Are AI Conversations Private? What Courts, Warrants, and Data Policies Say

AI chats may not be as private as they seem. Here’s what users should know.

Table of contents

Are AI conversations private? Based on U.S. court decisions from 2025 and 2026, the answer is no. Courts have ruled that chats with AI chatbots carry no legal confidentiality, can be subpoenaed, and may be preserved indefinitely — even after users click “Delete.”

Roughly half of the messages people send to ChatGPT are requests for advice, and more than 10 percent are personal reflections, according to OpenAI’s own data. Many users treat the chatbot like a diary, a therapist, or a trusted adviser — but unlike a therapist or a lawyer, a chatbot runs on third-party infrastructure, with no professional privilege protecting what you type. (For a practical starting point, see our guide to the most private browsers of 2026.)

Below: the 2025–2026 court decisions that shaped the legal status of AI conversations, how the storage architecture works, and what protective measures exist today.

What Data AI Chatbots Collect and How They Store It

To understand why conversations with AI are vulnerable, you first need to see how the platforms process and store them. The mechanics are the same across all major cloud AI services — OpenAI, Google, Anthropic, Microsoft — and rest on a few core principles. (For a deeper look at how cloud and local architectures compare, see Cloud AI vs. Local AI: Exploring Data Privacy.)

What exactly gets collected

When you send a message to ChatGPT, Gemini, or any other cloud chatbot, the service stores far more than your prompt and its response. Every request also produces:

  • Account data — name, email address, payment information
  • Device data — IP address, browser type, operating system, device identifiers
  • Usage patterns — session length, frequency of use, features accessed
  • Uploaded files and generated images

The service links each of these elements to your account. Together, they build a detailed digital profile — not only of what you asked, but when, from where, on which device, and in what context.

How your message travels: from prompt to potential disclosure

Who has access to your conversations

Access to chats extends well beyond automated systems. According to the privacy policies of OpenAI, Google, and Anthropic, the following parties may view your conversations:

  • Company employees and contractors — for model improvement, safety review, and investigating policy violations
  • Automated filters — scanning messages in real time for prohibited content
  • Organization administrators — on enterprise plans, they can review the full chat histories of their employees
  • Law-enforcement agencies — through court orders, warrants, or subpoenas

All major AI companies state in their terms of use that they will disclose data in response to a lawful request. In August 2025, OpenAI added that if its systems detect threats of violence in chats, the company may proactively hand information to police without waiting for a request.

Who can access your AI conversations: more people and systems than you think

What happens after you click “Delete”

Deletion in the interface does not destroy the data immediately. Retention periods vary by provider:

Provider Retention after user deletion Flagged / reviewed content
OpenAI (ChatGPT) 30 days Retained during active review
Google (Gemini) 72 hours Up to 3 years
Anthropic (Claude) 30 days Up to 7 years

But 30 days is only the default regime. Once a company falls under a litigation hold, retention becomes indefinite. That is exactly what happened in NYT v. OpenAI: the court ordered the company to preserve all chat logs — including ones that users had already deleted.

What happens after you click delete: deletion is not destruction

Why terms of use are your only protection

The only thing standing between your data and third-party disclosure is the company’s privacy policy. That policy is an internal document the company drafts, revises at will, and cannot enforce against a court order. The terms of use explicitly allow disclosure to comply with legal obligations, protect the company’s interests, and ensure safety.

In a cloud AI service, the company controls the data — not you. That follows directly from an architecture that runs processing on someone else’s server.

Are AI Chats Legally Privileged? Court Precedents from 2025–2026

Professional Privilege exists? Basis Applies to AI?
Attorney Yes Attorney-client privilege (statute + case law) No
Doctor Yes Medical confidentiality (HIPAA, state law) No
Therapist Yes Psychotherapist-patient privilege (Jaffee v. Redmond) No
Clergy Yes Clergy-penitent privilege (statute) No
AI chatbot No No statute, no professional code, no licensing N/A

None of them applies to conversations with an AI chatbot. A chatbot is not a licensed professional, follows no professional code, and bears no responsibility for disclosing information. Yet in practice, users bring AI the same questions they used to bring to lawyers, doctors, and therapists.

