It is the first question a partner asks, and it deserves a straight answer rather than reassurance. The honest reply is: it depends on which version of the tool you are using and what the document actually contains. The free consumer version of ChatGPT and most other public chatbots are not safe for client work by default. The enterprise and API tiers can be, with the right contract in place. The danger is treating all of these as the same product because they share a name and a chat box.
The reason the distinction matters is that the consumer tier and the enterprise tier are governed by completely different terms. One is built for individuals trying things out. The other is built for organizations with confidentiality obligations. A firm handling client data lives entirely in the second category, and the gap between the two is where most accidents happen.
Why the free tier is not safe by default
On the free and personal-paid consumer tiers, the provider may retain what you type and use it to improve the model unless you actively turn that setting off. That is not a scandal; it is the stated default, and it is how consumer products have always worked. But it means a client's contract, a financial statement, a draft filing or a list of names can become training data, reviewed by people you will never meet, sitting on servers outside your control. For a firm under a confidentiality duty, that is not a hypothetical risk. It is a breach waiting for a careless paste.
Two habits make it worse. The first is that people reach for whatever is open in a browser tab, which is usually the personal account they set up at home. The second is that the convenient tool and the compliant tool are rarely the same thing, so staff quietly choose convenience. The fix is not a memo telling people to stop. It is making the compliant tool the one that is already open.
Why the enterprise and API tiers can be appropriate
The enterprise and API products from the major providers are sold on different terms, and the differences are the entire point. They offer a contractual commitment not to train the model on your data, controls over how long inputs are retained and when they are deleted, options for where data is processed, and confidentiality backed by a signed agreement rather than a checkbox. With those terms documented, putting appropriate client material into the tool becomes a defensible decision instead of a gamble. The word doing the work in that sentence is appropriate.
Verifying those terms is not glamorous, but it is the job. You want the no-training commitment in writing, not implied by a blog post. You want a clear retention and deletion policy you can point to. You want to know which region processes the data. And you want the confidentiality terms in the contract your legal team actually reviewed. A tool that cannot produce these in writing is, for client work, the free tier wearing a logo.
Match the task to the right tier
Not every task carries the same risk, and treating everything as maximum-sensitivity is its own kind of failure: people route around rules that feel absurd. The useful move is to sort tasks by what they actually expose. General questions with no client information in them can live anywhere. Anything touching identifiable client data, financials, legal strategy or personal information belongs on the contracted enterprise or API tier, or stays out of a public model entirely.
- General, non-client questions, learning a tool, drafting boilerplate with no real names or numbers: the consumer tier is acceptable, though the enterprise tier is still tidier.
- Anything containing client names, financial figures, case strategy, contracts, CFDI data or personal data: enterprise or API tier with a documented no-training and retention agreement, never a personal account.
- The most sensitive matters, where even a contracted cloud is more exposure than the client or the matter can bear: a private or on-site deployment, so nothing leaves your control.
Redact, anonymize, and know the hard line
Even on an appropriate tier, good habits reduce exposure. Redaction and anonymization are simple and underused: strip names, account numbers and identifiers before a document goes in, and you have lowered the stakes if anything ever goes wrong. Often the model does not need the real name to do the work; it needs the shape of the problem. Train people to ask what the tool actually requires, rather than pasting the whole file out of habit.
There is also a hard line that does not move regardless of tier. Some material should never enter a public model: data covered by Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (the LFPDPPP), anything protected by professional secrecy, privileged legal communications, and information a client has explicitly told you to keep confined. For that line to mean anything, it has to be written down, named to your sector's duties, and trained into the team until it is reflex rather than a document nobody reads.
When the answer is your own servers
For the most sensitive matters, the right answer is not a better cloud contract but no cloud at all. Open models can run on your own servers or in a private environment, so client data never leaves infrastructure you control. This is not necessary for most work and it carries real cost, so the discipline is deciding where it genuinely earns its keep and where a private enterprise deployment is enough. That judgment, made deliberately, is what lets a firm say yes to AI without saying yes to exposure.
So, is it safe to put client documents into ChatGPT? On the free tier, by default, no. On a properly contracted enterprise or API tier, for appropriately handled material, yes. For your most sensitive matters, the safest answer may be a model that never leaves your building. The skill worth building in a firm is not avoiding the tools. It is knowing, without having to stop and think, which tier a given task belongs to and where the line sits that nothing crosses.
