- AI data retention refers to how long a platform stores your conversations, account data, and usage logs after you've sent them
- ChatGPT retains conversations indefinitely by default; deleted chats may be kept for up to 30 days before permanent removal
- Google Gemini Activity is kept until you delete it; Workspace admins can set retention policies
- The OpenAI API retains inputs/outputs for 30 days by default, then deletes — unless you've enabled zero-retention
- GDPR requires data to be kept "no longer than necessary" — most AI platforms' default retention periods are difficult to justify under this standard
AI data retention is the period during which an AI platform stores copies of your conversations, uploaded files, usage metadata, and account information after they've been submitted. Retention policies determine whether data is accessible to company staff, eligible for training use, and subject to legal holds or regulatory requests.
## Why AI data retention matters
When you type something into an AI tool, it doesn’t simply disappear after the response is generated. The platform retains a copy — sometimes for days, sometimes indefinitely. What happens to that copy during the retention period matters enormously.
Retained data can be used in several ways that organizations should understand:
- Model training. Retained conversations may be reviewed and used to improve future versions of the model, depending on the plan and settings.
- Human review. Platform staff — including Trust & Safety teams — can access retained conversations to investigate abuse, improve outputs, or respond to legal requests.
- Legal exposure. Retained data can be subpoenaed, produced in litigation, or disclosed in response to regulatory investigations. The longer data is retained, the larger the surface area of exposure.
- Breach risk. Data that exists can be lost. Indefinite retention means indefinite exposure to any future security incidents.
This is why the GDPR’s storage limitation principle (Article 5(1)(e)) exists. It requires that personal data be kept “no longer than is necessary for the purposes for which the personal data are processed.” Most consumer AI tools’ default retention periods are difficult to justify under this standard — which creates real compliance exposure for organizations whose employees use those tools for work.
## How long major AI platforms retain your data
Retention policies vary significantly across platforms and plan tiers. The table below summarises current defaults for the most widely used AI tools.
| Platform | Conversation retention | After deletion | Zero-retention option? | Notes |
|---|---|---|---|---|
| ChatGPT Free/Plus | Indefinite (while history on) | 30 days | No | Disabling history limits storage to a ~30-day safety window |
| ChatGPT Team | Indefinite | 30 days | No | Admin can delete |
| ChatGPT Enterprise | Configurable | 30 days min | Yes | Admins can set retention windows |
| OpenAI API | 30 days default | Purged after 30d | Yes | Zero-data-retention header available |
| Google Gemini (personal) | Until deleted | Deleted on request | No | Activity stored in Google account |
| Google Workspace Gemini | Admin-controlled | Admin-controlled | Yes | Retention policies via Google Vault |
| Microsoft Copilot (free) | Session only | N/A | N/A | No persistent storage for free tier |
| Microsoft 365 Copilot | 30 days | Deleted | No | Subject to M365 retention policies |
| Claude.ai (free/Pro) | Until deleted | Deleted | No | Anthropic may retain for safety/abuse |
| Anthropic API | 30 days | Purged | Yes | Ephemeral flag available for developers |
| Perplexity (free) | Until deleted | 30 days | No | Account deletion removes data |
| GitHub Copilot (individual) | 28 days of suggestions | Purged | No | No prompt retention for enterprise tier |
A clear pattern emerges: consumer and free-tier plans have the least favourable retention defaults. Business and enterprise plans — and developer APIs — offer considerably more control. Organizations whose employees use personal accounts on consumer tiers are operating under the weakest possible privacy protections.
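For API integrations, retention behaviour is effectively part of the request contract. The sketch below shows the general shape of a retention-minimising request. The endpoint URL, the `X-Data-Retention` header, and the `store` field are hypothetical placeholders: the real mechanism varies by vendor, and zero-data-retention is often granted at the organization level under a signed agreement rather than toggled per request, so always confirm against the vendor's own API documentation and DPA.

```python
# Illustrative sketch only: field and header names below are hypothetical
# placeholders, not any vendor's actual API. The point is that retention
# opt-outs should be explicit and auditable in your integration code.

def build_zero_retention_request(prompt: str, api_key: str) -> dict:
    """Assemble a request that asks the provider not to persist inputs/outputs."""
    return {
        "url": "https://api.example-ai.com/v1/chat",  # hypothetical endpoint
        "headers": {
            "Authorization": f"Bearer {api_key}",
            "X-Data-Retention": "none",  # hypothetical per-request opt-out header
        },
        "json": {
            "messages": [{"role": "user", "content": prompt}],
            "store": False,  # hypothetical flag: do not store for training/review
        },
    }

req = build_zero_retention_request("Summarise this contract clause.", "sk-demo")
```

Centralising request construction like this also gives compliance teams one place to verify that every outbound call carries the organization's negotiated retention settings.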
## What types of data AI tools actually retain
Most people think of “data retention” as covering only conversation text. In practice, AI platforms retain a much broader range of data:
- Conversation content. The full text of prompts and responses — including any client names, code, documents, or personal information included in prompts.
- Uploaded files. Documents, images, spreadsheets, and other files attached to conversations. These are often retained separately from conversation text and may have different deletion policies.
- Voice and image inputs. For platforms with voice or vision capabilities, audio and image data submitted to the model may be retained.
- Feedback signals. Thumbs up/down ratings, regeneration requests, and which responses you copied — these behavioural signals are retained and used to improve models.
- Usage metadata. Timestamps, session durations, features used, prompt frequency, and similar behavioural data.
- Browser and device fingerprints. Browser type, OS, screen resolution, and IP address — often retained longer than conversation data for fraud and abuse detection.
- Payment data. For paid plans, billing history and payment method metadata (though not raw card numbers) are retained according to financial record-keeping requirements.
- IP logs. Access logs recording which IPs accessed the service and when — often subject to longer legal holds than conversation content.
This breadth matters because even if an employee is careful about what they type, the metadata alone can reveal significant information about how your organization uses AI — and what you were working on when you used it.
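To make that breadth concrete, here is a hypothetical retained-metadata record. The field names are illustrative, not any platform's actual schema; the point is that none of these fields contain prompt text, yet together they reveal who used which feature, when, from where, and how intensively.

```python
from datetime import datetime, timezone

# Hypothetical usage-metadata record (illustrative schema, no prompt text).
metadata_record = {
    "user_id": "u_84921",
    "timestamp": datetime(2025, 3, 14, 9, 2, tzinfo=timezone.utc).isoformat(),
    "session_duration_s": 1840,       # how long the session lasted
    "feature": "file_upload",         # which capability was used
    "prompt_count": 23,               # how intensively it was used
    "ip_address": "203.0.113.7",      # where the request came from
    "user_agent": "Mozilla/5.0 (Windows NT 10.0)",  # device fingerprint
}
```

A week of such records is enough to infer working hours, project intensity, and which teams rely on which tools, without a single conversation being read.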
## GDPR and AI data retention
The GDPR’s storage limitation principle (Article 5(1)(e)) requires that personal data be kept “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” This is one of the six core principles of GDPR — and it applies directly to AI tool use.
When an employee submits personal data to an AI tool — a client’s name, a colleague’s performance review, a customer complaint — the platform’s retention period becomes part of your organization’s data processing footprint. If that platform retains the data indefinitely without a documented legal basis, that’s a GDPR problem for your organization, not just the platform.
There are several mechanisms organizations can use to bring AI retention into compliance:
- Data Processing Agreements (DPAs). A signed DPA with an AI vendor allows you to negotiate shorter retention windows, restrict data use, and establish clear controller/processor relationships. Most consumer AI products don’t offer DPAs — only business plans do.
- Right to erasure (Article 17). EU residents can request deletion of their personal data from AI platforms. All major platforms operating in the EU must provide a mechanism for this. However, platforms can refuse requests under certain exceptions — including legitimate interests such as safety and fraud prevention — which limits how much individual requests solve the systemic problem.
- Business plan negotiation. Enterprise agreements typically allow configurable retention periods. Negotiating shorter windows as part of procurement is more effective than relying on individual deletion requests.
The liability point bears repeating: if an employee submits personal data about a client or colleague to a consumer AI tool with indefinite retention, the organization may bear responsibility for that retention under the storage limitation principle, even though it does not control the platform.
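One practical control that follows from the storage limitation principle is a periodic audit of stored AI-related records against a documented retention limit. A minimal sketch, assuming each record carries a creation timestamp (the 90-day limit and record shape are illustrative):

```python
from datetime import datetime, timedelta, timezone

def overdue_for_deletion(records: list[dict], retention_days: int) -> list[dict]:
    """Return records held longer than the documented retention period,
    i.e. candidates for deletion under the storage limitation principle."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=retention_days)
    return [r for r in records if r["created_at"] < cutoff]

records = [
    {"id": "conv-1", "created_at": datetime.now(timezone.utc) - timedelta(days=400)},
    {"id": "conv-2", "created_at": datetime.now(timezone.utc) - timedelta(days=5)},
]
stale = overdue_for_deletion(records, retention_days=90)
# conv-1 exceeds a 90-day limit; conv-2 does not
```

Running a check like this against your own exports of AI activity data turns the "no longer than necessary" standard into something you can evidence in an audit.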
## What organizations should do
Addressing AI data retention risk requires both policy and tooling. Here are the four most effective actions:
- Use business or enterprise plans with configurable retention. Consumer-tier AI tools give you no control over retention. Enterprise agreements do. If your team uses an AI tool regularly, the business plan isn’t just about features — it’s about the legal baseline you’re operating on.
- Sign Data Processing Agreements before deploying any AI tool for work. A DPA establishes the legal relationship between your organization and the AI vendor, and allows you to negotiate retention limits, restrict data use to service delivery, and document your compliance position.
- Categorize data sensitivity and set clear rules. Not all data carries the same risk. Define which categories of data may never be entered into any AI tool (e.g., special category personal data, M&A information, source code), and communicate these rules clearly to employees.
- Monitor which tools employees actually use. You can’t enforce retention policies for tools you don’t know employees are using. Browser-level monitoring — without reading prompt content — lets you build an accurate picture of your organization’s AI usage footprint before a retention issue becomes a compliance incident.
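The categorization rule above can be enforced mechanically rather than by policy document alone. A minimal sketch, assuming simple per-category regex rules (the categories and patterns are illustrative, and a production deployment would use a proper data-loss-prevention classifier):

```python
import re

# Illustrative prohibited-data rules: each category maps to a pattern that
# should never appear in text sent to an external AI tool. "Project Atlas"
# is a hypothetical internal codename used only for this example.
PROHIBITED = {
    "special_category_data": re.compile(r"\b(diagnosis|ethnicity|trade union)\b", re.I),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "internal_project": re.compile(r"\bproject[- ]atlas\b", re.I),
}

def check_prompt(text: str) -> list[str]:
    """Return the prohibited categories a prompt would violate (empty = OK)."""
    return [name for name, pattern in PROHIBITED.items() if pattern.search(text)]

check_prompt("Summarise the Project Atlas term sheet")  # flags "internal_project"
check_prompt("What is the capital of France?")          # flags nothing
```

Even a crude pre-send check like this catches the most damaging cases, and the category list doubles as the written rule set you communicate to employees.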
The goal isn’t to prohibit AI use — it’s to ensure that the tools employees use have retention terms your organization can defend. That requires visibility, policy, and the right tier of commercial agreement with each vendor.