Comparison point United States v. Heppner (2026) Warner v. Gilbarco (2026)
Court level Federal (S.D.N.Y.) State (Michigan)
Doctrine at issue Attorney-client privilege Work-product doctrine
AI treated as Third party (no privilege) Tool (privilege preserved)
Outcome Data disclosed Data protected
Precedent weight Higher (federal) Lower (state)

Why ChatGPT Has No Confidentiality Privilege

In July 2025, OpenAI CEO Sam Altman appeared on This Past Weekend, a podcast hosted by comedian Theo Von — a conversational show with an audience of millions, most of whom don’t work in technology. TechCrunch, Business Insider, TechRadar, and dozens of other outlets picked up his remarks.

According to Altman, people bring ChatGPT their most personal matters — treating it as a therapist and a life coach, asking what they should do. Young users especially. But no legal privilege attaches to those conversations. If a matter reaches litigation and someone makes a lawful request, a court can compel the company to hand over the contents. Altman’s own summary of the situation:

“Very screwed up.”

Legally, the statement broke no new ground — specialists already knew that AI carries no privilege. But public confirmation from the CEO of the largest AI company, in front of a mass audience, moved the issue from trade press into public debate.

Altman also argued for creating a new legal institution modeled on attorney-client privilege. In June 2025, he wrote on X:

“We think conversations with AI should be like conversations with a lawyer or doctor. Hopefully, society figures this out soon.”

At the time of publication, no jurisdiction had created such an institution, and no bill on the subject had advanced beyond discussion.

United States v. Heppner (federal, 2026)

While the discussion continued in podcasts and on Twitter, the courts were forming their own position.

In April 2026, the federal court for the Southern District of New York decided United States v. Heppner — the first federal ruling to directly address whether AI conversations carry legal privilege. The defendant had entered information he described as “confidential legal strategy” into a public AI platform — effectively using the chatbot to prepare for litigation. Investigators pulled the data during a search and introduced it as evidence.

The defense argued that attorney-client privilege protected the information. The court rejected that argument on three grounds:

  1. The AI platform is not a lawyer.
  2. The platform’s terms of use expressly allow disclosure of user data to government authorities.
  3. The defendant acted on his own, without legal counsel — so his interaction with the AI never formed part of an attorney-client relationship.

The reasoning is straightforward. What matters is the venue: a federal court issued the ruling, creating precedent. The court effectively held that using AI for legal tasks does not, by itself, create any privilege.

Warner v. Gilbarco: the counterexample (Michigan, 2026)

For completeness, one Michigan state court reached the opposite conclusion during the same period. In Warner v. Gilbarco, Inc., a self-represented (pro se) party used AI to prepare materials. The court held that the work-product doctrine protected the resulting work, reasoning that generative AI functioned as a tool rather than as a third party to whom the party had disclosed confidential information.

Two caveats limit that ruling:

  • It addressed the work-product doctrine specifically, not attorney-client privilege.
  • It came from a state court, whereas Heppner came from a federal court — giving Heppner greater weight as precedent.

Legal Status of AI Conversations in the United States

United States v. Heppner (2026)Warner v. Gilbarco (2026)Court levelFederal (S.D.N.Y.)State (Michigan)Doctrine at issueAttorney-client privilegeWork-product doctrineAI treated asThird party (no privilege)Tool (privilege preserved)OutcomeData disclosedData protectedPrecedent weightHigher (federal)Lower (state)

The legal landscape is fragmented, and no uniform standard yet exists. At the federal level, though, one trend is clear: entering data into a commercial AI platform creates no legal privilege. Until legislation says otherwise, courts will treat information you provide to a cloud chatbot the same way they treat email, text messages, or search history — subject to request and admission in litigation.

Can Deleted ChatGPT Chats Be Used in Court? NYT v. OpenAI

The New York Times Company v. Microsoft Corporation et al. became the landmark case for what happens to deleted user chats when a court preservation order is in force.

How a Court Ordered OpenAI to Preserve User Chat Logs

In December 2023, The New York Times filed suit against OpenAI and Microsoft in the federal court for the Southern District of New York. The core allegation: both companies had used millions of NYT articles to train their language models without permission or payment. The case became one of the largest copyright disputes involving generative AI, and other publishers — including the Chicago Tribune — joined it.

Once discovery began, the case started reaching into the data of ordinary ChatGPT users.

The plaintiffs wanted to prove that ChatGPT systematically reproduces copyrighted content in its responses. For that, they needed real examples — specific answers to specific prompts from real users, not just information about the training data.

The logic was straightforward: if a user asks ChatGPT about a topic covered by an NYT article, and the model reproduces portions of that article in its response, that may constitute copyright infringement. Therefore user chat logs were relevant evidence.

