If one technical decision matters more than which AI tool you pick, it is which version of that tool you use. The same brand name can mean very different things depending on the tier, and most people do not know what changes between them. This is the decision that quietly separates a careful business from an exposed one.
The tier, not the tool, is the decision
When people compare AI tools they tend to argue about capability: which model is smarter, which writes better, which integrates with what. Those questions matter less than they feel like they do. The decision that actually carries the risk is the tier you run the tool on: whether you are on the free, paid-personal, business, or enterprise version of the account.
| What changes | Free | Paid personal | Business / Enterprise |
|---|---|---|---|
| Trains on your inputs by default? | Often yes | Often still yes | Generally no |
| Written data-handling commitment? | Usually not | Usually not | Yes, in writing |
| Admin controls? | No | No | Yes |
| OK for protected data? | No | No | Yes, if configured |
Same logo, very different risk. The gap between the Free and Business / Enterprise columns is the gap between we were careful and we exposed protected information to a third-party system that learned from it.
What “trains on your data” actually means
Training means the AI system learns from what you type: your inputs can become part of the product. The major tools follow a similar pattern, even though the details differ by vendor and change over time, so verify the current terms for your specific product and tier.
On consumer and free tiers, your conversations can be used to help improve the model. The control exists, but training is on until you turn it off. On business and enterprise tiers, the vendors generally commit not to train on your data by default, give you a written data-handling commitment — the vendor’s promise, in writing, about what happens to your data — and provide administrative controls a personal account does not have.
How to check in Microsoft 365: look for the green shield icon in the top right corner of the window. It means enterprise data protection — Microsoft’s name for the business-tier data commitment — is turned on.
Two traps catch people. The first is assuming that paying for a personal tier fixes the data question. It usually does not. A paid personal account often removes usage limits without adding the enterprise data commitments. The second is assuming a setting once checked stays checked. Vendors change defaults, migrate accounts, and add features. The tier decision is part of governance precisely because it needs to be reviewed, not set once and forgotten.
Why this is close to the whole game in a regulated business
In a business bound by professional duty, if a tool trains on what you put in, and what you put in is information you are obligated to protect — patient records, client files, financials — that is a serious problem. If you can turn that off, document that you turned it off, and show the vendor’s commitment in writing, you are in a defensible position: you can show anyone who asks that you understood the tool and configured it on purpose.
The cost of getting this wrong is not hypothetical. In United States v. Heppner, a 2026 federal case, documents a person created using a public, consumer-grade AI chatbot were ruled not protected by privilege — the legal shield that normally keeps attorney-client material out of the other side’s hands. What cost them the protection was not using AI. It was the consumer tier, undocumented. The same logic applies to a clinic pasting patient information into a free tool or an accounting firm running client financials through a personal account. The tier and the process around it are what make the difference.
How to get the tier decision right
The practical sequence is short:
- Inventory which tools are in use and at which tier, including personal accounts.
- Move anything touching protected or sensitive information to a business or enterprise tier.
- Confirm the training setting is off.
- Capture the vendor’s written commitment.
- Record the decision in your tool inventory so it is reviewable, and revisit it on a schedule, because the terms will change.
None of this requires you to become an expert in every vendor’s policy. It requires treating the tier as a deliberate, documented decision rather than an accident of whoever signed up first. That is the difference between defensible and exposed, and it usually costs less than people expect.
Want help getting the tier decision right? Book a free consultation.