Learn
Data Protection

AI Data Handling Disclosure: What to Tell Your Users

If your app uses AI models (OpenAI, Anthropic, Google, etc.) to process user data, you must disclose this in your privacy policy and ideally in your app UI. Tell users: what data is sent to the AI provider, which provider you use, whether data is used for model training (API data typically is not), and how users can opt out if possible. Transparency builds trust — hiding AI usage erodes it.

Why this matters

AI-powered features are becoming standard in modern apps, but many users are concerned about their data being used to train AI models. Regulations are catching up — the EU AI Act and updated GDPR guidance increasingly require disclosure of AI data processing. Being transparent now positions you ahead of regulatory requirements and builds user trust.

What's at stake

Users who discover their data is being processed by AI without their knowledge feel betrayed. Regulatory scrutiny of AI data handling is increasing rapidly. The builders who disclose AI usage proactively are seen as trustworthy. Those who hide it risk backlash and regulatory penalties.

In detail.

When Disclosure Is Required

You need to disclose AI data handling whenever:

  • User input (text, images, files) is sent to an AI provider for processing
  • AI models analyze user behavior, content, or preferences
  • Generated content is based on or influenced by user data
  • Your app uses AI for moderation, classification, or recommendations

What to Disclose

In Your Privacy Policy

  1. Which AI providers you use — Name them: OpenAI, Anthropic, Google, etc.
  2. What data is sent — Be specific: "User prompts are sent to OpenAI for response generation"
  3. How the provider handles data — Link to their privacy/data policies
  4. Training data usage — Clarify whether user data is used for model training
  5. Data retention — How long the AI provider retains your user data
  6. Opt-out options — Whether users can disable AI features

In Your App UI

Beyond the privacy policy, consider clear in-app disclosure:

  • Label AI-generated content (e.g., "Generated by AI")
  • Show a notice before AI processes sensitive data
  • Provide settings to control AI feature usage
  • Link to your AI data handling section in settings

API vs Consumer AI Services

This distinction is crucial:

API Services (OpenAI API, Anthropic API)

  • Data is NOT used for model training by default
  • Zero data retention policies available
  • You have a Data Processing Agreement (DPA)
  • Most appropriate for production apps

Consumer Services (ChatGPT, Claude.ai)

  • Data MAY be used for model training unless opted out
  • Less suitable for processing customer data
  • Users should be aware their data goes through consumer services

Practical Steps

  1. Audit your AI integrations — List every AI service your app calls
  2. Review provider data policies — Check OpenAI, Anthropic, etc. for current terms
  3. Update your privacy policy — Add an "Artificial Intelligence" section
  4. Add in-app notices — Label AI features and generated content
  5. Offer controls — Let users disable AI features when possible
  6. Choose API over consumer — Use API endpoints with zero-retention for user data

Note: This is general guidance, not legal advice. AI regulation is evolving rapidly — consult a legal professional for your specific situation.

Use AI features transparently and responsibly

  • Guidance on AI disclosure requirements for builder apps
  • Privacy-first AI integration recommendations
  • Templates for AI data handling sections in privacy policies
Get started with BWORLDS

Keep learning.

Related topics

do i need a privacy policycan i store client data in my appgdpr for small appsis it legal to store customer datawhat happens if i lose customer data

Frequently asked questions.

No. OpenAI API data is not used for model training by default as of March 2023. This is stated in their API data usage policy. Consumer products like ChatGPT may use data for training unless users opt out, but the API has a zero data retention option. Always use the API for processing customer data, not consumer products.

Under GDPR, processing user data with AI requires a legal basis — typically consent or legitimate interest. The safest approach is explicit consent: inform users during signup that AI processes their data and let them agree. Include details in your privacy policy and provide an opt-out mechanism.

If the AI processes user data (even internally for moderation, categorization, or analysis), you should disclose it. If the AI only processes internal operational data that contains no user personal data, disclosure is not legally required but is still good practice.

Not yet, but best practices are emerging. The EU AI Act requires labeling AI-generated content. Many companies add an "Artificial Intelligence" section to their privacy policy. In-app, use clear labels like "AI-generated," "Powered by AI," or "This feature uses AI to process your input." Consistency and clarity matter more than format.