OpenAI objected. The company argued that the request was overbroad, swept in millions of non-party users, and conflicted with its privacy policy and deletion practices.

Timeline of the preservation order

Date Event
Jan 2025 Deletion of chat logs first raised at a court conference. OpenAI continues standard deletion procedures.
May 13, 2025 Magistrate Judge Ona Wang issues a preservation order requiring OpenAI to preserve and segregate output log data that would otherwise be deleted.
May 16, 2025 OpenAI files a motion for reconsideration. Court denies the motion.
May 27, 2025 Court clarifies that the order does not cover ChatGPT Enterprise or Zero Data Retention agreements.
Jun 2025 Sam Altman publicly challenges the order. OpenAI publishes a response and files an appeal.
Jul 2025 Appeal fails. Plaintiffs begin analyzing preserved logs.
Oct 9, 2025 Judge Wang lifts the preservation order. Existing preserved logs remain available.
Nov 2025 Federal Judge Sidney Stein approves transfer of 20 million de-identified user conversations.

Several ChatGPT users tried to intervene in the case to protect their data. The court denied those motions repeatedly, on the ground that the users were non-parties to the litigation.

The preservation order stayed in effect for five months. Data preserved during that window remained available to plaintiffs even after the order lifted.

What NYT v. OpenAI Means for AI Chat Privacy

The case set out several principles that extend well beyond this specific copyright dispute:

  1. AI user chats are electronically stored information subject to disclosure in litigation. The court expressly treated them like emails, messenger conversations, and server logs.
  2. The “Delete” button sends the service a request for deletion. If a court preservation order is in force at that moment, the service must ignore the user’s request and preserve the data. The user watches the conversation vanish from the interface — without knowing it still lives on the server.
  3. Users are non-parties and cannot influence preservation decisions. The court rejected every user attempt to intervene.
  4. The same order can reach any cloud AI service. OpenAI is not uniquely vulnerable — any company that stores conversations on its servers occupies the same legal position.

ChatGPT Chat History as Evidence: Warrants and Criminal Cases

Alongside civil litigation, U.S. law-enforcement agencies began using AI chatbot conversations as legal evidence in criminal cases through 2025. By early 2026, a consistent practice had emerged.

Pacific Palisades Arson Case: ChatGPT Conversations as Evidence

On January 1, 2025, a fire started in the Pacific Palisades neighborhood of Los Angeles and smoldered for six days. On January 7, strong winds drove it into one of the most destructive wildfires in the city’s history: 12 dead, nearly 7,000 structures destroyed, and estimated damage of $150 billion.

In October 2025, the FBI arrested Jonathan Rinderknecht, a 29-year-old former Uber driver with dual French and U.S. citizenship. Prosecutors charged him with intentional arson, carrying up to 45 years in prison.

The prosecution combined several sources of evidence — iPhone geolocation data, surveillance-camera footage, witness testimony, and analysis of how the fire developed. But it also introduced Rinderknecht’s ChatGPT history as a separate strand.

According to prosecutors, Rinderknecht used ChatGPT as a kind of diary. He generated images of a burning city. He asked the chatbot, “Why am I always angry?” He discussed wealth inequality and expressed the view that rich people were destroying the world. And while calling the police to report the fire, he simultaneously typed a question into ChatGPT:

“Are you guilty if a fire is caused by your cigarette?”

— with a spelling mistake in “lit.” ChatGPT answered yes.

The prosecution used the prompts to argue motive: revenge, anger, loneliness. The defense argued that the prosecution had pulled the conversations out of context. One juror noted during trial that he himself had had similar conversations with chatbots — casting doubt on the claim that such prompts alone demonstrated criminal intent.

At the end of June 2026, the jury deadlocked 10–2 in favor of acquittal, and the judge declared a mistrial. The court scheduled a retrial for October 2026.

The significance is not the outcome — which remains open — but the fact of admission. Federal prosecutors introduced a chatbot conversation history as evidence, and the court accepted it.

Reverse Prompt Warrant: How DHS Searched ChatGPT by Prompt Text

In October 2025, Forbes published an investigation into the first documented case of federal investigators obtaining a warrant specifically for ChatGPT user data — not for a known account, but for a reverse search based on prompts.

The background: Homeland Security Investigations had spent a year pursuing the administrator of a dark-web site containing child sexual abuse material. Agents operated undercover and communicated with the suspect through the site. During those exchanges, the suspect mentioned using ChatGPT and shared fragments of his prompts. The prompts themselves involved nothing criminal — one, for example, asked what would happen if Sherlock Holmes met Q from Star Trek.

