How much do AI apps tell you about your data?

Leonardo.Ai

Leonardo Interactive (a Canva brand)

A

Strong data rights and opt-out controls for training and ads, with named transfer safeguards; the gap is no synthetic-image marking.

Notion

Notion Labs

A

A no-train-by-default commitment with named encryption, certifications, deletion timelines and SCCs; the cleanest policy in the set.

Photoroom

Image & video

A

A named training opt-out, an explicit no-sell commitment, full rights and detailed retention periods; light on named security controls.

Mistral Le Chat

Mistral AI

B

A detailed GDPR policy with strong rights, an account-level training opt-out, named retention windows, and a clear statement that it does not sell or run targeted advertising.

Claude

Anthropic

B

The strongest policy in the set, though consumer chats train by default, which caps it below A.

Cursor

Anysphere

B

Does not train on your code by default, with narrow named exceptions; a strong privacy posture for a coding tool.

NotebookLM

Google

B

Keeps user content out of foundational model training by default (only used if you send thumbs up or down feedback), lets you own generated content, and names a three-year feedback retention window.

Lovable

Productivity

B

Does not sell data, names SCCs for transfers, and only uses anonymized data for model improvement with permission.

Grammarly

Productivity

B

An opt-out of AI training, a full rights suite and strong transfer safeguards; missing breach notice and a concrete deletion timeline.

Freepik

Freepik Company (Magnific)

B

A detailed GDPR policy (Freepik now trades as Magnific) that deletes uploaded images right after generation and caps model-provider retention at 30 days.

PolyBuzz

Companion

B

A companion app that states it does not sell user information and gates access at 18, with clear rights.

ChatGPT

OpenAI

B

Full rights suite and a 30-day deletion window; trains by default with a clear opt-out.

Suno

Audio

B

Does not sell data and grants deletion rights, but trains its music models on user submissions without a clear opt-out.

Perplexity

Perplexity AI

B

A concise policy that still grants real rights, and it scores on substance rather than length.

Kling AI

Kuaishou

B

Solid regional protections for children and transfers, but the global policy stays silent on training use and synthetic-output marking.

VEED

Image & video

B

A detailed UK GDPR policy that limits AI training to free-tier uploads with a named opt-out, grants the full rights suite, and does not sell personal data, held back by vague retention and generic security.

Canva

Productivity

B

Named AI-training opt-out and mature rights; sharing data with ad partners is the drag.

Remini

Bending Spoons

B

A GDPR-grounded policy that trains on user images only with explicit opt-in, names standard contractual clauses, and gives a full rights flow, though its own retention figures contradict each other (1, 14, and 15 days).

Gemini

Google

B

A 'Keep Activity' toggle stops training; long default retention and human review weigh it down.

FaceApp

Image & video

B

Photos are not used for training and auto-delete within 48 hours, but a perpetual licence to user feedback trips a dealbreaker flag.

Genspark

Assistant

B

States it does not train AI on user data beyond the requested service, does not sell, and deletes within 30 days.

ElevenLabs

Audio

B

Treats voiceprints as biometric data with a named retention limit; trains on voice data.

Microsoft Copilot

Microsoft

C

The shared Microsoft policy allows training but is thin on Copilot-specific retention, deletion timelines and output ownership.

QuillBot

Learneo

C

A detailed multi-service policy that uses your inputs to improve its AI models, paired with a full rights suite and named transfer safeguards.

Facemoji

Image & video

C

Discloses strong rights and concrete retention numbers, but it sells personal information for advertising (with an opt-out) and collects biometric face scans with no governance regime.

Picsart

Image & video

C

A thorough rights-and-retention policy with standard contractual clauses named, but it predates the AI features and never addresses model training.

Candy.AI

EverAI Limited

C

A detailed GDPR notice with a full rights suite and named retention windows, but it trains its models on companion chats by default with only a general objection right and stays silent on marking AI-generated media.

Kimi

Moonshot AI

C

Grants a full set of GDPR-style rights and says it does not sell data. It also trains on your content by default with no opt-out, and retention is vague.

