"We do not train on your data" is the most repeated sentence in legal AI sales decks. Westlaw says it, Harvey says it, Lexis says it, every credible AI-native suite says it.
The problem is that the slogan is verifiable, but almost nobody verifies it. This is the procedure for turning that one sentence into a documented, pass/fail checklist your firm can run before you sign.
Short answer: does legal AI train on your data? A reputable legal AI tool does not train its model on your prompts or uploads, and the foundation models underneath (OpenAI, Anthropic) do not train on API data by default. But "no training" is one narrow promise. It leaves retention, sub-processors, product-improvement reuse, and what a court can later compel open, so the answer you can rely on is the one written into the contract, not the one on the sales call. The five checks below turn the slogan into a record.

The path a privileged document takes, and the guarantees worth checking in the contract.
TL;DR
- "We do not train on your data" is one narrow promise. It says nothing about retention, sub-processors, or whether your prompts get reused for product improvement.
- ABA Formal Opinion 512 (July 29, 2024) makes this your job: competence and confidentiality require you to understand how a generative AI tool uses client data, not to take the slogan on faith.
- Run a 5-item check: (1) the no-training language lives in the contract, not a webpage; (2) a published sub-processor list with change-notice terms; (3) a written retention and deletion timeline; (4) zero-data-retention with the underlying foundation model; (5) a training-vs-product-improvement carve-out.
- The slogan usually hides at the foundation-model layer. "We don't train" can be true while a vendor still fine-tunes a reranker on your queries.
- No-training and even zero data retention do not override a court order. In New York Times v. OpenAI, a May 2025 preservation order forced OpenAI to keep ChatGPT logs, but zero-data-retention API traffic was untouched because it was never stored. Your verified retention terms set the ceiling on what a subpoena can reach.
- This post is the how-to. For who-routes-where across Harvey, Legora, CoCounsel, and Lexis, see where your legal AI data actually goes.
Part of our legal AI verification and hallucination guide series.
For related verification / hallucination / vendor-trust coverage, see Does Westlaw or LexisNexis Train OpenAI on Your Research? and Legal Research With No Data Indexing or Human Review: A Confidentiality Checklist.
Where does a 'we do not train on your data' promise have to live to be reliable?
Why the slogan is not enough
A vendor that promises "we do not train on your data" has told you one true thing and left four questions open.
Training is a specific operation: feeding your prompts and uploads into the weights of a model so future outputs reflect your content. A vendor can honestly say it never does that while still holding your privileged documents for 18 months, routing them through six sub-processors you have never heard of, and feeding your query patterns into a retrieval ranker that is technically not "the model."
Every one of those is a confidentiality exposure. None of them is "training."
So the slogan is a starting point, not an answer. The real question a client would ask, if they knew to ask, is simpler: where does my file go, who touches it, and when is it gone. That maps onto five things you can actually check.
This is not optional diligence. It is a stated ethics duty.
ABA Formal Opinion 512 made verification your job
In Formal Opinion 512 (July 29, 2024), the ABA issued its first formal guidance on generative AI. The short version for this discussion:
- Competence (Rule 1.1) requires a "reasonable understanding" of the capabilities and limitations of the specific GAI tool you use. You do not need to be an engineer, but you cannot plead ignorance about where the data goes.
- Confidentiality (Rule 1.6) requires evaluating the risk that client information will be disclosed to or accessed by others. The opinion specifically flags "self-learning" tools, the ones that improve from the inputs they receive, as a heightened concern.
- The opinion expects lawyers to read the tool's terms of use and privacy policy and, where appropriate, obtain client consent.
Read together, the message is direct: you are responsible for knowing how the tool uses your data, and "the salesperson told me they don't train on it" is not a defensible level of diligence.
The checklist below is how you build the record the opinion expects.
Regulators are pushing the same direction. California's AB 2013, the Generative AI Training Data Transparency Act, took effect January 1, 2026 and requires developers to publicly disclose the sources of the datasets used to train a generative AI system made available to Californians, including whether those datasets contain personal information or copyrighted material (California AB 2013; Davis+Gilbert, 2026). That transparency governs what a model was trained on, not what happens to your inputs, but the trend line is clear: "trust us" is losing ground to documented disclosure.
The 5-item verification checklist
Run each item as a pass/fail test. Put the questions to the same vendor representative who quoted you the price, and get the answers in writing. Any single fail sends the tool back to "undefined," which is not where client matter content belongs.
1. The no-training language is in the contract, not a webpage
A privacy page can be edited the day after you sign. A Data Processing Addendum (DPA) cannot.
The test: find the exact sentence committing to no-training, and confirm it appears in the executed agreement (DPA or master services agreement), not only in a marketing page or help-center article.
