The Privacy Problem with AI Chatbots in 2026
Every major AI chatbot trains on your conversations by default. Most store your data on US or Chinese servers, subject to foreign government access. Several have signed military contracts. And the opt-outs — when they exist — are buried in settings, gated behind paid plans, or simply not retroactive.
eustella analysed the data practices of the 11 most widely used AI chatbots. Here is what we found.
ChatGPT: $200M Pentagon contract, €15M GDPR fine
ChatGPT by OpenAI is the world's most popular AI assistant. By default, OpenAI uses your conversations to train its models. The opt-out is buried in settings and is not retroactive — data already submitted has been used. All data is stored on US servers routed through Microsoft Azure. In June 2025, OpenAI launched its government division with a $200 million contract from the Pentagon's Chief Digital and AI Office (CDAO) [1]. Italy's data protection authority fined OpenAI €15 million for GDPR violations in 2024 [2].
OpenAI is backed by Microsoft ($13 billion+). All data flows through Microsoft Azure. OpenAI is restructuring into a for-profit corporation. Note: OpenAI has offered EU data residency for Enterprise and Education customers since February 2025 [3], but free-tier user data is still processed in the United States.
Claude: Trains on chats since September 2025
Claude by Anthropic is a capable AI assistant — but it is a US product, backed by Amazon ($8 billion) and Google ($3 billion+). Since September 2025, Anthropic has trained on your conversations by default unless you opt out [4]. The opt-out interface has been criticised as a dark pattern that defies GDPR guidelines [5]. Opted-in data may be retained for up to 5 years. Anthropic has no European offices and no EU data centres. All infrastructure runs on AWS and Google Cloud, and the US CLOUD Act applies — meaning the US government can compel data access.
Google Gemini: 22 data categories, Pentagon AI for 3 million personnel
Google Gemini collects 22 out of 35 possible data categories — more than any other AI chatbot. Your conversations are used for training by default, reviewed by human employees, and retained for up to 3 years even if you delete them. Gemini now powers the Pentagon's GenAI.mil platform, rolling out to all 3 million military, civilian, and contractor personnel [6]. Gemini is part of Google — the world's largest advertising company. Your AI usage feeds the same ecosystem that tracks you across Search, Gmail, Maps, YouTube, Chrome, and Android.
Grok: Owned by SpaceX, no opt-out since January 2026
Grok by xAI is the world's third-largest AI chatbot by web traffic. xAI is now a wholly owned subsidiary of SpaceX, controlled by Elon Musk, following its acquisition in February 2026 [7]. X's January 2026 terms of service grant a perpetual, worldwide license to use your content for AI training with no opt-out. Grok is under active GDPR investigation across multiple EU countries after NOYB filed complaints in nine EU countries in August 2024, alleging training on EU users' data without consent [8]. Musk led the DOGE initiative, which sought access to US federal databases containing sensitive data on millions of citizens — Treasury payment systems were confirmed accessed, while IRS access was blocked by courts [9].
DeepSeek: All data in China, 1 million+ chat logs exposed
DeepSeek is a powerful AI chatbot from China — but all your data is stored on servers in mainland China, subject to Chinese national security laws that compel companies to hand over data on government request. DeepSeek was banned in Italy on 30 January 2025 [10], is under investigation across the EU, and security researchers discovered an unprotected database with over 1 million lines of plaintext chat histories. The opt-out was only added after South Korean regulators intervened.
Microsoft Copilot: $9B shared Pentagon contract, Recall screenshots your screen
Microsoft Copilot is bundled across Windows, Office, Edge, and Bing. Consumer Copilot conversations are used to train AI models by default. Microsoft paused this training in the EEA in August 2024 rather than face GDPR enforcement — acknowledging the GDPR conflict rather than fixing the underlying practice [11]. Microsoft deploys GPT-4 in top-secret Pentagon clouds as part of the Joint Warfighting Cloud Capability (JWCC) — a $9 billion contract shared across Microsoft, Amazon, Google, and Oracle [12]. Consumer Copilot and military Azure operate on physically and logically separate infrastructure. The Windows Recall feature screenshots your screen every few seconds. The US House of Representatives banned its own staff from using Copilot over data security risks.
Meta AI: €2.5B in GDPR fines, breaks WhatsApp encryption
Meta AI is embedded across Facebook, Instagram, WhatsApp, and Messenger. Meta uses your AI conversations to personalise ads and train models. Invoking Meta AI in a WhatsApp chat breaks end-to-end encryption. Since May 2025, public posts from EU users are used for AI training by default. Meta has been fined over €2.5 billion under GDPR and paid $5 billion to the US Federal Trade Commission for the Cambridge Analytica scandal [13]. Meta is now an active defence contractor, partnered with Anduril since May 2025 for Pentagon AI and AR/VR projects [14].
