An IT manager, tired of warning colleagues away from American AI tools, finds what looks like the perfect answer: Le Chat, from the French company Mistral. It is EU-based, the data stays in Europe, and it sidesteps the US CLOUD Act questions that hang over the big US providers. Relieved, he tells the team it is approved - use it freely.
A week later, a support agent pastes a client's full record into the free Le Chat to draft a reply: name, account number, the complaint, a phone number. The data never leaves the EU. It is also, on the free tier, used to train the model and kept until someone deletes it - and it was a client's confidential record that, by any sensible policy, should never have been pasted into a chatbot at all.
Everything the IT manager believed about Le Chat was true. He had simply confused a better answer to one question - where does the data live? - with an answer to a different one: what should we be putting in?
Is Le Chat safe for business data?
On the dimension that gets the most attention, Le Chat is genuinely strong. Mistral is a French company; Le Chat stores data in the EU by default; it falls under EU regulators and the EU AI Act; and as an EU-incorporated provider it is structurally less exposed to the US CLOUD Act than a US firm storing data in Frankfurt. For an organisation that cares about data sovereignty, that is a real and credible advantage, and it deserves to be said plainly.
But jurisdiction answers a specific question: where does the data sit, and who can compel it? It does not answer the question that causes most incidents: what is a person about to type? The free Le Chat tier trains on conversations by default and retains them until deleted. And no model, however European, can decline data a user has already pasted. The European option is better. It is not a licence to paste anything.
How Le Chat handles your data
| | Free / Pro (consumer) | Team / Enterprise / paid API |
|---|---|---|
| Trains on your conversations | Yes, by default | No, by default |
| Retention | Until you delete | Controlled; API ~30 days |
| Data processing agreement | No | Yes |
| Data residency | EU by default | EU by default |
| Suitable for business data | No | Yes, with minimisation |
Free, Pro, and Student Le Chat are opted into training by default. Conversations are kept until you delete the chat or your account. You can opt out, but the default governs - and most users never change it.
Team, Enterprise, and the paid API are opted out of training by default and come with a data processing agreement, subprocessor transparency, and EU residency. This is the business-appropriate tier. Note the exceptions to "EU only": an explicitly chosen US API endpoint hosts data in the US, and data may be temporarily transferred to subprocessors outside the EU under GDPR safeguards.
The headline is simple: Le Chat's jurisdiction is a real advantage, but its data handling still depends on which tier you are on and what you put in.
The biggest privacy risks in Le Chat
1. Mistaking jurisdiction for permission
The defining risk. "It's EU-based and approved" quietly becomes "so I can paste client data." Better data residency lowers one risk and is read as lowering all of them. It does not.
2. The free tier's training default
On the free tier, conversations train the model by default and are kept until deleted. An EU address does not make that categorically safer than a US free tier on this specific point.
3. Over-trust leading to over-sharing
Precisely because Le Chat is the responsible choice, people relax. The same employee who would redact for ChatGPT pastes freely into Le Chat, reasoning that "this one is safe" - which mistakes the platform's compliance for their own.
4. The residency exceptions
"EU by default" has edges: a US API endpoint, temporary subprocessor transfers. For most users these are minor, but a team that assumes "always only in the EU" can be surprised.
5. Open-weight models ship lighter built-in safety
Security researchers have noted that open-weight models (which Mistral publishes) often carry lighter built-in guardrails than tightly controlled hosted services - a reminder that a model's jurisdiction says nothing about its safety behaviour. This is about the open weights, not a measurement of the hosted Le Chat service, but it underlines that "EU-made" and "safe to feed anything" are different claims.
Each of these is a version of the same trap: letting a real advantage on one axis stand in for safety on all of them.
What is actually at stake: consequences
GDPR does not stop applying because a provider is European. Putting a client's or employee's identifiable data into a chatbot is still processing that requires a lawful basis, data minimisation, and - for a business - a processor agreement. On the free tier, with training on by default, that data may also be used to improve a model. EU residency reduces the transfer risk; it does not remove the obligation to minimise.
Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability rests with the organisation as controller. The subtler risk with a tool like Le Chat is complacency: an approved, EU-based tool can become the place where data discipline quietly relaxes, precisely because everyone believes the hard part is already handled.
Verified incidents
February 2025 - CNIL complaint over the free tier
A complaint was filed with France's data protection authority, CNIL, alleging that the free version of Le Chat lacked an opt-out, so users could not stop their inputs being used for training without paying - framed as a consent problem under GDPR. Mistral has since introduced a control to object to training, now reflected in its policy. The episode is a useful illustration that even the EU-favoured tool needed a regulator nudge on its free tier. Source: CNIL complaint reporting, February 2025.
2025 - Independent privacy ranking places Le Chat first
In an independent 2025 ranking of generative AI platforms by data privacy, Le Chat was rated the least privacy-invasive of the platforms assessed, mainly for limited data collection. It is a third-party study rather than a regulatory audit, but it supports the genuine point that Mistral collects relatively little. Source: Incogni privacy ranking, 2025.
These are not scandals. They are evidence of the real shape of Le Chat: a strong privacy posture with a free-tier default that still needed fixing, and an honest reminder that "best of the bunch" is not the same as "paste anything."
Settings that help
1. Use a business tier for business data
Adopt Le Chat Team or Enterprise, or the paid API, where training is off by default and a data processing agreement applies. Keep client data out of the free consumer tier.
2. Turn off training on the free tier
If the free tier is used, opt out of training in the privacy settings (web: the privacy section; mobile: data and account controls). It applies going forward.
3. Keep EU processing where you need it
On business tiers, use EU endpoints and, where available, deactivate features involving non-EU subprocessor transfers.
4. Apply data minimisation regardless of tier
Treat Le Chat like any AI tool: do not paste more identifiable data than the task needs, even though the data stays in the EU.
Verified against Mistral's documentation current to mid-2026; product names and settings have been evolving, so confirm the live labels.
What settings do not solve
A training opt-out changes what Mistral does with your conversations. EU residency changes where they sit. Neither changes what a person decides to type.
No setting un-pastes the client record already sent to the free tier. No EU data centre makes a patient's identifier appropriate to put into a prompt. The one risk that follows you across every provider - a person sharing more personal data than the task required - is a human decision that jurisdiction cannot touch.
That is the gap a European address does not close: between where the data lives and what a person is about to hand it.
How BeeSensible helps before you send
BeeSensible checks personal data in browser text fields - including the Le Chat prompt - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a prompt, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.
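As an added example of the pre-send check this section describes, and of the data-minimisation step under "Settings that help", here is a small JavaScript scan that runs over prompt text before it is submitted, flags identifiable data and produces a masked version with placeholders. This is illustration code written for this page, not BeeSensible's or Mistral's code. The detectors (email, IBAN, bare account number, phone) are simple regex heuristics chosen as assumptions for the example; names and other free-text identifiers would need richer detection. The sample prompt is constructed to mirror the opening scenario.

```javascript
// Added example (not BeeSensible's or Mistral's code): a pre-send check that
// scans a chatbot prompt for identifiable data and replaces it with placeholders.
// The detectors are deliberately simple regex heuristics chosen for illustration;
// names and free-text identifiers need richer (e.g. NER-based) detection.

// Detectors in priority order: when two matches overlap, the earlier entry wins.
const DETECTORS = [
  { label: "EMAIL", regex: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // IBAN-style account identifiers: country code, check digits, 4-char groups
  { label: "IBAN", regex: /\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b/g },
  // Bare customer/account numbers: eight or more consecutive digits
  { label: "ACCOUNT_NUMBER", regex: /\b\d{8,}\b/g },
  // Phone numbers: optional "+", then 1-3 digits and 3-6 separated digit groups;
  // validated by total digit count so dates and short codes are not flagged
  {
    label: "PHONE",
    regex: /(?<!\w)\+?\d{1,3}(?:[\s.-]?\d{1,4}){3,6}(?!\w)/g,
    validate: (m) => { const n = m.replace(/\D/g, "").length; return n >= 9 && n <= 15; },
  },
];

function overlaps(a, b) { return a.start < b.end && b.start < a.end; }

// Return every detected span, sorted by position, with overlaps resolved by priority.
function findPersonalData(text) {
  const found = [];
  for (const { label, regex, validate } of DETECTORS) {
    regex.lastIndex = 0;
    let m;
    while ((m = regex.exec(text)) !== null) {
      const span = { label, value: m[0], start: m.index, end: m.index + m[0].length };
      if (validate && !validate(m[0])) continue;
      if (found.some((f) => overlaps(f, span))) continue;
      found.push(span);
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

// Build the masked prompt: each detected span becomes a [LABEL] placeholder.
function maskPersonalData(text, findings) {
  let out = "", cursor = 0;
  for (const f of findings) {
    out += text.slice(cursor, f.start) + `[${f.label}]`;
    cursor = f.end;
  }
  return out + text.slice(cursor);
}

// The check a pre-send hook would run: findings plus a masked version to send instead.
function scanPrompt(text) {
  const findings = findPersonalData(text);
  return { findings, masked: maskPersonalData(text, findings), clean: findings.length === 0 };
}

// Constructed sample: the kind of paste described in the opening scenario.
const SAMPLE_PROMPT =
  "Please draft a reply to Anna Example (account 12345678) who complained about a " +
  "double charge. Her email is anna.example@example.com and her phone is " +
  "+33 6 12 34 56 78. Reference IBAN FR76 3000 6000 0112 3456 7890 189.";

const result = scanPrompt(SAMPLE_PROMPT);
for (const f of result.findings) console.log(`${f.label} at ${f.start}: ${f.value}`);
console.log(result.masked);
```

The masked text is what would actually be sent; the findings list is what a user sees inline so they can decide to delete, replace or mask each item. Note that the check operates on text only and says nothing about tier, residency or training settings: it addresses the one risk those settings leave untouched, what a person is about to type.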