- Pass: the no-training commitment is written into the DPA, with the customer named as data controller and the vendor as processor.
- Fail: the only place it appears is a webpage, or the rep emails you a screenshot of the trust page instead of contract language.
Ask plainly: "Is the no-training commitment in the DPA you will sign? Please point me to the clause."
Certifications help here, but they do not stand in for the clause. SOC 2 Type 2 and ISO 27001 attest that the vendor follows its own stated controls under audit. Neither one, on its own, promises no-training, a retention window, or a product-improvement carve-out. Read them as corroboration for the contract language, not a replacement for it.
2. A published sub-processor list with change-notice terms
Your data does not stop at the vendor. Every legal AI product in 2026 is a layer on top of a foundation model running on someone else's cloud.
The sub-processor list is the map of who else touches the file.
- Pass: a public, dated sub-processor list (cloud provider, foundation-model provider, storage, observability) plus a defined notice period before the vendor adds or changes one.
- Fail: no list, a stale list, or "we will tell you if it changes" with no notice window and no opt-out.
Ask: "What is your current sub-processor list, and how many days of notice do I get before it changes?"
3. A written retention and deletion timeline
This is the item the slogan ignores entirely. No-training says nothing about how long your prompts, uploaded documents, and the embeddings derived from them sit in the vendor's own systems.
- Pass: a specific timeline for prompts, uploads, and embeddings, plus a deletion trigger (on session end, on a fixed window, on account termination) and a post-termination deletion clause.
- Fail: "we retain data as long as necessary" with no number, or silence on embeddings (the derived vectors often outlive the source file).
Ask: "What is the retention window for prompts, uploaded documents, and embeddings, and what event triggers deletion?"
The thing to watch is embeddings. A vendor can delete your PDF and keep the vector representation that was computed from it, which still encodes the content.
4. Zero-data-retention with the underlying foundation model
Here is where most slogans quietly stop short. The legal AI vendor may not train on your data, but the OpenAI or Anthropic model underneath it has its own retention behavior.
Start from what the providers actually publish, because it is better than the slogan and most buyers do not know it:
- OpenAI does not train on API data by default. Its data docs state that "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in)." Abuse-monitoring logs are "retained for up to 30 days, unless longer retention is required by law" (OpenAI, API data usage docs, accessed June 2026).
- Anthropic does not train on commercial data by default. Its policy: "By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models" (Anthropic, Is my data used for model training?, accessed June 2026).
So no-training at the foundation-model layer is usually the default, not a favor. The retention window is the part that varies. Standard API access carries a default retention window for abuse monitoring (up to 30 days at OpenAI). Zero data retention (ZDR) removes that window for approved customers and eligible endpoints, so the prompt is processed and discarded with no stored copy.
- Pass: the vendor holds ZDR status with each foundation-model provider it routes to (OpenAI, Anthropic, or both) and will reference it in the DPA.
- Fail: "we do not train on your data" with no statement about what the foundation-model layer retains, or a ZDR claim the vendor cannot tie to a contractual reference.
Ask: "Do you hold zero-data-retention status with every foundation-model provider you route my queries to? Which providers, and is it referenced in the DPA?"
If the vendor routes across multiple models, confirm ZDR on each path, not just the one in the demo.
5. A training-vs-product-improvement carve-out
The sharpest gap in the slogan. "We do not train the LLM" and "we do not use your data to improve our product" are different promises.
A vendor can keep the first while quietly doing the second: fine-tuning a reranker, building evaluation datasets from your queries, or optimizing retrieval against your usage patterns. None of that is "training the model." All of it reuses your content.
- Pass: the contract states that customer content is not used for product improvement of any kind, including fine-tuning, retrieval optimization, ranking, or evaluation datasets, or it discloses exactly what is used and lets you opt out.
- Fail: the no-training clause is narrowly scoped to "foundation model training," with no mention of the vendor's own components, and the rep cannot say what happens to your query logs.
Ask: "Beyond foundation-model training, is my content used to improve your product in any way, including reranking, evaluation, or fine-tuning your own components? If yes, can I opt out?"
This is the question that most often produces a long pause.
For the per-vendor version of all five tests, with what Harvey, Legora, CoCounsel, and Lexis each publish, see where your legal AI data actually goes. That post is the map. This one is the procedure.
Consumer AI and enterprise AI are not the same promise
The checklist above assumes a vendor selling to firms. The bigger trap is the free or personal tool a lawyer opens in a browser without a contract at all.
