Paste is a data transfer
A chat box looks like a text editor. Private, local, yours.
It is a form submission to a third-party server. Everything you type is sent, processed, and retained under terms you agreed to and didn't read.
Which tool you're in decides everything
The model behaves identically. The contract does not.
- Consumer tier — often trains on your conversations by default, retention you don't control, no data processing agreement, no defined jurisdiction. Fine for public information. Not fine for anything else.
- Enterprise / API tier — typically no training on your data, contractual retention limits, a DPA, often a choice of region.
That's the difference that matters legally, and it's usually already available at your company. People reach for the consumer tab out of habit, not necessity.
Two things that catch people out
Deleting the chat is not deleting the data. It removes it from your view. Provider-side retention, backups, and any abuse-monitoring copies run on their schedule, not your click.
"Don't train on this" is not a control. It's a request to a text predictor. Retention and training are decided by your contract and the provider's infrastructure long before the model reads a word. The model has no authority over the systems around it — it can only produce a sentence agreeing with you.
And the one that stings: a leak into a consumer tool is usually unrecoverable. You can't un-send it. You can't audit where it went. If it's personal data under GDPR, you may have a notification obligation with a clock on it.
There's no incident response for this. Only prevention.