CapCut

ByteDance

C

Trains its models on user content and is light on a no-sell commitment, though it says face and body data is not used to identify you.

Higgsfield

Image & video

C

Openly says it trains its algorithms on your prompts and uploads with no opt-out, but balances that with named deletion windows and a full rights suite.

PixVerse

PixVerse (AISphere)

C

Names a no-sale commitment, standard contractual clauses, and one-shot facial-data deletion, but it trains on your content by default and reserves a free, worldwide, perpetual and sublicensable licence to it.

Meta AI

Meta

C

Graded on the shared Meta privacy policy: your AI interactions help develop Meta's AI and AI for third parties, with no training opt-out named.

Hypic

Image & video

C

Names strong rights, transfer safeguards, and careful face-data handling, but it trains its models on your content by default with no opt-out and keeps retention vague.

Ideogram

Image & video

C

Trains the models behind its service on your data as a legitimate interest with no opt-out, but commits clearly to never selling or sharing personal information.

Midjourney

Image & video

C

Users own their images but grant Midjourney a perpetual licence to reuse them, and prompts and outputs train the model unless declined.

Manus

Assistant

C

A recent agentic-assistant policy with solid transfer and advertising controls, but it never says whether your tasks and prompts train any model.

Brainly

Brainly sp. z o.o.

C

Explicitly promises not to train models on personal data, grants a full rights suite, and names standard contractual clauses, held back by no security, breach, or retention detail.

Character.AI

Character Technologies

C

Better rights disclosure than most companion apps, but data is shared for advertising.

Photomath

Google

C

Photomath spells out a full set of GDPR-style data-subject rights and a clear no-sale commitment. On a legitimate-interest basis with no opt-out, it also uses captured images and feedback to improve its service and affiliate machine vision technologies. Retention periods are not specified, and there is no breach-notification clause.

Talkie

Talkie AI

C

Grants full data rights and maps each purpose to a legal basis, but never says whether conversations train its models and keeps retention vague while sharing browsing data with advertisers.

Cutout.Pro

Image & video

C

States plainly that it does not train on uploads and does not share data, and gives short numbered retention windows. It says nothing about portability, breach notice, certifications, or versioning.

DeepSeek

Hangzhou DeepSeek AI

C

Solid rights, but data is stored in China with only vague transfer safeguards.

Gamma

Gamma Tech, Inc.

C

Grants a full slate of European data rights and names standard-form contracts for transfers, but it trains its AI models on your data with no opt-out and names no retention period or specific security controls.

Qwen

Alibaba

C

Scored on Alibaba Cloud's generic policy, which grants core rights and names transfer safeguards but omits any AI-specific disclosure.

Grok

xAI

D

Trains by default with no general opt-out, and no 'we don't sell' statement.

Hugging Face

Productivity

D

This dated, GDPR-aware policy names a full subprocessor list and grants access and deletion rights. It says nothing about AI training inputs, output ownership, retention periods, or portability, which places it in the D band. No adverse reservations are present, so no dealbreaker flags apply.

Janitor AI

JanitorAI Inc.

D

Grants real rights and doesn't sell, but stays silent on training, retention, and breaches.

Civitai

Image & video

D

A short 2024 policy that explains what it collects and shares but stays silent on AI training, retention periods, formal data rights, and labelling of generated images.

Pixelcut

Image & video

D

A generic compliance policy with a full set of data rights, but it never mentions AI at all: nothing on whether your images train models or whether outputs are marked.

SeaArt

Image & video

D

A 2023 policy that spells out a full set of data rights but stays silent on whether prompts and generated images train its models, with only vague retention and security.

Poe

Quora

D

Poe lets third-party developers train on user chats and shares data with ad platforms, with no user control over either.

CrushOn AI

CrushOn

F

A thin template policy: deletion rights are stated, but training use, retention, output ownership and security are all absent.

SpicyChat

Companion

F

A thin policy that grants deletion and an 18-plus gate but is silent on training, retention, sharing and security.