General 13 min read

What You Type Into a Hosted AI Doesn't Stay Yours

MMNMNOTE
ai-privacydata-ownershiplocal-firstdata-retentionai-and-your-notes

What you type into a hosted AI can be retained on a server, used to train the next model, reviewed by a human for safety, and — in one 2025 case — held by court order past the moment you hit delete. That is the design of sending text across a perimeter, not a glitch. Your own notes never cross it.

This essay is not about which assistant is "safe." Every major provider runs the same architecture: the prompt leaves your machine, lands on theirs, and from that instant their rules govern it. The honest version of that fact beats both the vendor's reassurance and the privacy panic. There are opt-outs and carve-outs. And there is one structural truth no setting reaches: a third party can outvote your delete button once the text is on the other side.

What most people believe about the delete button

Most people assume a hosted AI works like a notebook with a trash can: type a prompt, get an answer, delete the chat, and it's gone. That model is reasonable and, for the everyday case, half-true. Providers do delete unsaved conversations on a schedule. The missing half is what "gone" means once your text sits on someone else's servers.

The trash-can intuition comes from decades of local software, where deleting a file deleted the file. A cloud assistant inverts that. As the Ink & Switch local-first researchers put it, "in the cloud, ownership of data is vested in the servers, not the users, and so we became borrowers of our own data."1 You are not deleting your copy. You are requesting that the borrower delete theirs — and the borrower has obligations you don't see.

Why "delete" is not the end of the story

The clearest proof that delete is a request, not a guarantee, came in 2025. A court ordered OpenAI to preserve logs that would normally have been wiped. In OpenAI's words: "The New York Times is demanding that we retain even deleted ChatGPT chats ... and API content that would typically be automatically removed from our systems within 30 days."2

OpenAI opposed the order and described it plainly: "Right now, the court order forces us to retain consumer ChatGPT and API content going forward."3 When a user asked the direct question, "If you delete my data from ChatGPT, will it still be retained under this order?", the answer was yes; the company was required to retain content going forward while it challenged the order.4

Be precise about what this proves, because the order itself did not stay frozen. It was a 2025 legal event that a court later narrowed in October 2025. The durable lesson is not "your chats are kept forever." It is structural: a party who is not you — and not the AI company — can override your delete. The button is real. Its authority is not absolute.

What you opt into without reading the toggle

For most consumers the bigger surprise isn't litigation — it's training, which often defaults on. In August 2025 Anthropic changed its consumer terms: "We will train new models using data from Free, Pro, and Max accounts when this setting is on."5 The same update was "extending data retention to five years, if you allow us to use your data for model training."6

There is an honest other side, and it belongs in the same breath. If you decline, the window shrinks: "If you do not choose to provide your data for model training, you'll continue with our existing 30-day data retention period."7 Users had until October 8, 2025 to make the choice.5 So the real picture is a fork, not a trap — opt in and your prompts can train a model and persist for years; opt out and they age out in a month.

The catch is what the toggle does not cover. Turning off training is not the same as turning off retention. (For getting your own copy of those conversations back out as files, see own your AI chat history.)

The retention you can't toggle off

Some retention isn't a preference; it's part of how the model runs. Anthropic's Mythos-class documentation states: "Prompts submitted to, and outputs generated by, Mythos-class models are retained for 30 days for trust and safety purposes, on every platform where these models are offered."8 "On every platform" is the load-bearing phrase.

The reason is not cartoon villainy — and this is where the panic version gets it wrong. When Claude Fable 5 launched on AWS in June 2026, the announcement spelled out the logic: "Anthropic will require 30-day retention for all traffic on Mythos-class models. Retaining data for a limited period allows Anthropic to detect patterns of misuse that are not visible from a single exchange. Once you opt into data retention, your data will leave AWS's data and security boundary."9

Read that last sentence twice. Even routing a model through an enterprise cloud's "security boundary" does not keep the text inside it once safety retention applies. The point is not that retention is evil. The point is that it is outside your control by design — including the part that survives every opt-out you can find.

What you actually control

Here is the line you can draw with certainty: you cannot govern what a hosted model does with a prompt after you send it, but you can govern whether your thinking lives somewhere that never has to be sent. The carve-outs prove the rule by their narrowness — they exist precisely because the default is retention.

Three concrete moves, in order of leverage:

  1. Treat the boundary as a decision, not a habit. Before you paste a note into a hosted assistant, ask whether this specific text needs to cross. Most of it doesn't. The cheapest privacy control is the prompt you don't send. (If you want the model but not the perimeter, you can run AI on your own notes with nothing sent to the cloud.)
  2. Use the documented escapes where they exist, but know their edges. Anthropic's decline-training path keeps the 30-day window instead of five years.7 OpenAI's Zero Data Retention API "never retain[s] the prompts you send or the answers we return," and "Because it is not stored, this court order doesn't affect that data."10 Enterprise and education tiers are carved out of the consumer rules entirely.2 None of these stops safety retention or human review — two different things from training.
  3. Keep the master copy where it never leaves. A note stored locally on your own device, in open Markdown, doesn't have a retention window — because it was never handed to anyone. When you choose to invoke AI on it, you decide what crosses — and you can bring your own key so a single sentence travels, not your whole notebook.

