AI Data Retention Policies: What Each Provider Keeps and For How Long (2026)
After the Heppner ruling established that AI chat logs can be subpoenaed, understanding what each provider retains is no longer optional — it’s a legal necessity.
Every AI provider stores your data differently. Some keep it for 30 days, some indefinitely. Some use it for training, some don’t. The difference between API and consumer access matters enormously.
Provider comparison
| Provider | API retention | Consumer retention | Used for training | Delete option | DPA available |
|---|---|---|---|---|---|
| OpenAI | 30 days (default) | Longer (account-based) | API: No, Consumer: Opt-out | API: Yes | Yes |
| Anthropic | 30 days | 30 days | No (by default) | Yes | Yes |
| Google (Gemini) | Varies by product | Up to 36 months | Workspace: No | Admin controls | Yes |
| Mistral | 30 days | Session-based | No (API) | Yes | Yes (EU-based) |
| DeepSeek | Unclear | Unclear | Likely yes | Limited | No |
| Ollama (local) | None (local) | None | No | N/A | N/A |
OpenAI
API: Input and output data retained for 30 days for abuse monitoring, then deleted. Not used for model training. You can request zero-day retention for eligible use cases.
ChatGPT (consumer): Conversations stored in your account indefinitely unless you delete them. With “Chat History & Training” disabled in settings, conversations are retained for 30 days for abuse monitoring only and not used for training.
Enterprise: Full admin controls, no training on your data, SOC 2 compliant.
Key action: If you’re using ChatGPT for work, disable “Chat History & Training” in settings. For production apps, use the API with the default 30-day retention.
Anthropic
API: Prompts and completions retained for 30 days for trust and safety, then deleted. Not used for training by default.
Claude.ai (consumer): Conversations retained for 30 days. Anthropic states they do not train on user conversations by default.
Note: Anthropic now requires government ID verification for subscriptions, which means your identity is linked to your chat history.
Key action: For sensitive work, use the API. For maximum privacy, use Claude Code with the API rather than claude.ai.
Google
Gemini API: Retention varies by product and configuration. Google Workspace customers have admin controls over data retention.
Gemini consumer: Google’s privacy policy allows retention for up to 36 months. Data may be used to improve products.
Vertex AI: Enterprise controls, data not used for training, configurable retention.
Key action: For enterprise use, use Vertex AI with explicit data retention settings. Avoid the consumer Gemini app for sensitive work.
The self-hosted option
The only way to guarantee zero data retention by third parties: run models locally.
| Self-hosted option | Setup effort | Quality | Cost |
|---|---|---|---|
| Ollama on your machine | 5 minutes | Good (8B-70B models) | $0 |
| Ollama on VPS | 30 minutes | Good | $20-80/mo |
| RunPod GPU | 15 minutes | Excellent | $50-300/mo |
With self-hosted models, your data never leaves your infrastructure. There’s nothing to subpoena from a third party, nothing to retain, and nothing to worry about under GDPR.
What to do right now
- Audit your AI tool usage. Which providers do your team members use? Consumer or API?
- Switch sensitive work to API access with explicit retention settings.
- Create a data classification policy. What’s okay for cloud AI? What requires self-hosted?
- Review DPAs. If you’re in the EU, ensure you have Data Processing Agreements with each provider.
- Consider self-hosting for your most sensitive use cases.
For AI product builders
If you’re building products that use AI APIs:
- Document which providers you use in your privacy policy
- Offer data retention controls to your users
- Use API access (not consumer) for all production workloads
- Consider self-hosted models for privacy-sensitive features
- Implement your own retention policy — don’t rely on the provider’s