The default terms on consumer chat products are the opposite of the enterprise default. On the consumer tier, your inputs can be retained, used to improve the product, and reviewed, unless you turn that off in settings. The enterprise and API tiers flip it: OpenAI states API data is not used to train by default, and Anthropic states commercial inputs and outputs are not used to train by default (both cited above). Same brand, two different data deals.
| Consumer tier (free / personal) | Enterprise / API tier | |
|---|---|---|
| Trained on your inputs? | Possible by default unless you opt out | No, by default (OpenAI, Anthropic) |
| Contract / DPA | Click-through terms, no DPA | Negotiated DPA available |
| Zero data retention | Not offered | Available for approved customers |
| Fit for client matter content | No | Yes, once the five checks pass |
The practical line is the client's information. General research or admin drafting on a consumer tool is a judgment call. The moment a privileged document or client fact goes into the box, you need the enterprise terms and the contract record, because a click-through consent that permits training and disclosure is the kind of term that can put privilege at risk. For the questions to send a vendor, see our vendor security questionnaire for in-house counsel; for the contract clauses to mark up, see the DPA review field guide.
Confidentiality is a legal duty, not a vibe
It is tempting to treat "we deleted it" as the end of the conversation. The law of digital privacy says it should be the start.
In Carpenter v. United States, 585 U.S. 296 (2018), the Supreme Court held that a person retains a reasonable expectation of privacy in cell-site location records even though those records were held by a third-party carrier.
The older intuition, that handing data to a third party extinguishes any privacy interest in it, did not survive contact with modern data practices. The Court recognized that the sheer detail and persistence of third-party-held data made the old rule untenable.
The analogy for legal AI is not perfect, but it is instructive. Your client's confidences do not stop being confidential because they now sit on a vendor's server. The duty travels with the data.
And a verbal "we don't keep it" carries about as much weight as the third-party doctrine Carpenter declined to apply mechanically: the protection has to be real and enforceable, which in a commercial context means it has to be in the contract.
Contractual teeth are what convert a slogan into something a client, or a disciplinary panel, can hold you to.
That is the whole point of insisting the no-training and deletion promises live in the DPA (item 1 above) rather than on a webpage.
The risk the checklist hardens against: compelled disclosure
No-training tells you the vendor will not reuse your file. It says nothing about what happens when a third party demands it. A subpoena, a discovery request, or a litigation-hold preservation order can reach data a vendor holds regardless of whether the vendor ever trained on it. Retention, not training, is what determines whether there is a copy for a court to reach.
The clearest recent example is the copyright litigation against OpenAI. In May 2025, the court ordered OpenAI to preserve ChatGPT output logs it would otherwise have deleted. Later that year the court affirmed an order to produce roughly 20 million de-identified chat logs to the plaintiffs (Bloomberg Law, 2025). None of that turned on training. It turned on what was retained and therefore reachable.
The lesson maps straight onto item 3 and item 4. Data a vendor never stores cannot be preserved or produced. OpenAI's own account of the case makes the point: zero-data-retention API traffic fell outside the preservation order because there was no stored copy to preserve. So the retention and ZDR checks are not only confidentiality hygiene. They set the ceiling on what a court can compel your vendor to surrender, and by extension the ceiling on your own exposure.
This is also why "we deleted it" has to be a contractual deletion timeline with a named trigger, not a verbal assurance. A vendor placed under a litigation hold cannot delete on your schedule if a court has told it to keep everything. The narrower the retained footprint you negotiated up front, the less there is to freeze when that day comes.
A worked example of the five answers
Put it back together with one concrete vendor. The answers a buyer would want to see in writing look like this:
- Contract, not webpage. No-training commitment is in the DPA, with customer named as controller, vendor as processor.
- Published sub-processors. Public, dated list (cloud provider, foundation-model providers, observability) with a defined notice period before change.
- Retention and deletion. Query content processed for the response, not stored beyond billing metrics. Uploads and embeddings have a defined lifecycle with deletion on account termination.
- Foundation-model ZDR. Zero-data-retention status with each foundation-model provider in the routing path, referenced in the DPA.
- Product-improvement carve-out. No reuse of customer content to fine-tune, rerank, or build evaluation datasets. Research answers grounded by retrieval over public law (US opinions plus U.S. Code and CFR), not by training on your inputs.
If a vendor cannot produce something equivalent to those five, you do not yet have a record you can put in front of a client or a disciplinary panel.
The one-page version to keep
If you do nothing else, save these five questions and send them to any legal AI vendor before you sign:
- Is the no-training commitment in the DPA I will sign, and where is the clause?
- What is your current sub-processor list and your notice period before it changes?
- What is the retention window for prompts, uploads, and embeddings, and what triggers deletion?
- Do you hold zero-data-retention with every foundation-model provider you route to?
