AI app trust & transparency index
We read the privacy policy and terms of the most-used AI apps and graded what they disclose about data governance: training, deletion, retention, sharing, transparency, and security.
Tap a bar to filter the list.
Fireflies.ai Inc.
Fireflies.ai discloses explicit no-train policies for personal data and user content, with opt-out mechanisms, 30-day deletion timelines, and zero-retention for meeting content, but lacks concrete security controls naming and breach notification timelines.
Data platform
Atlan discloses no-train commitments for customer data except for customer-specific training, opt-in/off mechanism for AI, user ownership of outputs with carve-outs, data subject rights, deletion timelines, sub-processor list, and multiple named security certifications and controls.
GitHub (Microsoft)
GitHub Copilot trains user inputs by default with opt-out available; Business/Enterprise tiers exclude inputs from training; users own outputs; limited third-party sharing (ads/analytics with opt-out); data deletion within 90 days post-cancellation; minimal security controls disclosed.
Mistral AI
Mistral Le Chat trains user inputs by default with an opt-out on Enterprise/paid tiers, offers standard rights with some ambiguities, has unclear breach-notification safeguards, but explicitly discloses non-use of sublicensable outputs for training, undermined by a perpetual sublicense grant for service providers.
Sourcegraph, Inc.
Sourcegraph Cody trains user inputs with opt-out for most tiers but retains them for safety review; it discloses data practices transparently, offers user rights with some organizational limitations, and commits to minimal personal-data extraction from code.
Notion Labs
Notion's privacy policy discloses explicit no-training pledges for customer data with contractual safeguards, clear user rights including deletion and access, concrete AI-log retention periods (30 days/zero), and comprehensive security certifications, though international transfer mechanisms and some data-sharing opt-outs lack specificity.
Zapier, Inc.
Zapier discloses model training with opt-out (half), named opt-out mechanism, tier differences, user data ownership, comprehensive rights, vague retention except auto-deletion after 24 months, sharing categories with DPA reference, but lacks specific security controls and breach notification timeline.
Betterworks Systems, Inc.
Betterworks discloses privacy rights and retention limits but does not disclose model training practices on user inputs; the disclosed policy only governs third-party OpenAI's LLM service.
Productivity
Canva discloses opt-out AI training with privacy controls, comprehensive data subject rights, named third-party safeguards, and COPPA/FERPA education certification, but lacks breach notification procedures and concrete retention timelines.
Legal
Clio's privacy policy discloses training opt-out for generalized LLMs, user-owned outputs with limited provider reuse, comprehensive GDPR-aligned rights (access, deletion, portability, correction, objection), explicit data-sharing disclosures, 90-day post-termination deletion, named security controls and breach notification, but with vague retention periods and weak synthetic-output marking.
Cognition AI
Devin's policy discloses explicit opt-in model training, access/portability rights, no data sales for ads, and basic security measures, but lacks concrete retention periods, breach timelines, and named security certs.
Audio
ElevenLabs offers opt-out training controls, an explicit named mechanism, and tiered commercial use policies, but grants perpetual sublicensable content licenses without user retention; retention is named at 3 years for voice data and biometric data; it sells personal data with opt-out available; international transfers use named safeguards and it names a DPO contact, but security controls are referenced externally without specific certs named in the policy text.
Anysphere
Cursor commits to not training on user inputs without explicit opt-in, assigns output ownership to users, and offers standard rights, but lacks detailed retention timelines, named security controls, and breach notification specifics.
Leonardo Interactive (a Canva brand)
Leonardo.ai offers opt-out model training for paid users but trains by default on free content; paid users own outputs with limited reuse, free users do not; comprehensive data rights (access, deletion, portability, correction, opt-out); vague retention policy tied to account activity; extensive third-party sharing with ad partners; named security certification (SOC 2 II) and European DPO; weak sensitive-data protections.
n8n GmbH
n8n has strong data minimization and user rights disclosures but grants sublicensable usage rights to user data without limiting reuse scope, which is adverse.
Personio SE
Personio does not train on user inputs, limits data retention to 30 days post-termination, offers standard GDPR rights, but provides vague security controls and minimal change notification in its public privacy policy.
Fireworks AI Inc.
