AI Foundations · Module 4 · Lesson 2 of 3
Retention and sharing: where your input goes after you send it
"The AI tool" is not one uniform policy — different products and account tiers from the same company can have different training and retention defaults, and a sent input can still travel further through shared links, integrations and screen-sharing.
By the end, you can
- Explain, in plain language, that different AI products and account tiers can have different data-retention and training defaults, so "the AI tool" is not one uniform policy (AF-4).
- Identify at least one question to ask about a specific AI tool's retention and training defaults before sending an input that has already passed Lesson 1's necessity check (AF-4).
- Give one example of a sharing risk that comes from how a conversation or output travels afterwards, separate from the AI vendor's own training policy (AF-4).
Before you start
This is Module 4, Lesson 2 of 3. It assumes Lesson 1's classification habit — this lesson starts from an input that has already been trimmed to what the task actually needs. The question here is different: once that trimmed input is sent, where does it go, and for how long? This lesson does not require coding or technical setup.
The same company, two different defaults
It is tempting to think of "does the AI tool keep my data" as a single yes/no fact about a vendor. It usually isn't — the honest answer depends on the specific product and account tier, not the company name alone. Anthropic's own privacy documentation makes this concrete with two different pages describing two different products. For its consumer product, Claude.ai, Anthropic lists three separate conditions under which chats and coding sessions will be used, including to improve its models. The first is a user choice: **"You choose to allow us to use your chats and coding sessions to improve Claude"** — through a specific, named setting, **"Model Improvement in your Privacy Settings."** The second is not controlled by that setting at all: conversations **"flagged for safety review"** may be used or analyzed **"to improve our ability to detect and enforce our Usage Policy, including training models for use by our Safeguards team"** — regardless of whether Model Improvement is switched on or off. The third is explicitly opting in to training some other way, such as joining its Trusted Tester Program. The same page adds that **"Your Incognito chats are not used to improve Claude, even if you have enabled Model Improvement in your Privacy Settings."** For its commercial products — the API and Claude for Work — the same company states a different default entirely: **"We will not use your chats or coding sessions to train our models, unless you choose to participate in our Development Partner Program."**
Two products, one company, two different pictures: on the consumer product, routine training use requires an opt-in — but a safety-flagged conversation may still be used for the vendor's Safeguards-team models regardless of that setting, so the toggle governs the routine case, not every case; the commercial product is not used for training by default unless an organisation separately opts into a named partner program. Neither arrangement is described here as good or bad — the point is that "AI tools all work the same way" is false even within a single vendor, and a privacy toggle's label does not necessarily cover every path an input can take. The only reliable way to know which conditions apply is to read the specific product's own policy for the product and account tier actually in front of you. That check has to be external, too: NIST frames an AI system itself as something that "generate[s] outputs such as predictions, recommendations, or decisions" — retention and training defaults are not part of that generation step, they are a separate product and account setting, so nothing about how fluent or careful a model's output looks tells you anything about what happens to your input afterwards.
"Not used for training" is not the same as "not kept"
Even a product that is not used for training may still retain what you send — meaning it is stored for a period, potentially reviewable by staff or automated safety systems, and potentially subject to legal or law-enforcement requests during that window. OWASP's generative-AI security guidance treats retention and training as two separate things a responsible AI product should document, recommending teams **"maintain clear policies about data retention, usage, and deletion"** and **"allow users to opt out of having their data included in training processes."** Notice that this recommendation names retention and deletion alongside training as distinct commitments — a product can honestly satisfy one without the other. A practical retention check before sending anything sensitive asks two separate questions, not one: *is this used for training*, and, separately, *how long is it kept, and who can see it while it is kept*.
Sharing risk that has nothing to do with the vendor's policy
A well-chosen product and tier controls what the vendor does with an input. It does not control everything that happens to a conversation or its output afterwards. Three sharing risks sit outside any vendor's training or retention policy entirely: a **shared link** — some AI chat tools let a conversation be turned into a link anyone with it can open, which is easy to send to the wrong person or leave accessible longer than intended; a **connected integration** — a tool linked to email, a shared drive or a calendar can pull in more context than the person typing realises, carrying sensitive material into the conversation without a deliberate paste; and **screen-sharing** — a sensitive AI conversation left open and visible during a video call or a shared screen, exposing it to an audience the conversation was never meant for. None of these three is a training or retention question at all — they are about who else can see the conversation, independent of what the vendor itself does with it.