- Beyond model training, is my content used for product improvement, and can I opt out?
A vendor that answers all five in writing is one you can sign with and document for your file. A vendor that routes you to a trust page is one whose data handling you should assume is undefined until proven otherwise.
FAQ
Does legal AI train on your data?
A reputable legal AI tool does not train its own model on your prompts or uploads, and the foundation models underneath do not train on API data by default. OpenAI states API data is not used to train its models unless you opt in, and Anthropic states commercial inputs and outputs are not used to train by default. The risk is not training. It is retention, sub-processors, and reuse for product improvement, which the no-training promise does not cover.
Is my data used to train AI if I use ChatGPT or Claude?
It depends on the tier. On the consumer (free or personal) tier, your inputs can be used to improve the product by default unless you change the setting. On the API and enterprise tiers, both OpenAI and Anthropic say they do not train on your data by default. For client work, use the enterprise or API path under a contract, not the consumer app.
What is zero data retention (ZDR)?
ZDR means the provider processes your prompt, returns a response, and keeps no stored copy, including no abuse-monitoring logs. Standard API access usually carries a default retention window (up to 30 days at OpenAI). ZDR removes that window for approved customers and eligible endpoints. It is the strongest retention setting, but it is a separate question from training.
Is "we do not train on your data" enough for attorney confidentiality?
No. ABA Formal Opinion 512 (July 29, 2024) makes you responsible for understanding how the specific tool uses client data, which means reading the terms, not trusting the slogan. No-training says nothing about how long your files are kept, who else touches them, or whether your query patterns feed a reranker. You need those answers in the contract.
Where should the no-training promise be written?
In the executed agreement, the Data Processing Addendum (DPA) or master services agreement, not on a marketing or trust page. A webpage can be edited the day after you sign. Ask the vendor to point you to the exact clause, with you named as data controller and the vendor as processor.
Can a vendor say "we do not train" and still reuse my data?
Yes. "We do not train the model" and "we do not use your data to improve our product" are different promises. A vendor can keep the first while fine-tuning a reranker, building evaluation datasets, or optimizing retrieval against your usage. Ask for a product-improvement carve-out, and ask whether you can opt out.
What about embeddings after my document is deleted?
Embeddings are the vector representations computed from your file, and they can outlive the source document. A vendor can delete your PDF and keep the embedding, which still encodes the content. Ask for the retention and deletion timeline to name prompts, uploads, and embeddings, with a deletion trigger for each.
Can a court force a legal AI vendor to hand over my data?
Yes, if the vendor still holds it. A subpoena, discovery request, or preservation order can reach data a vendor retains regardless of whether it ever trained on that data. In the copyright litigation against OpenAI, a May 2025 preservation order forced OpenAI to keep ChatGPT logs, and the court later affirmed production of roughly 20 million de-identified logs (Bloomberg Law, 2025). Traffic sent through zero-data-retention endpoints was not affected, because it was never stored. This is why the retention and ZDR checks matter beyond privacy: they cap what a court can compel.
Does SOC 2 or ISO 27001 mean a legal AI will not train on my data?
No. SOC 2 Type 2 and ISO 27001 attest that a vendor follows its own stated security controls under audit. Neither one, by itself, promises no-training, a defined retention window, or a product-improvement carve-out. Treat them as corroboration for the contract language, not a substitute for the clause.
Where Vaquill AI lands
We built Vaquill AI so the five checks have written answers: no-training and deletion in the DPA, a published sub-processor list, defined retention, ZDR with the foundation-model providers we route to, and no reuse of your content to fine-tune or rerank our own components. Research answers are grounded by retrieval over public law (US opinions plus U.S. Code and CFR), not by training on your inputs. If you want to see those answers in writing before you trust them, ask us for the DPA and sub-processor list.

Cost context for the vendors you are weighing is in our Harvey, Legora, and CoCounsel pricing reality breakdown.
For more on how this maps across specific vendors, see where your legal AI data actually goes.
New legal AI guides, weekly.
Further Reading
Does OpenAI Train on Your Westlaw or LexisNexis Data?
Read postABA Formal Opinion 512 (2024): Generative AI Duties for Lawyers
Read postHarvey AI Subprocessors: Where Your Client Data Actually Flows
Read postLegal Research With No Data Indexing or Human Review: A Confidentiality Checklist
Read postAre ABA Formal Opinions Binding? What Opinion 512 Means for Your AI Workflow
Read postAI Law Search Engine vs Keyword Search: Find Case Law Faster
Read post
Product & Content
Legal AI suite for US working lawyers: research, drafting, document comparison, document matrix, matters, and citation-verified answers, in one tool.