Data Privacy and Client Confidentiality: What Can Be Shared, What Cannot, Especially with AI Tools

Published

10 Jun 2026

Author

Akash Shakya

The fastest way to destroy client trust is to be careless with their data. The second fastest is to be unable to explain how you protect it. This article gives you both the practices and the vocabulary.

Editorial note: Founder quotes throughout this article are composites drawn from multiple EB Pearls engagements. The numbers and decisions are real. Identifying details have been changed.

Why We Wrote This

AI tools have created new data privacy questions that most founders and development teams are not equipped to answer. Can I paste client data into an AI tool? Can I use client data to train a model? What happens to the data after the AI processes it? This article provides clear, practical answers based on current Australian privacy law, international best practices, and EB Pearls' own data handling policies as an ISO 27001 certified organisation.

Introduction: Why Data Privacy Is a Business Risk, Not Just a Compliance Task

Data privacy is not a checkbox. It is a trust asset. Clients who trust your data handling become long-term partners. Clients who discover careless data handling become ex-clients and, in worst cases, regulatory complainants.

The Office of the Australian Information Commissioner (OAIC) reported a 26% increase in notifiable data breaches in 2023, with the health and finance sectors most affected. The Australian Privacy Act reforms (currently in progress) are expanding obligations for all organisations that handle personal information, including mandatory privacy impact assessments and increased penalties.

For software development teams that use AI tools, the privacy landscape has a new dimension: data sent to AI APIs may be stored, logged, or used for model training depending on the tool's terms of service. Understanding these terms is not optional. It is a professional obligation. Related reading: a complete AI strategy for custom software.

"A developer on our team pasted a client's database schema, including column names that revealed the data structure of their customer records, into a consumer AI tool to get help with a query optimisation. The client's security team discovered the paste in a routine audit of AI tool usage logs. The client escalated to their legal team. We spent 3 weeks on incident response, even though the data was structural, not personal. The reputational cost was significant. We now have a strict policy: enterprise-tier AI tools only, with approved data classifications."

Data Classification: What Can and Cannot Be Shared

Data Classification	AI Tool Rules
Public: marketing materials, published content, public APIs	Can be used with any AI tool. No restrictions.
Internal: architecture docs, non-sensitive code, process documents	Can be used with enterprise-tier AI tools under NDA and data processing agreement.
Confidential: client business logic, proprietary algorithms, contracts	Enterprise-tier AI tools only. Anonymise where possible. Audit trail required.
Restricted: PII, financial data, health records, authentication credentials	Never enter into any AI tool without explicit client consent and contractual coverage. Use synthetic data instead.

AI Tools and Data Privacy: The Practical Reality

Consumer AI Tools (Free Tiers)

ChatGPT free tier, Claude free tier, Gemini free tier. These tools may use your inputs for model training unless you opt out (and opt-out mechanisms vary). Data retention policies are opaque. There is no contractual data protection.

Rule: Never use consumer AI tools for any data classified as Internal, Confidential, or Restricted. Ever.

Enterprise AI Tools (Paid/API Tiers)

OpenAI API, Anthropic API, Google Cloud AI, Azure OpenAI. These offer contractual guarantees: no training on your data, defined retention periods, data processing agreements, and compliance certifications (SOC 2, ISO 27001). For more on this, see how to be investor-ready.

Rule: Use enterprise-tier tools for Internal and Confidential data under appropriate contractual protections. Restricted data requires additional safeguards (encryption, anonymisation, specific client consent).

Self-Hosted AI Models

Running models on your own infrastructure (or your client's infrastructure). Data never leaves the controlled environment. Maximum privacy but higher infrastructure cost and operational complexity.

Rule: Required for Restricted data in regulated industries (health, finance, government) where data sovereignty is a legal requirement.

Non-Obvious Truth: The Terms of Service Are the Privacy Policy

Every AI tool has terms of service that define what happens to your data. Read them. Specifically: Does the provider use your inputs for model training? What is the data retention period? Where is the data stored (jurisdictionally)? Can the provider access your data for support or debugging? The answers to these questions determine whether the tool is appropriate for your data classification.

