# Privacy and confidential data: what not to paste
In early 2023, Samsung engineers pasted internal source code into ChatGPT to help debug it. Within weeks, the company discovered three separate leaks of confidential data, including proprietary code and meeting notes. Samsung's response was blunt: a company-wide ban on ChatGPT. The lesson cost them nothing in fines, but it cost them control over their own secrets.
That is the core problem with AI tools. They are so easy and helpful that you forget you are sending information to someone else's computer.
When you type into ChatGPT, Claude, or Gemini, your words travel to servers owned by OpenAI, Anthropic, or Google. The chat window feels private, like a notes app. It is not.
Depending on your settings and plan, what you paste can be:
"Used for training" is the scary one. In theory, fragments of sensitive text could influence what the model says to someone else later. The bigger, more realistic risk is simpler: your confidential data now lives on a server outside your company's control, and you cannot pull it back.
Here is a rule you can actually remember.
Before you paste, ask: would I email this to a random vendor I just met?
If the answer is no, do not paste it without protecting it first.
These are the categories that get people in trouble:
A concrete example. Do not paste this:
> "Summarize this support ticket: Customer Jane Doe, jane.doe@gmail.com, card ending 4412, complained that..."
Paste this instead:
> "Summarize this support ticket: Customer [NAME], [EMAIL], card ending [REDACTED], complained that..."
The AI still does the work. The sensitive parts never leave your building.
This is the part most people get wrong. The free version and the business version of the same tool treat your data very differently.
On the free tiers and most personal subscriptions, providers have historically used conversations to improve their models, with settings you have to find and toggle yourself.
As of 2026:
The takeaway: on consumer plans, you are responsible for checking the switches, and defaults change over time.
This is where the safety actually lives. Business tiers (ChatGPT Enterprise and Team, Claude for Work/Enterprise, Gemini for Google Workspace) generally promise:
This is why the right corporate response to the Samsung problem is usually not "ban AI." It is "give people an approved enterprise tool so they stop using personal accounts in secret." A ban just pushes employees to paste company secrets into ChatGPT on their phones, where you have zero visibility.
Always confirm specifics with your provider's current terms. A good starting point is OpenAI's Enterprise privacy page, which spells out their business commitments.
🎬 [VIDEO: "Is ChatGPT Safe? Privacy and Data Risks Explained" - youtube.com - a clear walkthrough of how AI chat data is stored, what gets used for training, and how to change your settings]
You do not need to be technical to work safely. You need a few habits.
Swap real values for placeholders. The AI does not need the real name to write a polite reply.
If you have ChatGPT Enterprise or Gemini in Workspace, use it instead of your personal login. The difference in data protection is enormous.
Two minutes in Settings. Do it once for every AI tool you use.
If you are processing many records, do not redact by hand. A short script can strip the obvious identifiers before anything reaches the AI. Here is a simple Python example that removes emails and phone numbers from text:
import re
def redact(text):
# Replace email addresses
text = re.sub(r'\b[\w.-]+@[\w.-]+\.\w+\b', '[EMAIL]', text)
# Replace phone numbers (simple US-style pattern)
text = re.sub(r'\b\d{3}[-.]?\d{3}[-.]?\d{4}\b', '[PHONE]', text)
return text
ticket = "Contact Jane at jane.doe@gmail.com or 555-123-4567 about the refund."
print(redact(ticket))
# Output: Contact Jane at [EMAIL] or [PHONE] about the refund.You run this first, then send the cleaned text to the AI. The model gets enough context to help, and the personal data never leaves your machine.
Vérification des acquis
1. What was Samsung's response after discovering that engineers had leaked confidential data through ChatGPT?
2. According to the lesson, what is the simple rule to apply before pasting anything into an AI tool?
3. The lesson mentions GDPR and HIPAA as examples of what?
4. Select ALL correct answers about what can happen to text you paste into an AI tool, according to the lesson.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers that fall under the lesson's 'never paste' categories.
Sélectionnez toutes les réponses correctes.
Not necessarily. Deleting a conversation from your screen does not guarantee it is wiped from backups or that it was never used for training before you deleted it. Treat anything you have pasted as already sent.
The risk is in what you paste, not what you ask. "How do I fix this?" is harmless. The 200 lines of internal code under it are the leak.
Enterprise tools protect data from the provider, not from your own bad habits. If you paste a colleague's salary into a shared team workspace, the privacy problem is now internal. Need-to-know still applies.
Be careful. Sometimes combining "anonymous" fields re-identifies someone. A redacted ticket that still says "the only left-handed engineer in the Tokyo office" is not anonymous. Strip context, not just names.
When you are about to paste something sensitive, run through this:
1. Is it confidential or personal? If no, paste away.
2. If yes, do I have an approved enterprise tool? Use it.
3. No enterprise tool? Redact the sensitive parts, then use the consumer tool with training turned off.
4. Can't redact it meaningfully? Don't paste it. Do that part by hand.
This flow would have saved Samsung. The engineers had a real need (debugging code) and reached for a real tool (ChatGPT). What was missing was step 2: an approved, safe channel for exactly that task.
Privacy mistakes rarely show up as a dramatic court case. They show up as:
The good news: avoiding all of this is mostly about a few small habits, repeated. You do not have to give up AI to stay safe. You just have to be deliberate about what crosses the line into someone else's servers.