Is it safe to put customer details into ChatGPT?
Not on a free or Plus account. Those are personal products that can use what you type to train OpenAI's models, and under UK GDPR you stay responsible for the data. It is reasonably safe on ChatGPT Business, Enterprise or the API, where OpenAI does not train on your data and will sign a data processing agreement.
Last updated 11 June 2026
You can save hours pasting a customer's email thread into ChatGPT and asking for a reply. The worry is what happens next: does it remember the customer's details, and have you just handed personal data to a US tech company without permission? That worry is half right. ChatGPT does not "remember everything" in the way people fear, but on the wrong account type your customer's details can end up in OpenAI's training data, and under UK GDPR that is your problem, not OpenAI's.
Which ChatGPT are you actually using?
This is the whole question, and most people have never checked.
Free, Plus and Pro are personal products. On those accounts, model training is on by default: what you type can be used to improve OpenAI's models. You can turn it off in Settings, under Data Controls, with the "Improve the model for everyone" toggle, but the switch only covers new chats. Anything already used in a completed training run stays used.
ChatGPT Business, Enterprise and the API are different products with different rules. On those tiers OpenAI does not train on your data by default and will sign a data processing agreement, the DPA your accountant or solicitor keeps mentioning. That agreement is what gives you something to show the ICO if anyone ever asks how your customers' data is handled.
The trap is the word "paid". Plenty of owners assume Plus is the business version because money changes hands. It is not. It is the personal version with a faster queue, and it trains on your inputs unless you switch that off.
Why this is your problem and not OpenAI's
Under UK GDPR you are the data controller for your customers' information. Paste it into any third-party tool and that tool becomes a processor acting on your behalf, and the duty to choose a safe one sits with you. If it goes wrong, the fine lands on your business. The full treatment of lawful basis, DPAs and what the ICO expects is in our guide to AI and GDPR for UK small businesses; this page is the short answer.
What to do this week
- On Free or Plus: turn off "Improve the model for everyone" today, and strip names, email addresses and anything identifying before you paste. Ask for a reply to "a customer chasing a late delivery", not to Mrs Patel of 14 Acacia Avenue.
- If your team touches customer data in ChatGPT weekly or more: move to ChatGPT Business and sign the DPA. The toggle on a personal account is better than nothing, but it is not a paper trail.
- Find out which accounts your staff are using. The riskiest setup in most small businesses is not the owner's account, it is an employee quietly pasting the customer list into their own free login.
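A way to do the "strip names, email addresses and anything identifying" step from the first item before anything is pasted. This is an added example, not part of the original article. The regex patterns, the `known_names` list (names taken from your own customer records), the placeholder tokens and the sample message are all assumptions made for illustration.

```python
import re

# UK-oriented patterns chosen for this example; they are not a complete PII
# detector, so read the output before pasting it anywhere.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+44\s?|0)\d(?:[\s-]?\d){8,9}\b")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I)),
    ("ADDRESS", re.compile(
        r"\b\d{1,4}[A-Za-z]?\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Avenue|Road|Street|Lane|Close|Drive|Way|Court|Crescent)\b")),
]


def redact(text, known_names=()):
    """Return (redacted_text, counts). known_names comes from your own customer list."""
    counts = {"CUSTOMER": 0}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        counts[label] = n
    # Longest names first so "Priya Patel" is replaced before a bare "Patel".
    names = sorted((n for n in known_names if n.strip()), key=len, reverse=True)
    if names:
        name_re = re.compile(r"\b(?:" + "|".join(map(re.escape, names)) + r")\b", re.I)
        text, counts["CUSTOMER"] = name_re.subn("[CUSTOMER]", text)
    return text, counts


def residual_risks(text):
    """Cheap last check for things the patterns may have missed."""
    risks = []
    if "@" in text:
        risks.append("possible email address left in text")
    if re.search(r"\d{6,}", text):
        risks.append("long digit run (account, order or phone number?)")
    return risks


# Constructed sample message; every detail in it is made up.
SAMPLE = (
    "Hi, this is Mrs Patel of 14 Acacia Avenue, XX1 2YZ. My order is two weeks "
    "late. Call me on 07700 900123 or email priya.patel@example.co.uk. "
    "Regards, Priya Patel"
)

if __name__ == "__main__":
    clean, counts = redact(SAMPLE, known_names=["Mrs Patel", "Priya Patel"])
    print(clean)
    print(counts, residual_risks(clean))
```

Names are only caught if they are in `known_names`, so a name the list does not contain will pass through untouched.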
I use AI on customer data every working day, and I still would not put a client's email thread into a free ChatGPT account. Not because disaster is certain, but because the safe setup takes one afternoon and being lazy about it is the only way this goes wrong.
Answered by Dean Cookson, Founder and CEO at Operosus.