This is the local-first answer, and it's the architectural inverse of the cloud assistant. Steph Ango, who leads Obsidian, frames the underlying principle: "File over app is a philosophy: if you want to create digital artifacts that last, they must be files you can control, in formats that are easy to retrieve and read."11 His shorter version is the whole argument: "Apps are ephemeral, but your files have a chance to last."12

Frequently asked questions

Does what I type into ChatGPT get stored?

By default, yes. Conversations are stored on the provider's servers; unsaved or deleted chats are normally removed on a schedule (about 30 days) "unless legally required" to keep them.2 You can reduce, but not eliminate, this through data-control settings, because some retention is operational and not user-toggleable.8

Is my data used to train ChatGPT or Claude?

Often by default, depending on the provider and tier. Anthropic states it will "train new models using data from Free, Pro, and Max accounts when this setting is on,"5 and opting in extends retention to five years.6 Declining keeps a 30-day window instead.7 Check each provider's data-controls page; the default is not always off.

If I delete a ChatGPT chat, is it really gone?

Usually it's removed within about 30 days, but "delete" is a request to the provider, not a guarantee. In 2025 a court ordered OpenAI to retain even deleted ChatGPT chats and API content that would normally be removed within 30 days.2 That order was later narrowed, but it proves a third party can override your delete.

How do I stop an AI from using my prompts for training?

Most providers offer a data-controls or training toggle; turning it off stops training and, for Anthropic, keeps the shorter 30-day retention.7 The honest caveat: turning off training does not turn off safety retention or human review, which can be operational and apply "on every platform."8 They are separate things.

What happens to my prompts after I send them to an AI?

They cross from your device to the provider's servers. From there they may be retained for a set window, used to train new models if that setting is on, and held 30 days for trust-and-safety review to "detect patterns of misuse."9 What governs them is the provider's policy and applicable law — not your settings alone.

Is there any prompt that's truly private with a hosted AI?

The closest thing is a zero-retention path: OpenAI's Zero Data Retention API "never retain[s] the prompts you send or the answers we return."10 But that's a specific business API, not the consumer chat box. For everyday use, the only text guaranteed not to cross a perimeter is the text you never send.

If files outlast apps, then the most honest question about any tool you think with is not how private it promises to be, but whether your thinking has to leave your own walls to use it at all. To keep the thinking you want to keep in notes that never have to cross that line, mnmnote.com lives in your browser, on your own device.

Footnotes

  1. Kleppmann, M., Wiggins, A., van Hardenberg, P., & McGranaghan, M. "Local-first software: You own your data, in spite of the cloud." Onward! 2019. https://www.inkandswitch.com/essay/local-first/. Accessed 2026-06-20.

  2. OpenAI. "How we're responding to The New York Times' data demands in order to protect user privacy." June 5, 2025. https://openai.com/index/response-to-nyt-data-demands/. Accessed 2026-06-20. 2 3 4

  3. OpenAI. "How we're responding to The New York Times' data demands in order to protect user privacy." June 5, 2025. https://openai.com/index/response-to-nyt-data-demands/. Accessed 2026-06-20.

  4. OpenAI. "How we're responding to The New York Times' data demands in order to protect user privacy" (FAQ). June 5, 2025. https://openai.com/index/response-to-nyt-data-demands/. Accessed 2026-06-20.

  5. Anthropic. "Updates to Consumer Terms and Privacy Policy." August 28, 2025. https://www.anthropic.com/news/updates-to-our-consumer-terms. Accessed 2026-06-20. 2 3

  6. Anthropic. "Updates to Consumer Terms and Privacy Policy." August 28, 2025. https://www.anthropic.com/news/updates-to-our-consumer-terms. Accessed 2026-06-20. 2

  7. Anthropic. "Updates to Consumer Terms and Privacy Policy." August 28, 2025. https://www.anthropic.com/news/updates-to-our-consumer-terms. Accessed 2026-06-20. 2 3 4

  8. Anthropic. "Data retention practices for Mythos-class models." Claude Help Center. https://support.claude.com/en/articles/15425996-data-retention-practices-for-mythos-class-models. Accessed 2026-06-20. 2 3

  9. Amazon Web Services. "Anthropic Claude Fable 5 on AWS: Mythos-class capabilities with built-in safeguards now available." AWS News Blog, June 9, 2026. https://aws.amazon.com/blogs/aws/anthropic-claude-fable-5-on-aws-mythos-class-capabilities-with-built-in-safeguards-now-available/. Accessed 2026-06-20. 2

  10. OpenAI. "How we're responding to The New York Times' data demands in order to protect user privacy" (FAQ). June 5, 2025. https://openai.com/index/response-to-nyt-data-demands/. Accessed 2026-06-20. 2

  11. Ango, S. "File over app." 2023. https://stephango.com/file-over-app. Accessed 2026-06-20.

  12. Ango, S. "File over app." 2023. https://stephango.com/file-over-app. Accessed 2026-06-20.