Fireworks AI explicitly commits to no-train-without-opt-in for user inputs and zero-retention for open model logs, offers full GDPR rights including deletion within 30 days and data portability, does not sell personal information, uses standard contractual clauses for international transfers, and appoints a GDPR representative; however, the terms grant Fireworks perpetual sublicensable rights over all user-generated outputs, and lacks named security controls and breach notification standards.
Sana Labs AB
Sana explicitly prohibits AI model training on user data and provides comprehensive data rights, retention limits, and security disclosures, but lacks defined mechanisms for some rights exercises and overstates governance of AI interaction disclosure.
Dashworks AI, Inc.
Dashworks provides comprehensive data subject rights, transparent AI use with opt-out, and baseline security practices, but lacks minimization commitments and explicitly does not age-gate children's access.
Perplexity AI
Perplexity discloses training-data opt-out, full user rights (access/delete/port/correct/object), vague retention, broad third-party sharing with no-sell attestation, comprehensive data categories and legal bases, but lacks AI interaction disclosure, security control specifics, and breach timeframes.
NotebookLM discloses explicit no-training for inputs unless feedback is provided, tier protections for Workspace users, deletion rights, 3-year retention with feedback minimization, and 18+ age verification.
Productivity
Lovable's privacy policy discloses training opt-out and core rights but uses vague language for several capabilities, and the Terms contain a perpetual license clause that directly contradicts the Privacy Policy's training opt-out offer.
Fivetran, Inc.
Fivetran discloses solid data access and deletion rights with concrete timelines, transparent data sharing categories, and named security controls, but is vague on training data use beyond sensitive data, AI choice, and government access standards.
Dropzone
Dropzone AI's privacy policy discloses user rights and international transfer protections but lacks disclosure of AI model training, output ownership, and product-specific data governance for its AI SOC analyst service.
BI & analytics
Hex discloses explicit no-train commitments for personal data, with opt-out rights for AI training, but retention language is vague and some sharing mechanisms lack named safeguards.
Salesforce
Salesforce Einstein discloses zero-retention for customer prompts, customer data ownership, opt-out mechanisms for sharing/ads, and named international transfer safeguards, but lacks specificity on deletion timelines, breach notification, and granular access/portability procedures.
Eightfold AI Inc.
Eightfold AI discloses moderate privacy protections with clear data retention limits, deletion rights, and industry-standard security practices, though some claims lack concrete specificity and adverse sharing practices are absent from the policy.
Plaud Inc.
Plaud's privacy policy commits to never training AI on user content without explicit opt-in consent, names in-app access, correction, and deletion mechanisms, and discloses SCC-based international transfers, but it shares hashed identifiers for advertising with only a GPC opt-out, gives only vague retention and security language, and is silent on breach notification and synthetic-output marking.
Salesforce (Slack Technologies)
Slack's public policy discloses no-train for LLMs with a named opt-out for global models, strong data-subject rights, named sharing recipients and SCC transfers, but is thin on retention periods, synthetic-output marking, named security controls and breach notice.
Anthropic
Claude discloses training with opt-out, user data ownership, core GDPR-style rights, multi-mechanism data sharing, and named international safeguards, but lacks concrete security controls, breach notification timelines, and AI-use transparency.
Image & video
VEED's privacy policy provides transparency on tier-specific training use and data rights, with mostly functional GDPR-aligned protections, though output ownership is broadly licensed to third parties rather than user-exclusive.
Productivity
Fyxer does not train models on user data and requires explicit consent for AI processing, but retains data indefinitely without named deletion timelines, limits rights transparency to on-request sub-processor lists, and does not grant users ownership of AI-generated outputs.
Otter.ai, Inc.
Otter.ai discloses training on user inputs with opt-out, granular data rights, conditional retention, transparent sharing with subprocessor lists, and standard security measures, but lacks specificity on synthetic content marking and AI-specific retention periods.
Data platform
LangChain explicitly prohibits training on customer data and includes comprehensive data rights, but retention standards and security controls remain vague.
Kuaishou
Kling AI trains user inputs on models with a revocable opt-out; owns outputs with sublicensable reuse rights; provides standard GDPR-style data rights with vague retention; shares data with affiliates and third parties with generic contractual safeguards; discloses AI interactions and requires output labeling; implements encryption and access controls; and gates access at age 13.
