June 22, 2026
AI agents and customer data: what actually happens to information your customers share
You're considering an AI chatbot for your website. Maybe it answers FAQs, qualifies leads, or handles support tickets. Before you flip the switch, there's a question you probably haven't asked yet: when a customer types "Hi, my name is Jane Smith, my account number is 4471, and I'm having trouble with..." — where does that information actually go, and who keeps a copy?
Most small-business owners deploying AI agents have no idea. The vendors don't go out of their way to explain it. And in a few states, getting this wrong now carries real legal exposure.
Here's what's actually happening behind the scenes, and what to ask before you sign anything.
The data flow, hop by hop
When a customer sends a message to an AI agent on your site, the data takes a path that looks roughly like this:
- Customer's browser → your website host. The message hits your server (or a serverless function) via HTTPS. Your host has the data in transit and may log the request.
- Your server → the LLM provider's API. Your application forwards the message (plus any "system prompt" or context you've configured) to an API like OpenAI, Anthropic, or Google. This call is also encrypted in transit.
- LLM provider → your server. The model generates a response and sends it back.
- Your server → the customer. The reply renders in their browser.
- Optional: your server → a database. If you've set up conversation logging (most setups do, for analytics or training your agent), the transcript gets stored somewhere — your database, a vector store, or an analytics tool like PostHog or Segment.
Every hop is a place where data can be retained, logged, or in the worst case, leaked. The two hops most owners don't think about are #2 (what the LLM provider does with the data) and #5 (what you do with the data once you've stored it).
API data versus consumer product data — they're not the same
This is the single most misunderstood point in the entire conversation, and it matters.
When you or your customer uses ChatGPT.com, Claude.ai, or Gemini.google.com through the browser as a consumer, that data may be used to train future models by default. You usually have to dig into settings to opt out.
When your application calls the API for those same providers — which is how 99% of AI agents on small-business websites work — the default is the opposite. As of this writing:
- OpenAI API: Data sent through the API is not used to train models by default. They retain it for up to 30 days for abuse monitoring, then delete it.
- Anthropic API (Claude): Same posture. API inputs and outputs are not used for training by default.
- Google Gemini API (paid tier): Same. The free tier has different rules, which is one reason you don't want to build a production agent on a free tier.
So if your AI agent uses one of these APIs and the integration is set up correctly, your customer's message is not feeding some future model. It hits the provider, gets processed, comes back, and gets purged within a defined window.
That said: "by default" is doing a lot of work in those sentences. Always read the current terms for the specific provider and tier you're using, because they change. And if you're using a third-party "AI chatbot platform" (a layer that sits between you and the underlying LLM), their terms are what govern your data, not the underlying provider's.
The red flag in vendor contracts
Here's the language to scan for when you're evaluating any AI tool, chatbot platform, or integration partner:
"Vendor may use Customer Data to improve, train, or develop its products and services."
If that clause exists with no explicit, free, easy opt-out, walk away or push back. That sentence means your customers' messages — names, account info, complaints, whatever they share — can become training data for a model that other companies will use.
What you want instead is something like:
"Vendor will not use Customer Data to train any machine learning model. Customer Data will be retained only for the purpose of providing the Service and will be deleted within [X] days of conversation end."
Specific. Bounded. Defaults set in your favor. If a vendor won't agree to this in writing, that tells you what you need to know about how they think about your customers' data.
CCPA basics for small businesses
The California Consumer Privacy Act (and its update, the CPRA) applies to your business if you meet any one of these thresholds:
- Gross annual revenue over $25 million, or
- Buy, sell, or share personal info of 100,000+ California residents/households per year, or
- Derive 50%+ of annual revenue from selling or sharing personal info
Most 10–50 employee businesses don't hit any of these. But two things to know anyway:
One: "Selling" under CCPA is broader than money changing hands. If you pass customer data to a third party in exchange for any benefit — including using a free analytics tool — that can count as a "sale" or "share." Sending customer messages to an AI vendor that uses them for training? Same idea.
