
Le Chat is the European option - and it still can't fix the paste

Mistral's Le Chat is the GDPR-friendly choice: a French company, EU data residency, no US CLOUD Act exposure by structure. All of that is real and genuinely valuable. None of it changes what an employee chooses to type into the box.

[Interactive demo, shown here as text] Le Chat prompt: "Turn these notes into a short, client-safe summary." Reply: "Here is a summary. Review the marked details before sharing it." Status line: "Processed in the EU. Review sensitive details before sharing." In the live version, each highlighted value can be clicked to show its action options.

Quick answer

Mistral's Le Chat is a genuinely strong privacy choice on jurisdiction: a French company, EU data residency by default, and structurally less exposure to the US CLOUD Act. That is real and worth crediting. But jurisdiction governs where data sits and who can compel it - not what enters the prompt. The free Le Chat tier still trains on conversations by default and keeps them until deleted, and an EU-hosted model still ingests whatever an employee pastes. The European option is better; it is not a reason to paste anything.

1. Mistral is a French/EU company with EU data residency by default - a real jurisdictional advantage.
2. The free Le Chat tier trains on conversations by default and keeps them until you delete them.
3. Team, Enterprise, and paid API tiers are excluded from training by default and offer a data processing agreement.
4. EU hosting does not change what an employee types - data minimisation still applies.
5. A 2025 CNIL complaint over the free tier's missing opt-out has since been addressed with a control.

An IT manager, tired of warning colleagues away from American AI tools, finds what looks like the perfect answer: Le Chat, from the French company Mistral. It is EU-based, the data stays in Europe, and it sidesteps the US CLOUD Act questions that hang over the big US providers. Relieved, he tells the team it is approved - use it freely.

A week later, a support agent pastes a client's full record into the free Le Chat to draft a reply: name, account number, the complaint, a phone number. The data never leaves the EU. It is also, on the free tier, used to train the model and kept until someone deletes it - and it was a client's confidential record that, by any sensible policy, should never have been pasted into a chatbot at all.

Everything the IT manager believed about Le Chat was true. He had simply confused a better answer to one question - where does the data live? - with an answer to a different one: what should we be putting in?

Is Le Chat safe for business data?

On the dimension that gets the most attention, Le Chat is genuinely strong. Mistral is a French company; Le Chat stores data in the EU by default; it falls under EU regulators and the EU AI Act; and as an EU-incorporated provider it is structurally less exposed to the US CLOUD Act than a US firm storing data in Frankfurt. For an organisation that cares about data sovereignty, that is a real and credible advantage, and it deserves to be said plainly.

But jurisdiction answers a specific question: where does the data sit, and who can compel it? It does not answer the question that causes most incidents: what is a person about to type? The free Le Chat tier trains on conversations by default and retains them until deleted. And no model, however European, can decline data a user has already pasted. The European option is better. It is not a licence to paste anything.

How Le Chat handles your data

                              Free / Pro (consumer)    Team / Enterprise / paid API
Trains on your conversations  Yes, by default          No, by default
Retention                     Until you delete         Controlled; API ~30 days
Data processing agreement     No                       Yes
Data residency                EU by default            EU by default
Suitable for business data    No                       Yes, with minimisation

Free, Pro, and Student Le Chat are opted into training by default. Conversations are kept until you delete the chat or your account. You can opt out, but the default governs - and most users never change it.

Team, Enterprise, and the paid API are opted out of training by default and come with a data processing agreement, subprocessor transparency, and EU residency. This is the business-appropriate tier. Note the exceptions to "EU only": an explicitly chosen US API endpoint hosts data in the US, and data may be temporarily transferred to subprocessors outside the EU under GDPR safeguards.

The headline is simple: Le Chat's jurisdiction is a real advantage, but its data handling still depends on which tier you are on and what you put in.

The biggest privacy risks in Le Chat

1. Mistaking jurisdiction for permission

The defining risk. "It's EU-based and approved" quietly becomes "so I can paste client data." Better data residency lowers one risk and is read as lowering all of them. It does not.

2. The free tier's training default

On the free tier, conversations train the model by default and are kept until deleted. An EU address does not make that categorically safer than a US free tier on this specific point.

3. Over-trust leading to over-sharing

Precisely because Le Chat is the responsible choice, people relax. The same employee who would redact for ChatGPT pastes freely into Le Chat, reasoning that "this one is safe" - which mistakes the platform's compliance for their own.

4. The residency exceptions

"EU by default" has edges: a US API endpoint, temporary subprocessor transfers. For most users these are minor, but a team that assumes "always only in the EU" can be surprised.

5. Open-weight models ship lighter built-in safety

Security researchers have noted that open-weight models (which Mistral publishes) often carry lighter built-in guardrails than tightly controlled hosted services - a reminder that a model's jurisdiction says nothing about its safety behaviour. This is about the open weights, not a measurement of the hosted Le Chat service, but it underlines that "EU-made" and "safe to feed anything" are different claims.

Each of these is a version of the same trap: letting a real advantage on one axis stand in for safety on all of them.

What is actually at stake: consequences

GDPR does not stop applying because a provider is European. Putting a client's or employee's identifiable data into a chatbot is still processing that requires a lawful basis, data minimisation, and - for a business - a processor agreement. On the free tier, with training on by default, that data may also be used to improve a model. EU residency reduces the transfer risk; it does not remove the obligation to minimise.

Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability rests with the organisation as controller. The subtler risk with a tool like Le Chat is complacency: an approved, EU-based tool can become the place where data discipline quietly relaxes, precisely because everyone believes the hard part is already handled.

Verified incidents

February 2025 - CNIL complaint over the free tier

A complaint was filed with France's data protection authority, CNIL, alleging that the free version of Le Chat lacked an opt-out, so users could not stop their inputs being used for training without paying - framed as a consent problem under GDPR. Mistral has since introduced a control to object to training, now reflected in its policy. The episode is a useful illustration that even the EU-favoured tool needed a regulator nudge on its free tier. Source: CNIL complaint reporting, February 2025.

2025 - Independent privacy ranking places Le Chat first

In an independent 2025 ranking of generative AI platforms by data privacy, Le Chat was rated the least privacy-invasive of the platforms assessed, mainly for limited data collection. It is a third-party study rather than a regulatory audit, but it supports the genuine point that Mistral collects relatively little. Source: Incogni privacy ranking, 2025.

These are not scandals. They are evidence of the real shape of Le Chat: a strong privacy posture with a free-tier default that still needed fixing, and an honest reminder that "best of the bunch" is not the same as "paste anything."

Settings that help

1. Use a business tier for business data

Adopt Le Chat Team or Enterprise, or the paid API, where training is off by default and a data processing agreement applies. Keep client data out of the free consumer tier.

2. Turn off training on the free tier

If the free tier is used, opt out of training in the privacy settings (web: the privacy section; mobile: data and account controls). The opt-out applies only to conversations from that point on.

3. Keep EU processing where you need it

On business tiers, use EU endpoints and, where available, deactivate features involving non-EU subprocessor transfers.

4. Apply data minimisation regardless of tier

Treat Le Chat like any AI tool: do not paste more identifiable data than the task needs, even though the data stays in the EU.

Verified against Mistral's documentation current to mid-2026; product names and settings have been evolving, so confirm the live labels.

What settings do not solve

A training opt-out changes what Mistral does with your conversations. EU residency changes where they sit. Neither changes what a person decides to type.

No setting un-pastes the client record already sent to the free tier. No EU data centre makes a patient's identifier appropriate to put into a prompt. The one risk that follows you across every provider - a person sharing more personal data than the task required - is a human decision that jurisdiction cannot touch.

That is the gap a European address does not close: between where the data lives and what a person is about to hand it.

How BeeSensible helps before you send

BeeSensible checks personal data in browser text fields - including the Le Chat prompt - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a prompt, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.
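As an added illustration of the pre-send check described above (example code written for this article, not BeeSensible's own implementation), here is a small scanner that runs locally over the prompt text, flags values that look like an IBAN, a phone number or an e-mail address using simple regular expressions (assumed patterns, deliberately minimal), and rewrites the prompt according to the user's choice for each finding: placeholder, mask, or delete. The sample prompt and every value in it are constructed; name detection, which the post mentions, needs more than regular expressions and is left out here.

```javascript
// Added example for this article, not BeeSensible's code. A minimal
// client-side pre-send scanner: detect likely personal data in a prompt,
// let the user choose an action per finding, and rewrite the text locally
// so nothing leaves the machine before the user has seen it.
// The detector patterns are assumptions for the demo and deliberately simple.

const DETECTORS = [
  // E-mail address
  { type: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // International phone number written with a leading +, e.g. +31 6 1234 5678
  { type: 'phone', re: /\+\d{1,3}[ -]?\d(?:[ -]?\d){7,12}/g },
  // IBAN written without spaces: country code, check digits, 11-30 alphanumerics
  { type: 'iban', re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },
];

// Scan `text` and return non-overlapping findings sorted by position.
function scan(text) {
  const findings = [];
  for (const { type, re } of DETECTORS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      findings.push({ type, value: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  findings.sort((a, b) => a.start - b.start);
  const kept = [];
  let lastEnd = -1;
  for (const f of findings) {
    if (f.start >= lastEnd) { kept.push(f); lastEnd = f.end; } // drop overlaps
  }
  return kept;
}

// Rewrite `text` according to the user's per-finding choices.
// `choices` maps a finding index to 'placeholder' | 'mask' | 'delete';
// findings without a choice are left exactly as typed (the user decides).
function applyChoices(text, findings, choices) {
  let out = '';
  let pos = 0;
  findings.forEach((f, i) => {
    out += text.slice(pos, f.start);
    const action = choices[i];
    let next = f.end;
    if (action === 'placeholder') {
      out += `[${f.type.toUpperCase()}]`;
    } else if (action === 'mask') {
      // keep the last four characters so the user can still recognise the value
      out += '*'.repeat(Math.max(0, f.value.length - 4)) + f.value.slice(-4);
    } else if (action === 'delete') {
      if (text[next] === ' ') next += 1; // avoid leaving a doubled space
    } else {
      out += f.value;
    }
    pos = next;
  });
  return out + text.slice(pos);
}

// A send gate: true only when nothing detectable remains in the prompt.
function readyToSend(text) {
  return scan(text).length === 0;
}

// Constructed sample prompt; the name, IBAN, phone number and address are invented.
const SAMPLE =
  'Client Jan de Vries, account NL00TEST0123456789, called from +31 6 1234 5678 ' +
  'and wrote to jan@example.com about the refund. Draft a client-safe summary.';

const findings = scan(SAMPLE);
console.log(findings.map((f) => `${f.type}: ${f.value}`));
const rewritten = applyChoices(SAMPLE, findings, { 0: 'mask', 1: 'placeholder', 2: 'delete' });
console.log(rewritten, readyToSend(rewritten));
```

Running the block lists the three findings and prints the rewritten prompt; readyToSend stays false for the original text and becomes true once every finding has been handled. A production detector would add broader patterns, IBAN check-digit validation to cut false positives, and context-aware name detection, but the shape is the same: detect locally, show the user exactly what was found, and let them act before anything is sent.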


Message content is not stored. The user makes every decision.

For Le Chat, this is the piece that jurisdiction cannot provide. Choosing an EU-based, business-tier tool is the right structural decision - it handles where data lives and who can compel it. BeeSensible handles the part that remains: the client name beside an account number that a person is about to paste, regardless of how European the destination is. The two work together - better jurisdiction, plus awareness at the keyboard.

Le Chat is a genuinely good answer to "where should our data live?" It was never meant to answer "what should we put in?" That question stays with the person typing - and the most useful thing you can do is make sure they can see the sensitive part before they send it.

FAQ

Common questions

Is Mistral's Le Chat safe for business data?

Le Chat has a real jurisdictional advantage: Mistral is a French company with EU data residency by default and a data processing agreement for business tiers, which makes it a strong GDPR-aligned choice. But the free tier trains on your conversations by default and retains them until you delete them, and EU hosting does not change what an employee pastes. For business use, the Team, Enterprise, or paid API tiers - with training excluded and a DPA - are the appropriate choice, combined with normal data minimisation.

Does Le Chat keep my data in the EU?

By default, Le Chat data is hosted in the EU - a genuine advantage over US-based providers. There are exceptions to be aware of: if you explicitly use a US API endpoint your data is hosted in the US, and data can be temporarily transferred to subprocessors outside the EU under GDPR safeguards. Enterprise customers can deactivate features involving non-EU transfers. 'EU by default' is accurate; 'always only in the EU' is not.

Does the free version of Le Chat train on my conversations?

Yes, by default. On the free, Pro, and Student tiers, your inputs and outputs can be used to train Mistral's models unless you opt out, and conversations are kept until you delete the chat or your account. The Team, Enterprise, and paid API tiers are opted out of training by default. So 'EU-based' does not automatically mean 'not used for training' - that depends on your tier and settings.

Is Le Chat better for GDPR than ChatGPT or Gemini?

On jurisdiction, plausibly yes: an EU-incorporated provider is structurally less exposed to the US CLOUD Act, offers EU data residency by default, and falls under EU regulators directly. That is a real, if legally untested, advantage. But GDPR compliance also depends on having a processor agreement, minimising the personal data you process, and a lawful basis - none of which the provider's location decides for you. Better jurisdiction is a strong start, not the whole answer.

What's the catch with an EU-based AI like Le Chat?

There isn't a hidden catch - the catch is the same one every AI tool has: the model still receives whatever a person types. EU hosting protects where the data lives and who can compel it; it does nothing to stop an employee pasting a client's account number or a patient's details into the prompt. Data minimisation is a controller-side decision that no provider's jurisdiction can make for you.

Which Le Chat tier should a business use?

Use Le Chat Team or Enterprise, or the paid API - these are excluded from training by default and come with a data processing agreement, subprocessor transparency, and EU data residency. Avoid running business or client data through the free consumer tier, which trains by default and retains conversations. Then apply normal data minimisation regardless of tier.