Client Confidentiality in Development

NDAs Before Access
Every team member who accesses client data signs an NDA. This includes developers, designers, QA, and project managers. At EB Pearls, NDAs are signed before project kickoff, not after.
Synthetic Data for Development
Production data should never be used in development or testing environments. Create synthetic data that mirrors the structure and edge cases of real data without containing any actual client information.
Access Controls and Audit Logs
Role-based access control (RBAC) ensures each team member has the minimum access required for their role. Every access to production data is logged. Logs are reviewed monthly. For more detail, see AI flows: Vibe Code vs. Agents.
Secure Communication Channels
Client data is never shared via email, Slack DMs, or unsecured file sharing. Use encrypted channels and approved collaboration tools with enterprise-grade security.
Data Disposal at Engagement End
When an engagement concludes, all client data is returned or destroyed within 30 days. Confirmation of destruction is documented and provided to the client.

"We have a rule at EB Pearls: if you cannot explain to the client exactly where their data is, who has access, and what happens to it when we are done, we have failed. ISO 27001 certification is not a badge on our website. It is an operational discipline that governs every data handling decision, from the way developers access staging environments to the way we dispose of data when a project ends." For more detail, see EB Pearls' AI service line.

The Privacy Framework for AI-Augmented Development

ISO 27001

EB Pearls security certification

30 days

Breach notification window (OAIC)

0

Client data in consumer AI tools

26%

YoY increase in AU data breaches (2023)

Common Mistake: Assuming Your AI Vendor's Compliance Covers You

If your AI vendor is SOC 2 certified, that covers their infrastructure. It does not cover how your team uses their tool. You are responsible for: which data you send, which employees have access, and whether you have appropriate consent. Vendor compliance is necessary but not sufficient.

Data classification scheme implemented (public, internal, confidential, restricted)
Enterprise-tier AI tools selected with data processing agreements
Consumer AI tool usage policy: prohibited for all non-public data
Synthetic data used for development and testing environments
NDAs signed before project access for all team members
Role-based access controls and audit logs in place
Incident response plan documented and tested
Data disposal process defined for engagement end
Client-facing privacy documentation current and accurate

Frequently Asked Questions

Can I use client data to train AI models?

Almost certainly not without explicit contractual permission. Most service agreements and privacy policies do not grant the right to use client data for model training. This requires a specific, separate consent that details what data is used, how, and with what safeguards.

Is it safe to paste client data into ChatGPT or Claude?

Consumer versions (free tiers) may use data for training. Enterprise/API versions typically do not. Always use enterprise-tier AI tools with contractual data protection guarantees when handling client data. Never paste sensitive data into consumer AI tools.

What data can I share with an offshore development team?

Data necessary for development, under NDA and appropriate contractual protections. Minimise the data shared: use synthetic data for development/testing, restrict production data access to those who need it, and audit access logs.

Do I need to comply with GDPR if I am in Australia?

If you process data of EU residents, yes. If your product is Australia-only, the Australian Privacy Act (and the proposed Privacy Act reforms) applies. The principles are similar: collection limitation, purpose limitation, security, and individual rights.

How do I handle a data breach?

Australian law (Notifiable Data Breaches scheme) requires notification to affected individuals and the OAIC within 30 days of becoming aware of an eligible breach. Have an incident response plan before you need one.

Free Founder Resources

Data Classification Template (Notion)
A pre-built framework for classifying your data and defining handling rules for each classification level.
AI Tool Evaluation Checklist (PDF)
10 questions to ask before using any AI tool with non-public data: training policy, retention, jurisdiction, compliance certifications.
Privacy Policy Template for Software Products (Google Docs)
A starting template for Australian software products covering collection, use, disclosure, storage, and individual rights.

Final Thought

Data privacy is not a constraint on innovation. It is a competitive advantage. Clients choose partners they trust with their data. The founders and development teams who build rigorous privacy practices earn that trust and keep it.

The data you protect carefully is the trust you build permanently. The data you handle carelessly is the client you lose instantly.

Akash Shakya Chief Operating Officer and Co-Founder

Discover app development insights and AI trends with Akash Shakya, COO of EB Pearls. Learn how we build successful digital products.

Start your project with the right foundations

Book a Free Consultation

5.0

Most of the decisions that determine long-term product success are made in the first few weeks. Book a discovery call and we'll show you exactly what Built to Last™ looks like applied to your project.