Image & video
Synthesia offers opt-out training, comprehensive data rights including deletion, enumerated data categories, and explicit restrictions on biometric data monetization, but remains vague on AI component disclosure and lacks breach notification timelines.
Guru Technologies, Inc.
Guru explicitly prohibits training on public models while allowing private model training, grants user ownership of outputs, supports data subject rights with 90-day post-termination deletion, but lacks specificity on breach notification, special category data governance, and named security certifications.
Corti ApS
Corti's privacy policy discloses retention timelines, data subject rights, and named security certifications, but lacks explicit training-data optionality and contains ambiguous security boilerplate on several indicators.
Zoom Communications
Zoom explicitly commits not to train AI on customer content and enumerates rights, recipients, biometric governance and named certifications, but is silent on deletion timelines, AI-log retention, breach notice and synthetic-output marking.
Productivity
Grammarly (Superhuman) grants users data subject rights and opt-out control over AI training, but retains data indefinitely per business needs and allows AI model training including for new products.
Assistant
Manus discloses opt-out training control and offers core data rights (access, deletion with caveats, correction), but grants sublicensable content licenses and lacks detailed retention specificity outside sandbox data.
Image & video
Facemoji collects keyboard inputs for model training with a named opt-out toggle, discloses AI interactions clearly, but grants itself a perpetual sublicensable license over user content and sells Internet/Network data with opt-out only.
Ada Support Inc.
Ada's policy discloses strong data governance for deletions, access, and subprocessors, but reserves harmful rights on output reuse and targeted advertising sales with only opt-out protection.
Greenhouse Software, Inc.
Greenhouse discloses AI training with weak opt-out mechanisms, strong user rights frameworks, and certification compliance but lacks specific technical controls and retention transparency.
Vercel
Vercel v0 discloses an opt-out model for training data (Enterprise customers fully opt out; Hobby/Pro users can opt out with limitations for safety-flagged content), supports core user rights (access, deletion, correction, portability, restriction), but lacks concrete timeframes, named security controls, or breach notification procedures.
OpenAI
ChatGPT offers opt-out training controls and user ownership of outputs, but lacks named security mechanisms, transparent AI interaction disclosures, and purpose-to-legal-basis mapping in its global privacy policy.
Image & video
Photoroom offers moderate transparency on AI training (opt-out available with limits) and data rights, but reserves broad content licensing rights and provides weak security/breach disclosures.
Gong.io Inc.
Gong's privacy policy discloses foundational data subject rights (access, deletion, portability, correction, opt-out) with named mechanisms, limited training transparency, moderately clear retention (vague language without concrete periods except post-closure), enumerated data sharing categories including DPA incorporation, and named safeguards for international transfers, but lacks specificity on AI/ML disclosure, synthetic-output marking, and breach notice timelines.
Every app is scored across seven data-governance domains on a transparent 10-point scale, with each grade anchored to a quoted clause. Scoring is automated and reproducible: a fixed prompt at temperature 0, rubric version 2.0.
Read the full methodologyAssessed 2026-07-08. Scores reflect each policy as captured on that date; policies change.
Disclaimer
The VerifyWise AI Trust & Transparency Index is provided for general informational purposes only and reflects VerifyWise's good-faith analysis of publicly available privacy policies and terms of service as of each app's stated assessment date. Each grade is a statement of opinion based on our published methodology, not a statement of fact, legal or compliance advice, or an endorsement or warning about any company or product. We assess only what these documents disclose; we do not audit, test, or verify any company's actual data handling, security practices, or legal compliance, and a grade does not measure whether an app is safe or trustworthy to use. Policies change over time, so a grade may not reflect an app's current documents, and any assessment may contain errors or omissions. The index is not a substitute for your own review; you should read the relevant policies and seek professional advice before relying on it. VerifyWise makes no warranty as to accuracy or completeness and, to the fullest extent permitted by law, accepts no liability for any decision made in reliance on the index. Company and product names are trademarks of their respective owners; their inclusion does not imply any affiliation with or endorsement by VerifyWise. To request a correction, contact privacy@verifywise.ai.