, and other configured categories can be flagged before the employee presses Enter.

The user sees the highlighted value and can remove it, replace it with a placeholder, or mask it. BeeSensible does not store prompt content. Admins can see data-category patterns across applications without accessing individual conversations.

This sits alongside Claude for Work controls, organisational policy, and user training. It addresses the part of the risk surface those tools leave open: the composition window, where the text is still editable and a decision can still be made.

Claude's usefulness comes from its ability to work with real, contextual language. That same characteristic is why prompts so often carry more data than the task requires. The goal is not to make employees hesitant about AI tools; it is to make the presence of sensitive data visible at the moment when it can still be acted on. Settings document what happened; BeeSensible operates at the point where the outcome is still open.

FAQ

Common questions

Is Claude safe for company data?

Claude can be used safely when the organisation uses Claude for Work or Enterprise, which contractually exclude training, and when employees know not to paste unnecessary identifiable data. Consumer Claude accounts have model training on by default and should not be used for regulated or confidential work data without an explicit opt-out and a data processing agreement in place.

Does Anthropic train on Claude conversations?

Anthropic has trained on consumer conversations (Free, Pro, Max) by default since September 2025. Users can turn off the Help improve Claude toggle in Privacy settings. Claude for Work, Enterprise, and API deployments are contractually excluded from training under commercial terms and do not rely on an individual opt-out toggle to keep data out of training.

Is Claude Incognito mode enough for sensitive work?

Incognito mode prevents chat history and model training, but Anthropic retains incognito conversation data for 30 days for safety purposes. It is a useful personal privacy control, not a substitute for a managed business deployment with appropriate data processing terms and a DPA.

What GDPR risks apply to using Claude at work?

Any prompt containing an identifiable person is a personal data processing event under GDPR. The organisation needs a lawful basis, data minimisation, and appropriate processor terms with Anthropic. Consumer accounts without a DPA leave the organisation without a compliant processor relationship and without visibility into what was processed.

What should employees remove before using Claude for work?

Remove direct identifiers such as names, email addresses, phone numbers, IBANs, national ID numbers, account numbers, health details, HR records, client names, and contract parties. Placeholder text or anonymised descriptions work for most editing, summarisation, and drafting tasks without exposing identifiable data.