Two: Even if you're below the threshold today, you might cross it as you grow, and other states are passing similar laws — Virginia, Colorado, Connecticut, Utah, Texas, and more. The cheapest time to build privacy hygiene into your stack is when you set it up, not after you have to retrofit it.
The practical minimums for a small business deploying an AI agent:
- A privacy policy that names the AI vendor as a "service provider" and explains what data flows to them
- A clear notice at the start of an AI chat that the customer is talking to an AI and that their messages will be processed by a third-party model
- An easy way for customers to request deletion of their data (you should be able to answer "delete everything you have on jane@example.com" within 45 days)
- A data retention policy you actually follow — don't keep chat logs forever just because storage is cheap
What privacy-respecting architecture actually looks like
This is where most off-the-shelf chatbots fall short and where a custom-built agent has a real advantage. A privacy-first AI agent does a few specific things:
PII stripping before the API call. Before your server sends the message to the LLM, a preprocessing step looks for things like email addresses, phone numbers, credit card numbers, and account numbers, and replaces them with tokens. Pseudocode:
"My card is 4111-1111-1111-1111"
→ "My card is [CARD_NUMBER_1]"
The LLM never sees the real number. The response comes back, your server swaps the token back in if needed, and the customer sees a coherent reply. Nothing sensitive ever leaves your environment in raw form. This is especially important for any agent that might touch payment info, health info, or anything else regulated.
Short retention windows. Don't keep conversation logs forever. Thirty to ninety days is plenty for debugging and improving the agent. Set up automatic deletion — a cron job, a database TTL, whatever fits your stack — and document it.
Audit logs separated from content. Keep two streams: one for operational metadata (timestamp, conversation length, was the agent helpful, did it escalate to a human) and one for actual message content. The metadata can live longer because it has no PII. The content gets purged on a schedule.
Region-pinned API calls when possible. Some providers let you specify that your API traffic stays in U.S. data centers, EU data centers, etc. If you have EU customers, this matters for GDPR. If you have customers in regulated industries, it can matter for them too.
A documented data flow. Write down — actually write down — every place customer data goes. Browser, your server, LLM provider, database, analytics, email tool. When a customer asks "what do you have on me?" you should be able to answer in an afternoon, not a week.
What to ask any vendor before you sign
Five questions. Get the answers in writing.
- Is customer data sent to your service used to train models, ever, by anyone in your data pipeline? The answer you want is no, with a contract clause to back it up.
- How long do you retain conversation data, and is that configurable? You want a specific number of days and the ability to lower it.
- Where is data stored geographically? Especially if you have international customers.
- What's your process if a customer requests deletion? They should have one.
- Do you have a SOC 2 report, or at minimum a security questionnaire you'll complete? For a 10–50 person business, SOC 2 isn't always realistic to demand, but a vendor who can't even answer a basic security questionnaire is a vendor to avoid.
If a vendor pushes back on any of these or sends you a 40-page document and tells you "the answer is in there somewhere," that's an answer in itself.
The honest tradeoff
Privacy-first architecture costs more to build than slapping a chatbot widget on your site. PII stripping, retention policies, audit logs, contract review — all of it takes time. The cheap chatbot platforms hide these costs by making decisions for you, and the decisions are usually optimized for their business, not yours.
For most small businesses, the right answer is somewhere in the middle: a custom agent built on a reputable API with privacy baked in from day one, sized appropriately for your actual traffic. Not enterprise-grade. Not "free chatbot from random startup" either.
The good news is that the building blocks are all available and not particularly exotic. PII stripping is a couple hundred lines of code. Retention policies are configuration. Contract clauses are a paragraph. The hard part is knowing to do it before you launch, not after a customer complains or a regulator asks questions.
If you're thinking about an AI agent for your business and you'd rather get the privacy architecture right the first time than retrofit it later, my AI Pilot Agent package bakes this in by default — PII stripping, short retention windows, vendor terms reviewed, and a documented data flow you can hand to anyone who asks. Worth a conversation before you sign with a SaaS chatbot vendor whose terms you haven't read.