Perplexity: Funded by Bezos, scrapes despite no-crawl rules
Perplexity is a US-based AI search engine funded by Jeff Bezos, NVIDIA, and SoftBank, with a $750 million Microsoft Azure dependency. It trains on user data by default and has been caught scraping websites that explicitly blocked AI crawlers. Perplexity faces active lawsuits from The New York Times, Reddit, News Corp, and others. Cloudflare has publicly confirmed that Perplexity's bots ignore no-crawl rules.
Mistral: Funded by Microsoft, lobbied against the EU AI Act
Mistral positions itself as Europe's AI champion — but it is heavily funded by Microsoft, NVIDIA, and major US venture capital firms. Mistral trains on free-tier user data by default and was hit with a GDPR complaint filed by French lawyer Jeremy Roche with CNIL in February 2025 for gating the opt-out behind paid plans [15]. Mistral actively lobbied to weaken the EU AI Act — Corporate Europe Observatory documented how this effort aligned with Big Tech interests [16]. Mistral has a direct military contract with the French armed forces [17], and indirect defence partnerships through Helsing (Germany) and Faculty AI (United Kingdom).
Character.AI: Trains on intimate conversations, teen safety lawsuits
Character.AI is the fifth-largest AI chatbot by web traffic. It trains on your conversations by default and has used chat data for targeted advertising since August 2025. Character.AI faces multiple lawsuits linked to teen suicides. Google invested $2.7 billion and is named as a co-defendant. In January 2026, Character.AI and Google agreed to mediate settlements — the first major legal settlement over AI-related harm.
OpenClaw: 40,000+ exposed instances, malicious plugins
OpenClaw is a popular open-source AI agent with over 316,000 GitHub stars. It can control your computer, manage your calendar, send emails, and run shell commands. But it is insecure by default — security researchers initially found over 40,000 exposed instances on the public internet, many without authentication; later scans revealed between 135,000 and 220,000+ vulnerable deployments. 12% of community-built skills on ClawHub were found to be malicious, a figure that has since grown to approximately 20%. OpenClaw stores API keys in plaintext and has no built-in encryption. Its creator joined OpenAI in February 2026, leaving the project's governance uncertain.
The pattern is clear
Every major AI chatbot — American, Chinese, and even nominally European — trains on your data by default, stores it outside the EU, or is funded by the same Big Tech companies that profit from your information.
eustella is designed as the European alternative. Your data stays in Europe, is never sold, and is never used for training. eustella runs exclusively on European and open-source AI models, with no Big Tech investors, no military contracts, and no hidden agendas.
Sources
1. Breaking Defense. "OpenAI for Government launches with $200M win from Pentagon CDAO." June 2025.
2. Euronews. "Italy's privacy watchdog fines OpenAI 15 million after probe into ChatGPT data collection." December 2024.
3. OpenAI. "Introducing data residency in Europe." February 2025.
4. TechCrunch. "Anthropic users face a new choice: opt out or share your data for AI training." August 2025.
5. The Decoder. "Anthropic uses a questionable dark pattern to obtain user consent for AI data use in Claude." 2025.
6. Breaking Defense. "Pentagon rolls out GenAI platform to all personnel, using Google's Gemini." December 2025.
7. CNN. "SpaceX acquires xAI." February 2026.
8. NOYB. "Twitter's AI plans hit with 9 more GDPR complaints." August 2024.
9. NPR. "Musk's DOGE group has access to the federal payments system. What does that mean?" February 2025.
10. Euronews. "DeepSeek AI blocked by Italian authorities." January 2025.
11. Microsoft. "Transparency and control in consumer data use." August 2024.
12. CNBC. "Google, Oracle, Amazon and Microsoft awarded $9 billion Pentagon cloud deals." December 2022.
13. FTC. "FTC imposes $5 billion penalty, sweeping new privacy restrictions on Facebook." July 2019.
14. CNBC. "Meta, Anduril partner on VR/AR project intended for US Army." May 2025.
15. Sifted. "Mistral privacy policy GDPR complaint." February 2025.
16. Corporate Europe Observatory. "Trojan horses: how European startups teamed up with Big Tech to gut the AI Act." March 2024.
17. TechRepublic. "Mistral French military AI deal." 2025.