AI Privacy Checklist: What You Should Never Paste Into a Chatbot


AI chatbots have become everyday tools for writing, research, and problem-solving, but most users have not thought carefully about the privacy implications of what they share in those conversations. An AI privacy checklist is not about avoiding these tools—it is about using them in a way that does not inadvertently expose sensitive information that could cause problems for you or the people you are responsible for protecting.

This guide covers the categories of information you should keep off AI platforms, explains why each category carries risk, and offers practical alternatives for situations where you genuinely need AI assistance with sensitive material.

How AI Chatbots Handle Your Data

Before diving into the checklist, it is worth understanding the general data landscape. Most AI platforms—including major ones like OpenAI’s ChatGPT, Anthropic’s Claude, Google’s Gemini, and others—process your queries on their servers and may use those conversations to improve their models, subject to their privacy policies and your account settings. Policies vary and change, so reviewing the current privacy policy and settings for any AI service you use regularly is worthwhile.

The practical implication is that anything you type into a standard AI chatbot should be treated as potentially visible to the company operating it, retained in their systems for some period, and potentially subject to regulatory requests, data breaches, or policy changes you cannot predict. This does not make these tools dangerous for general use—but it does mean you should apply the same judgment you would to sending information to any third-party service over the internet.

The AI Privacy Checklist: What to Keep Off Chatbots

1. Social Security Numbers and Government ID Numbers

Your Social Security number, national ID number, passport number, or driver’s license number should never appear in an AI chat. These identifiers are the primary keys to identity theft. There is no task requiring AI assistance that legitimately requires you to include your actual government ID numbers in the input. If you are asking for help filling out a form, describe the field without including your real number.

2. Financial Account Numbers and Card Details

Bank account numbers, routing numbers, credit card numbers, and PINs have no place in an AI conversation. If you are asking for help understanding a bank statement or disputing a charge, you can describe the situation in general terms without including your actual account numbers. Redact any account information before pasting financial documents into an AI interface.

3. Passwords and Authentication Credentials

Never paste a password, security question answer, two-factor authentication code, API key, or any other authentication credential into an AI chatbot. Even if your intent is simply to ask a question about password security, use a placeholder like “ExamplePassword123” rather than a real credential. This applies to personal passwords and to credentials for work systems, and it matters all the more because some AI platforms may use conversations for training.

4. Protected Health Information

Medical records, diagnoses, prescription details, insurance claim information, and anything else that identifies a specific person’s health situation falls under the category of protected health information. If you are using an AI to help understand a medical document or draft a message to a healthcare provider, remove names, dates of birth, insurance numbers, and specific diagnostic codes before pasting any text. Use general descriptions (“my doctor recommended X medication”) rather than personal medical records.

5. Other People’s Personal Information

These precautions apply not just to your own data but to information about other people. Pasting a colleague’s performance review, a client’s personal details, a family member’s financial situation, or a friend’s private messages into an AI chatbot exposes someone else’s information to a third-party service without their knowledge or consent. This can create legal liability in professional contexts and is a significant breach of trust in personal ones.

6. Confidential Business and Professional Documents

Internal business documents—financial forecasts, merger discussions, client contracts, strategic plans, proprietary product designs, personnel files—are subject to confidentiality obligations whether or not there is an explicit label on the document. Before pasting any work-related document into an AI chatbot, check whether your employer has a policy on AI tool use with company information. Many organizations have implemented explicit policies restricting this, and violating them can have professional and legal consequences.

7. Legal Documents Containing Sensitive Information

Contracts, legal correspondence, court filings, and settlement documents often contain sensitive personal, financial, or strategic information. If you want AI assistance analyzing a legal document, consider whether you can describe the structure and ask your question without pasting the full text, or whether you can redact sensitive specifics before sharing it.

8. Children’s Personal Information

Personal details about children—names, ages, schools, medical information, photographs—carry specific legal protections in many jurisdictions, including the Children’s Online Privacy Protection Act (COPPA) in the United States. Avoid including identifiable information about children in AI conversations, particularly when the purpose does not require it.

9. Location Information Combined With Identity

While sharing a city name for travel planning is generally benign, combining specific location information with identifying details—your home address, your daily routine, the school your child attends, your employer’s precise address—creates a profile that is more sensitive than either piece in isolation. Be thoughtful about how much combined location-and-identity information you include in any AI conversation.

10. Login Sessions, Browser Cookies, or Session Tokens

If you are using AI tools to help with technical tasks—automating workflows, debugging web applications, building integrations—be careful about pasting session tokens, OAuth tokens, API keys, or browser cookie strings into the chat. These credentials can grant access to your accounts if intercepted and should be handled with the same care as passwords.

Safer Alternatives for Sensitive Tasks

Recognizing these categories does not mean you cannot use AI for tasks that touch on sensitive topics. The practical alternative is usually one of three approaches:

  • Anonymize and generalize. Describe the situation in general terms, replace real names with placeholders, and redact specific numbers. “I received a medical bill for $X that seems higher than expected—how should I dispute it?” is as useful as pasting the actual bill.
  • Use locally-run models for sensitive work. Open-weight models like Meta’s Llama can be run locally on your own hardware, meaning your queries never leave your device. For genuinely sensitive professional tasks, this architecture eliminates the third-party data exposure concern.
  • Review platform privacy settings. Many AI platforms offer settings that disable the use of your conversations for model training. On ChatGPT, for example, you can disable chat history in settings, which also disables the use of those conversations for training. Reviewing and configuring these settings takes only a few minutes and meaningfully changes the data retention picture.
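
The "anonymize and generalize" approach can be partly automated for data that has a recognizable shape. The Python filter below is an added example, not part of the original article; its regular expressions, rule order, and `[REDACTED_*]` placeholder labels are assumptions, and it covers only the government-ID, card-number, and credential/token categories from the checklist.

```python
import re

# Illustrative patterns (assumptions of this example, not an exhaustive detector).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
BEARER = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]{16,}")
SECRET_KV = re.compile(
    r"(?i)\b(password|passwd|api[_-]?key|secret|token|session(?:id)?)\b"
    r"(\s*[:=]\s*)(?!\[REDACTED)(\S+)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _card(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return "[REDACTED_CARD]" if luhn_ok(digits) else m.group(0)

# Order matters: structured tokens first, then key=value secrets, then numbers.
RULES = [
    ("jwt", JWT, lambda m: "[REDACTED_JWT]"),
    ("bearer", BEARER, lambda m: m.group(1) + " [REDACTED_TOKEN]"),
    ("secret", SECRET_KV, lambda m: m.group(1) + m.group(2) + "[REDACTED_SECRET]"),
    ("ssn", SSN, lambda m: "[REDACTED_SSN]"),
    ("card", CARD, _card),
]

def redact(text: str):
    """Return (redacted_text, hit_counts) for a draft prompt."""
    counts = {}
    for label, pattern, repl in RULES:
        def _sub(m, label=label, repl=repl):
            out = repl(m)
            if out != m.group(0):
                counts[label] = counts.get(label, 0) + 1
            return out
        text = pattern.sub(_sub, text)
    return text, counts

# Constructed sample prompt; every value below is fake.
SAMPLE = (
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl\n"
    "api_key = EXAMPLE-NOT-A-REAL-KEY-0000\n"
    "My SSN is 123-45-6789 and card 4111 1111 1111 1111.\n"
    "Order number 1234 5678 9012 3456 is unrelated.\n")
```

Calling `redact(SAMPLE)` returns the cleaned text plus a count of hits per category; the order number survives because it fails the Luhn check. Pattern matching only catches data with a recognizable shape, so names, diagnoses, and confidential documents still need a manual read-through.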

Organizational and Professional Context

If you are using AI tools in a professional context, the privacy checklist extends beyond personal information to include organizational obligations. Most professional roles involve some form of confidentiality expectation—toward clients, toward colleagues, toward the organization itself. AI tools have made it easy to accidentally route confidential information through third-party servers in ways that would not have been possible with traditional software tools.

Many organizations are now developing explicit AI acceptable-use policies. If yours has one, follow it. If yours does not, applying a conservative interpretation—treating AI chatbots like any other cloud-based third-party service—is a reasonable default position until clearer guidance is available.

Reading the Privacy Policy

Privacy policies are not the most engaging reading, but for any AI service you use regularly, it is worth spending 10 minutes understanding the key points: how long conversations are retained, whether they are used for training, how you can delete your data, and what circumstances would lead to disclosure to third parties. The FTC’s privacy and security resources provide useful context for evaluating privacy policy terms and understanding your rights as a consumer.

A Quick-Reference Version of the Checklist

For easy reference, here is the core AI privacy checklist condensed:

  1. No Social Security numbers or government ID numbers
  2. No financial account numbers, card numbers, or PINs
  3. No passwords, API keys, or authentication tokens
  4. No protected health information or medical records
  5. No other people’s personal details without their knowledge
  6. No confidential business documents without verifying your organization’s AI use policy
  7. No sensitive legal documents without redacting identifiable details first
  8. No children’s personal information
  9. No home addresses or personal location data combined with identifying information
  10. No session tokens or OAuth credentials from technical systems

Applying this checklist consistently takes only a moment of pause before pasting text into an AI interface. That brief habit of checking what you are about to share is one of the simplest and most effective data privacy practices available to anyone using these tools regularly.