Introduction
Anthropic’s Claude can be a useful AI tool for businesses, but like any platform that processes company, customer, or employee information, it needs to be reviewed carefully before use. Based on Anthropic’s Privacy Policy, here are the key security and compliance considerations businesses should be aware of.
Note that while this article is specific to Anthropic’s Privacy Policy, the same or similar considerations apply to other AI providers’ consumer products, such as OpenAI’s ChatGPT.
1. The Privacy Policy Covers Consumer Offerings
The Privacy Policy applies to Consumer offerings. It does not apply to Business and Enterprise offerings.
This is an important point: if you are a business, you should be using a Business or Enterprise account for better protection. However, we are seeing customers use Consumer plans without considering security, privacy, or compliance.
Paid Consumer offerings are still Consumer offerings, not Business or Enterprise ones. People assume they are protected because they are paying, but this is not the case.
2. Inputs and Outputs May Be Used for Model Improvement
Anthropic states that user Inputs and Outputs may be used to train and improve its models unless users opt out. Even where opt-out is available, content may still be reviewed or used in some cases, such as safety reviews or when a user submits feedback.
This creates a risk if staff enter sensitive information, including customer data, credentials, source code, contracts, financial records, intellectual property, or regulated information.
3. Third-Party Integrations Can Increase Data Exposure
Claude can integrate with third-party services and, depending on permissions, may access files, retrieve information, send messages, or modify content on behalf of users.
These integrations can create additional risks, especially if permissions are too broad. Businesses should carefully control which connectors are enabled, what data Claude can access, and whether actions taken through integrations are logged and auditable.
4. International Data Transfers Need Review
Anthropic may transfer and process data in the United States and other countries. For New Zealand businesses, and especially those working with Australian, EU, UK, health, legal, financial, or government customers, this may require additional review.
Businesses may need to confirm appropriate contractual safeguards, customer disclosures, privacy impact assessments, and data residency expectations.
5. Data Retention Terms Need to Be Confirmed
The policy says Anthropic retains information for as long as reasonably necessary, but businesses should confirm the exact retention settings that apply to their plan and agreement.
Key questions include:
- How long are prompts, files, and outputs retained?
- Can data be deleted on request?
- How long do backups retain deleted data?
- Are enterprise admins able to control or audit retention?
- Are deleted accounts and workspaces fully removed?
6. Feedback Can Capture Sensitive Conversations
If users provide feedback, such as rating a response, Anthropic may store the related conversation as part of that feedback.
This is easy for staff to overlook. Businesses should train users not to submit feedback on conversations containing sensitive, confidential, or customer information unless that has been explicitly approved.
7. Legal and Government Disclosure Is Possible
Like most cloud providers, Anthropic may disclose information where required for legal, regulatory, safety, fraud prevention, security, or abuse investigation purposes.
This is not unusual, but it matters for organisations with strict confidentiality, sovereignty, or regulated data obligations.
8. Compliance Responsibility Sits With the Business
Anthropic’s policy makes clear that users are responsible for ensuring they have the necessary rights and authority to upload or connect data.
In practice, this means the business carries the risk if staff upload customer data, third-party material, or regulated information without approval.
Recommended Controls for Business Use
Before approving Claude for business use, organisations should consider the following controls:
- Use a business or enterprise plan, not personal accounts
- Confirm model-training opt-out settings contractually
- Review the Data Processing Addendum
- Review subprocessors and hosting locations
- Enable SSO and centralised admin controls
- Restrict third-party integrations and connector permissions
- Define what data can and cannot be entered
- Prohibit credentials, secrets, and highly sensitive data
- Train staff on feedback and file upload risks
- Confirm logging, audit, retention, and deletion options
- Complete a privacy or AI risk assessment for sensitive use cases
Bottom Line
Claude can be suitable for business use, but it should not be adopted casually. The biggest risks are sensitive data exposure, unclear retention, model-training use, third-party connector access, and cross-border data transfer obligations.
For most businesses, the safest approach is to use a managed business plan, lock down permissions, confirm contractual protections, and give staff clear rules about what information can be used with AI tools.