Quick answer
When your team pastes client information into a typical cloud AI tool, that text travels to servers the vendor controls, under terms you did not negotiate, and some consumer tools may use it to improve their models. The private alternative is an AI employee that runs on a machine in your own office, where client data stays on your network because it physically cannot leave the building.
The question nobody asks before they paste
A staff member is staring at a long, messy email thread from a client. The deadline is today. There is a free AI tool open in the next browser tab. So they copy the whole thread, names and account details and all, paste it into the chatbot, and type "summarize this and draft a reply." Thirty seconds later they have a clean answer. Nobody stopped to ask the only question that matters here: where did that client's information just go?
This is not a story about a careless employee. It is what efficient, well-meaning people do under pressure when the convenient tool is right there. The problem is that the convenient tool was never designed to keep your client data inside your firm. The stakes are not hypothetical. In IBM's 2025 Cost of a Data Breach Report, the global average breach reached $4.44 million.
Three places your data can end up
When information leaves the keyboard, it lands in one of three very different places. The difference between them is the whole story.
- Your own device. If the AI runs locally, on a machine you own and control, the text never crosses your office network boundary. This is the safest case, and the rarest one for the average free tool.
- A vendor's cloud you do not control. Most AI tools route your client data through servers you do not control, under terms you did not negotiate. The text is processed on someone else's hardware, in a data center you will never see, governed by a policy you clicked past.
- A training set. Depending on the tool and the plan, the text your team typed can become raw material the vendor uses to improve a future model. Once it is in that pipeline, it is no longer just yours.
Most owners assume the first case. In practice, for ordinary consumer chatbots, it is usually the second, and sometimes the third. That gap between what people assume and what actually happens is exactly the exposure worth caring about. If you want the plain version of the safest case, here is what on-prem AI is.
The unmanaged version of this has a price tag. IBM found that breaches involving shadow AI, the unsanctioned AI tools employees adopt without approval, cost an average of $670,000 more. And this is not a fringe problem: IBM also reported that 13% of organizations had a breach involving an AI model or application, and roughly two-thirds had no AI governance policy in place.
"May" is the word that should worry you
Read the terms behind a typical consumer AI tool and you keep hitting the same small word: may. Consumer AI tools may use what your team types to train their models. They may retain it for some period. They may share it with sub-processors. "May" is not a promise. It is a reservation of the vendor's right to do the thing, on their schedule, for their benefit, with notice that lives in a document almost no one reads.
This is not a strawman. By default, OpenAI may use content from personal ChatGPT accounts to improve its models unless you opt out; its business and enterprise tiers are excluded, as the company spells out in its own documentation on how your data is used. The default matters, because the default is what a rushed staff member gets.
Two facts make this harder than it first looks. First, you did not negotiate the terms. A small firm clicking "I agree" on a free or low-cost tool has zero leverage over how its clients' information is handled. Second, and this is the one that should sit with you: you cannot un-send data to the cloud. Once a client's name, account number, or sensitive detail has crossed into a system you do not control, there is no recall button. You can stop using the tool tomorrow. You cannot reach back into someone else's servers and pull the text out.
That asymmetry is the reason this question deserves a real answer instead of a shrug. The downside is one-directional and permanent.
The private alternative: keep the AI in your building
There is a different way to get the same drafting and summarizing help without sending your clients' information anywhere. Instead of a tab pointed at someone else's cloud, you put a private AI employee on a small dedicated machine that sits on your own office network. The models run locally, on that box. The work your team needs, drafting replies, summarizing long threads, processing intake, happens on hardware you own.
The point is not a stronger privacy policy. The point is that there is nothing to send. When the AI runs on a machine in your building, client data has no path to a vendor cloud by default. We call this private by physics, not by policy. A promise can be revised in a terms-of-service update you never see. A machine in your office ends the conversation, because the data has nowhere to go.
What "stays in your building" actually means
That phrase is easy to say and worth pinning down. Here is what it means concretely in the system we install, and how we verify it:
- At install, we verify that no client content leaves your network in the default configuration, and we document how we checked. Possession and a clear record, not a slogan.
- The only thing that reaches us is management telemetry: system health, software versions, and how deep the work queue is. Never client content. We watch the box, not what it reads.
- You own the hardware, the models, and the credentials. It is your box. If you end the engagement, the machine and everything on it stay with you.
- A person on your team approves every outbound action. The AI never sends on its own, and that gate is enforced by the system, not left to discipline. The same reason a person approves every send is the reason nothing reaches a client that your team did not see.
One honest note. The default configuration runs local models, and no client content leaves your network. If a particular workload ever calls for a cloud-assisted setup, that is optional, opt-in, and spelled out in the engagement letter before anything changes. We will never quietly route your clients' data to the cloud and call it local.
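The claims in this section can be checked from the customer's side of the network. The following is an added example, not the vendor's verification procedure or code: it audits outbound flow records for the AI machine, flagging any destination outside the office network other than the telemetry endpoint, and telemetry volume too large to be health data. The record format, addresses, endpoint and byte budget are all assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example (none come from the article):
OFFICE_NET = ipaddress.ip_network("10.0.5.0/24")   # the firm's LAN
AI_BOX = "10.0.5.20"                               # the on-prem AI machine
TELEMETRY = {("203.0.113.10", 443)}                # vendor management endpoint
TELEMETRY_BUDGET = 64 * 1024                       # bytes per audit window

# Constructed flow records: "src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
10.0.5.20 10.0.5.1 53 120
10.0.5.20 10.0.5.31 445 88211
10.0.5.20 203.0.113.10 443 2048
10.0.5.20 198.51.100.77 443 5242880
10.0.5.44 198.51.100.77 443 900
10.0.5.20 203.0.113.10 443 90000
garbled line
"""

def audit_egress(flow_text):
    """Return (line_no, reason) findings for traffic leaving the office network."""
    findings, telemetry_bytes = [], 0
    for line_no, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, port, sent = line.split()
            dst_ip, port, sent = ipaddress.ip_address(dst), int(port), int(sent)
        except ValueError:
            # A record we cannot read is a gap in the evidence, not a pass.
            findings.append((line_no, "unparseable record"))
            continue
        if src != AI_BOX or dst_ip in OFFICE_NET:
            continue  # another host, or traffic that stayed on the LAN
        if (dst, port) not in TELEMETRY:
            findings.append((line_no, f"unapproved destination {dst}:{port}"))
            continue
        telemetry_bytes += sent
        if telemetry_bytes > TELEMETRY_BUDGET:
            # Health and version data is small; volume suggests content.
            findings.append((line_no, f"telemetry volume {telemetry_bytes} over budget"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_egress(SAMPLE_FLOWS):
        print(f"record {line_no}: {reason}")
```

Flow records show where bytes went, not what they contained, so the volume budget is only a coarse signal; an empty result on records captured at the firm's own firewall is the evidence to keep alongside the install documentation.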
Four questions to ask any AI vendor
Whether you talk to us or anyone else, these four questions cut through the marketing fast. If a vendor cannot answer all four cleanly, you have your answer.
- Where does my data physically go? You want a specific place, not a gesture at "the cloud."
- Can I keep it on my own hardware? If running it on a machine you own is not even an option, that tells you how the product was built.
- Do you ever use my data to train anything? Listen for a flat no, not a "may."
- Can a person approve before anything sends? The answer should be yes, with approval on by default and impossible to quietly switch off.
The short version
When your team uses a typical AI tool, your client data goes to servers you do not control, under terms you did not negotiate, and it may be used to train a model you will never see. You cannot un-send it. The alternative is to keep the AI in your building, on a box you own, where the data stays put because it physically cannot leave. Private by physics, not by policy. That is the difference, and it is the difference that lets you sleep.