Tier 1 · Foundations1.515 min

What to keep out of Claude

A gravel track winding into mossy native beech forestWorking with Claude — CC BY 4.0

The last lesson was about not trusting what comes out of Claude. This one is about being careful with what you put in. Every message you type is sent off your machine to be processed somewhere else, by a company you don’t control. Before you paste, ask one plain question first — and know the few things that really shouldn’t go in.

The first custody question

Whenever you’re about to hand something to any AI tool, ask: where does this go, and who can reach it once it leaves my hands?

That’s the custody question, and it’s the habit this whole lesson is built on. Not “is this tool good”, but “once I paste this, who has it, for how long, and under whose laws?” You keep asking it — of Claude, of any chatbot, of any cloud service. It’s the difference between using a tool and quietly handing your work to a stranger.

For Claude specifically, the plain answer is: your message goes to Anthropic, a US company, and is processed on servers it operates. What happens next depends on which version you’re using — and that difference matters enough to spell out.

Where your data actually goes

Anthropic draws a hard line between its consumer plans and its commercial ones, and they’re governed by different terms.

So the first practical move, if you’re on a free or paid personal plan and doing anything sensitive, is to find the privacy setting and turn training off. It takes a minute and it changes what happens to everything you type from then on.

(These specifics come from Anthropic’s own published terms and can change — check the current privacy settings and terms rather than taking a course as gospel.)

The US CLOUD Act, in one line

Here’s the part people miss. Because Anthropic is a US company, US law reaches its data. The CLOUD Act (a 2018 US statute) lets US authorities compel a US-based provider to hand over data in its control — even if that data is stored outside the United States. Opting out of training doesn’t touch this; it’s a separate question about legal reach, not model improvement. For most everyday use this is academic. For anything you’re legally obliged to protect, it isn’t.

What simply shouldn’t go in

Rules of thumb, in plain terms:

If you genuinely need Claude’s help with sensitive material, the safer path is to strip it back first: remove the names, swap real figures for placeholders, describe the situation in the abstract. You usually get the same quality of help from an anonymised version.

Before you paste anything sensitive: whose information is it — yours, or someone who trusted you with it?

If they could see it landing on a US company’s servers, would they be comfortable? And if you’re not sure, who would you ask before pasting — not after?

A note for anyone working with Māori data

If your work touches information about Māori individuals, whānau, or communities, data sovereignty is a live and legitimate concern — the principle that Māori data should be subject to Māori governance. Sending it to a US-operated service is exactly the kind of decision that deserves a proper conversation with the people it belongs to, not a solo call in a chat window.

This lesson is general education, not legal advice. Privilege, privacy obligations and confidentiality duties turn on your specific situation and jurisdiction. If real exposure is on the line — a client’s data, a regulated record, anything privileged — talk to a qualified lawyer about your circumstances. The point here is only to make you pause and ask the custody question before you paste, because once it’s sent, you can’t unsend it.

That’s the whole discipline: you decide what leaves your hands. The tool never gets to make that call for you.


Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.

Leave a koha →

Useful? Share this lesson with a colleague.