I Reviewed 50 Companies' AI Privacy Policies. Most of Them Aren't Telling the Whole Story.
Over the past month I looked at the privacy policies and data handling pages of 50 B2B SaaS companies that advertise AI-powered features. Support summarisation, document analysis, intelligent search, AI assistants, the usual.
The pattern was remarkably consistent:
What they say: "Your data is never used to train our models." "We take privacy seriously." "Enterprise-grade security."
What they don't say: Whether your data is sent to a third-party LLM provider. What that provider's data handling policies are. Whether PII is stripped before the data reaches the LLM. How long the LLM provider retains your prompts.
Of the 50 companies I reviewed:
- 43 used a third-party LLM API (OpenAI, Anthropic, or Google)
- Only 11 mentioned this explicitly in their privacy policy
- 7 mentioned PII handling in their AI pipeline
- 3 described any form of data sanitisation before LLM processing
- 0 provided a technical description of how PII is stripped
The rest relied on the LLM provider's enterprise terms (which typically include some period of prompt retention for abuse monitoring; check the current terms for your specific provider) and their own vague assurances.
Why This Matters
When company A says "your data is secure," and company A sends your support tickets to OpenAI for summarisation, and the LLM provider retains those prompts for a period under their terms of service, and those prompts contain your customers' names, emails, and addresses, is that "secure"?
Technically, maybe. Legally, it's complicated. Practically, it's a chain of trust that your customers probably don't know about and definitely haven't consented to.
The Emerging Competitive Advantage
Here's the thing: the 3 companies that did describe PII sanitisation in their AI pipeline all mentioned it as a differentiator. They weren't hiding from the question; they were using it to win deals.
"Unlike competitors, we strip all personally identifiable information before any data reaches our AI models" is becoming a sales advantage in enterprise deals. Security questionnaires are starting to ask specifically about AI data handling. Compliance teams are learning to ask "do you send our data to a third-party AI provider?"
What You Can Do Today
If you're building AI features that process customer data, adding a PII sanitisation step before your LLM calls gives you:
- An honest privacy policy ("PII is removed before data reaches our AI provider")
- A clear answer for security questionnaires
- A technical control you can demonstrate to compliance teams
- A competitive advantage over the 47 out of 50 companies that can't say the same
# One API call before your LLM call
import requests

# raw_data is the text you were about to send to the LLM (a ticket, a document, a query)
response = requests.post(
    "https://api.comply-tech.co.uk/api/v1/anonymise",
    headers={"X-Api-Key": "your-api-key", "Content-Type": "application/json"},
    json={"content": raw_data, "contentType": "text", "strategy": "Redact", "frameworks": ["GDPR"]},
    timeout=10,
)
response.raise_for_status()  # fail closed: never fall through to the LLM with unredacted data
clean_data = response.json()["anonymisedContent"]
Try It
curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \
  -H "X-Api-Key: demo-key-complytech" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Please summarise this ticket: Customer Tom Wilson (tom@gmail.com, +447700900123) wants a refund for order #9182 shipped to 7 King St, London EC2V 8AQ",
    "contentType": "text",
    "strategy": "Redact",
    "frameworks": ["GDPR"]
  }'
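As an added example that is not part of the original post or the comply-tech API, this is what a minimal in-process version of the same sanitisation gate looks like: typed placeholders replace each PII value so the LLM still has enough structure to summarise, a second pass refuses to send anything that still looks like PII, and the per-type counts are the audit evidence you hand a compliance reviewer. The ticket text is constructed from the curl example above; the regexes, the UK-only phone and postcode rules and the function names are illustrative assumptions.

```python
import re

# Constructed sample ticket, modelled on the page's curl example (not real customer data).
SAMPLE_TICKET = (
    "Please summarise this ticket: Customer Tom Wilson (tom@gmail.com, +447700900123) "
    "wants a refund for order #9182 shipped to 7 King St, London EC2V 8AQ"
)

# Typed placeholders keep enough structure for the LLM to summarise the ticket without
# seeing the values. The regexes are illustrative assumptions (UK numbers, UK postcodes);
# a production pipeline would back them with an NER model and per-field validators.
PII_PATTERNS = [
    ("NAME", re.compile(r"(?<=\bCustomer )[A-Z][a-z]+(?:\s[A-Z][a-z]+)+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+44\s?\d{9,10}|0\d{9,10})(?!\w)")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
    ("ADDRESS", re.compile(r"\b\d{1,4}\s+[A-Z][a-z]+\s+(?:St|Street|Rd|Road|Ave|Avenue|Lane)\b")),
    ("ORDER", re.compile(r"#\d{3,}")),
]

# Broad "smell" checks for the gate: cheap tests that catch what the typed patterns missed.
LEAK_CHECKS = [
    ("email-like", re.compile(r"@")),
    ("long-digit-run", re.compile(r"\d{7,}")),
]

def redact(text):
    """Replace each PII match with [LABEL]; return the clean text plus per-type counts."""
    counts = {}
    for label, pattern in PII_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts

def residual_pii(text):
    """Second pass: every typed pattern or smell check that still matches."""
    return sorted(label for label, pattern in PII_PATTERNS + LEAK_CHECKS if pattern.search(text))

def prepare_prompt(raw_ticket):
    """The gate at the trust boundary: redact, then refuse to send anything that still
    looks like PII. Fail closed rather than fall through to the LLM provider."""
    clean, audit = redact(raw_ticket)
    leftovers = residual_pii(clean)
    if leftovers:
        raise ValueError(f"refusing to send prompt, PII still present: {leftovers}")
    return clean, audit

if __name__ == "__main__":
    print(*prepare_prompt(SAMPLE_TICKET), sep="\n")
```

A non-UK number such as +15550123456 is missed by the typed PHONE rule but caught by the long-digit-run check, so the gate raises instead of letting it through.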
Be one of the 3, not the 47
Add PII sanitisation to your AI pipeline and mean it when you say "we take privacy seriously."