If an AI learns from your prompts, how much of your world is it taking with it? Incogni’s 2025 AI privacy ranking offers a sobering snapshot of which large language model (LLM) platforms collect the least, explain the most, and share the fewest breadcrumbs about your usage.
Quick facts from Incogni’s report
- Incogni evaluated nine major LLM/GenAI platforms against eleven privacy criteria, including training data usage, transparency, and data-sharing practices.
- Top privacy scorers: Le Chat (Mistral AI) ranked first, ChatGPT (OpenAI) second, and Grok (xAI) third.
- Le Chat: minimal data collection and easy opt-outs; some policy details could be clearer.
- ChatGPT: transparent policies with a clear prompt-training explanation and an opt-out mechanism; caution flagged around training data sources.
- Grok: overall strong but loses points on transparency and the amount of collected data.
- Most invasive group: Meta AI ranks worst; Incogni says prompts may be shared with affiliates/researchers, no opt-out for training, and collection of location/phone data via apps.
- Gemini (Google) and Copilot (Microsoft): broad, complex policies; Incogni notes there are no easy opt-outs and data sharing with ads/services.
- DeepSeek and Pi AI: unclear opt-outs, data sharing within corporate groups, and vague policies.
- Policy style: larger companies tend to have complex, expansive privacy docs; smaller labs like Mistral and Anthropic often use concise FAQs for clarity.
- App privacy: Incogni flags Meta AI for extensive tracking/sharing; Copilot is cited for a “zero data” claim on Android that the report views skeptically.
- If privacy is critical, Incogni suggests prioritizing Mistral, ChatGPT, or Grok.
- Full details and dataset: Incogni’s methodology and public dataset.
Why this matters for developers and engineers
At AI Tech Inspire, the question that keeps coming up is simple: what happens to your prompts? Whether you’re prototyping a TensorFlow or PyTorch pipeline, deploying an agent that calls internal APIs, or fine-tuning a GPT-class model, your inputs can be sensitive—customer PII, code secrets, or strategic documents. Incogni’s scorecard highlights three levers that materially affect risk:
- Prompt training opt-outs: Can you prevent your prompts from being used to improve models?
- Transparency: Are data uses and retention winced-over in legalese or clearly explained in product docs/FAQs?
- Data-sharing scope: Do prompts or telemetry get shared across affiliates, researchers, ads, or other services?
Incogni’s top-line: platforms with clear controls and minimal collection earn trust; broad policies and cross-service sharing don’t.
For teams building with hosted LLMs, these differences can change your architecture. If prompts might be used for training and widely shared, you’ll likely increase redaction, switch to retrieval-augmented generation (RAG), or move certain workloads on-prem. If your provider offers an opt-out or a “no training” API tier, you may keep your existing workflow with tighter request hygiene.
The leaderboard through a privacy lens
Incogni places Le Chat (Mistral AI) at the top for keeping data collection lean and providing a straightforward opt-out. ChatGPT (OpenAI) follows closely, as Incogni credits its explicit documentation about prompt training and opt-out pathways, while reminding readers to scrutinize training data sources. Grok (xAI) lands third—solid overall but dinged for transparency and volume of collected data.
On the other end, Meta AI is flagged as most invasive, with Incogni pointing to shared prompts, no training opt-out, and app-level collection such as location and phone data. Gemini and Copilot are criticized for broad policy language, a lack of easy opt-outs, and data flows associated with ads/services. DeepSeek and Pi AI reportedly keep their policies vague with unclear opt-outs and intra-group data sharing.
One meta-observation from the report: large corporate ecosystems often center privacy explanations inside multi-product, multi-vertical policies. In contrast, smaller AI companies and certain research-first labs (Incogni highlights Mistral and Anthropic) frequently use tighter FAQs that map actions to implications, which helps teams thread privacy into engineering decisions.
Practical moves: building with privacy in mind
Here’s a compact checklist that teams have been adopting as privacy requirements sharpen. Consider it a starting point to operationalize the report’s findings:
- Choose models with clear opt-outs: Prefer providers that let you disable training on your prompts or provide a formal “no training” tier.