A worked example: choosing a tier for an unreleased roadmap paragraph
A manager wants help polishing a paragraph describing an unreleased product roadmap for an internal slide deck. The paragraph has already passed Lesson 1's check — it is trimmed to only what the task needs, no more. The remaining question is this lesson's: where should it be sent?
Pasting it into a personal, free-tier consumer chatbot account means checking that product's specific training default rather than assuming one — and even where training is off, the input is still retained for some period under that product's own policy, plus whatever this manager's own device, browser extensions or screen-sharing habits might expose. Using the organisation's licensed commercial-tier account instead — the kind covered by a business agreement with the vendor, which typically comes with contractual retention and data-handling terms — is the safer default for content like this, precisely because Anthropic's own documentation above shows commercial and consumer defaults are not the same thing. If only a personal consumer account is available, the safer move is not to assume it is fine because "it's the same company's model" — it is to check that specific product's current settings, or ask the organisation's IT or data-protection contact before sending unreleased business content through it at all.
Accessibility notes
This lesson is text-first, with no images, audio, video or downloadable artifacts. The practice exercise's model answer sits behind a native disclosure control that is reachable and operable by keyboard and correctly announced by screen readers. The knowledge check uses native radio-button inputs with a visible question and options, and posts its result to a live status region so assistive technology announces the outcome without a page reload.
Practice
Choosing where to send a client contract draft
A freelance photographer is using an AI tool to help tidy the wording of a wedding photography contract before sending it to a new client. The draft already only contains what the task needs — service dates, deliverables and payment terms — after applying Lesson 1's classification check. The photographer has two options: a free, personal account on a consumer AI chatbot app installed on their phone, or a paid, business-tier account through the same AI company that came with a signed data-processing agreement when the photographer set up their studio's software.
- Name the two separate questions this lesson says to ask about retention, rather than treating 'does it train on my data' as the only question.
- Which of the two account options is the safer default for this task, and why, based on this lesson's worked example?
- Name one sharing risk from this lesson that would apply even if the photographer chose the safer account option.
- Write one sentence explaining why 'it's the same AI company either way' is not a good enough reason to skip checking which specific product and tier is being used.
Compare with a bounded first version
The two separate retention questions: is this input used to train the model, and, separately, how long is it kept and who can access it while it is kept. The business-tier account with a signed data-processing agreement is the safer default, for the same reason as the roadmap example: a commercial or business tier typically carries different, often stricter, training and retention defaults and contractual terms than a personal consumer account from the same company. A sharing risk that would still apply either way: if the photographer generates a shareable link to the AI conversation to show a business partner, or leaves the conversation open during a screen-share, the client's contract details could be seen by someone the photographer never intended, regardless of which account tier was used. One company can still have two different defaults for two different products, exactly as Anthropic's own consumer and commercial pages state different rules for the same organisation — so the specific product and tier must always be checked, not assumed from the company name.
Knowledge check
Try the idea
Low-stakes practice only. This does not score, block progress or create a learner record.Sources and limits
This lesson synthesises the sources below into a practical learning model. It is not a security standard, legal advice or a guarantee that any particular agent design is safe.
- Is my data used for model training? — Anthropic Privacy Center. Lists three conditions under which Anthropic's consumer Claude.ai chats are used, including in training — the Model Improvement opt-in, conversations flagged for safety review (used for Safeguards-team models regardless of that setting), and explicit program opt-ins — and states that Incognito chats are excluded from Model Improvement use.
- How do you use personal data in model training? — Anthropic Privacy Center. States that Anthropic's commercial products, including the API and Claude for Work, are not used to train models by default.
- LLM02:2025 Sensitive Information Disclosure — OWASP Gen AI Security Project. Recommends maintaining clear policies on data retention, usage and deletion, and allowing users to opt out of having their data used for training — the basis for treating "used for training" and "retained at all" as two separate questions.
- Artificial Intelligence Risk Management Framework 1.0 — NIST AI Resource Center. Frames an AI system as an engineered system that generates outputs — retention and sharing behaviour is a property of the specific product and account setting, not something the system's own reasoning decides or discloses.