- Use RAG over fine-tuning for sensitive data: Keep proprietary text in your vector store; send only short queries. If you fine-tune, isolate datasets and add strict access controls.
- Minimize PII: Tokenize or redact secrets before sending. For example:
{ "api_key": "***redacted***" }. - Set explicit headers or flags where available. Some APIs support data collection preferences, e.g.:
X-Data-Collection-Opt-Out: 1. - Separate concerns: Route analytics and LLM traffic differently. If analytics are needed, aggregate at source and remove identifiers.
- Log safely: Scrub prompts in server logs. Rotate and minimize logs; store only what you need for debugging, then purge.
- Threat-model affiliates: If policies mention sharing with “affiliates” or “partners,” assume your data could move beyond the product boundary.
For users of Hugging Face ecosystems, enterprise-hosted endpoints can keep data localized. Teams training with GPUs should review how telemetry and drivers are configured in their CUDA stacks, since ops data can leak usage patterns even when prompts are locked down.
Examples: from prototype to production
Scenario 1: Prototyping a code assistant
If you’re building a code helper that ingests repo snippets, Incogni’s ranking nudges you toward providers with a clear “no training” pathway. Use RAG: index your private code and send only function-level contexts. Send prompts with masked secrets. Consider local embeddings or on-prem inference for the vector index. If the product has a settings path like Settings → Data Controls → Opt out, turn it on for every environment.
Scenario 2: Customer support summarization
When summarizing tickets, minimization is king. Strip names and emails client-side; hash identifiers; store just the summary. If your model option doesn’t provide opt-out, weigh a provider switch or migrate the workflow to an internal endpoint running an open model variant.
Scenario 3: Creative workflows
For image pipelines (e.g., Stable Diffusion) mixed with text prompts, apply the same principles: redact PII in prompts, configure private inference endpoints, and check model TOS for training reuse clauses.
Reading the fine print without losing a weekend
Incogni’s report implicitly suggests a playbook for parsing policies:
- Scan for data retention windows and the existence of a data deletion process.
- Confirm whether training on prompts is on by default and how to opt out.
- Look for affiliate/partner sharing; this is where scope often expands.
- Check if ads personalization can influence data handling.
- Prefer product docs/FAQs that restate legalese in operational terms.
Document these details near your code, right where developers make calls. Even a tiny snippet helps keep behavior intentional:
// policy-notes.md
Provider: Example LLM
training_on_prompts: false
retention_days: 30
affiliate_sharing: minimal (per product doc)
redaction: client-side via regex + allowlist
The uncomfortable trade-offs
Incogni flags a pattern: broad ecosystems that monetize through ads or multi-product funnels tend to write broad privacy policies, while smaller labs seem nimbler with clarity. That doesn’t automatically make one “unsafe” and the other “safe,” but it should shape your threat model. If your app processes customer secrets, a provider with no opt-out and expansive sharing is a tough sell. If your workload is public knowledge aggregation, the calculus changes.
It’s also worth noting the app layer. According to Incogni, Meta AI’s app integrations collect a wide array of signals, while Copilot’s “zero data” position on Android is noted with skepticism. If your risk profile is high, testing models via clean browsers, isolated containers, or locked-down mobile profiles is prudent. Use separate accounts for dev/test/production and review their respective data controls.
Open questions worth tracking
- How quickly will providers standardize on a “no training” header or contract term?
- Will DP techniques or on-device models narrow the privacy gap for consumer use cases?
- Can clearer privacy scorecards become part of procurement checklists, just like uptime SLAs?
“If privacy is your priority, stick with Mistral, ChatGPT, or Grok.” — Incogni’s recommendation, with the full dataset available here.
For practitioners living in evals/, prompts/, and callbacks/, the path forward is clear: apply minimization by default, pick providers with explicit controls, and keep an eye on how policy language evolves. The platforms that make privacy simple to configure will win developer trust first—and keep it.
Recommended Resources
As an Amazon Associate, I earn from qualifying purchases.