But knowing the exact wording of the prompts was enough. Investigators obtained a court warrant requiring OpenAI to run a reverse search: identify the account that sent those exact prompts and turn over everything associated with it — full transcripts of all conversations, the user’s name, email address, IP addresses, and payment history.

The novel element was the direction of the search. The warrant required OpenAI not to disclose data from a known account, but to search prompt contents to identify an unknown user — analogous to the “reverse warrants” law-enforcement agencies previously used against Google for geolocation and search queries. For AI platforms, this was the first public precedent.

Jennifer Lynch, an attorney at the Electronic Frontier Foundation, framed the significance:

Although the warrant covered only two prompts from one user, it showed that law-enforcement agencies now view ChatGPT as another data source they can tap for evidence.

Other Cases Where AI Chat Logs Were Used as Evidence

The Rinderknecht case and the DHS warrant are not isolated. By the end of 2025, AI conversations had surfaced in several criminal cases:

Case AI platform What prosecutors used Charge
Rinderknecht (L.A., 2025) ChatGPT Diary-like prompts, fire-related questions Arson (mistrial)
DHS reverse warrant (2025) ChatGPT Prompt text to identify suspect CSAM distribution
Ja-Zion Robertson (Virginia, 2025) Snapchat My AI Question about shooting intruders First-degree murder (25 years)
Ryan Schaeffer (2025) ChatGPT Messages describing vandalism Vandalism

In the Robertson case, one piece of evidence was a conversation with My AI, Snapchat’s chatbot, in which he asked:

“What if I shoot them if they step onto my property with hostile intent?”

In the Schaeffer case, prosecutors linked the 19-year-old to a series of acts of vandalism through messages he sent to ChatGPT discussing his actions.

In each case, investigators used AI conversations to establish motive, intent, or the suspect’s awareness — the elements criminal law calls mens rea.

When OpenAI Reports User Data to Law Enforcement Without a Warrant

Beyond responding to warrants and subpoenas, OpenAI confirmed in August 2025 that the company proactively monitors user conversations for threats of violence. When automated filters flag content that suggests plans to physically harm other people, the conversation goes to a specialized moderation team. If moderators confirm a real threat, the company may hand information to law-enforcement agencies — without notifying the user and without waiting for a court request.

The company follows a different approach in self-harm cases: it does not notify police and instead offers support and crisis resources to the user. But the mere existence of a proactive monitoring system means a court order is not the only path to a ChatGPT conversation — the company may also disclose it on its own initiative.

For law enforcement, AI conversations function as electronic evidence on the same footing as search history, email, and messenger chats. A conversation with a chatbot can be more informative than a search query, though: instead of a few keywords, it is an extended dialogue in which the user articulates thoughts, asks follow-up questions, and discusses possible courses of action.

AI Chatbot Privacy Settings: What They Actually Protect

All major AI platforms offer privacy settings: disabling chat history, Temporary Chat, and opting out of training data use. Each measure has a specific effect — and specific limits.

Does Disabling Chat History in ChatGPT Delete Your Data?

When you disable history in ChatGPT or use Temporary Chat, the conversation no longer shows up in the sidebar, and the platform does not use it to train the model. The data itself does not vanish from the server. OpenAI keeps it for 30 days for safety monitoring and abuse detection. Google Gemini keeps it for 72 hours; Anthropic keeps it for 30 days. During that window, the data sits on the server, remains accessible to company employees, and a court warrant can pull it.

And if a court issues a preservation order within that window — as happened in NYT v. OpenAI — the 30-day rule stops applying. The data freezes indefinitely.

Does Opting Out of AI Training Protect Your Privacy?

Users on Free, Plus, and Pro plans can disable the “Improve the model for everyone” option in settings. That does exclude your conversations from the training data for future model versions. It does not change the core fact: the platform still sends the data to the server, processes it there, and stores it for the standard retention period.

Privacy setting Prevents training use? Removes data from server? Blocks court warrants?
Disable chat history Yes No (30-day retention) No
Temporary Chat Yes No (30-day retention) No
Opt out of training Yes No No
Enterprise ZDR Yes Yes (contractual) Partially (excluded from NYT order)

Opting out shapes what the company does with the data internally. It has no effect on what the company must do with the data in response to a court order.

ChatGPT Enterprise and Zero Data Retention: Who Qualifies

ChatGPT Enterprise and business plans offer a substantially stricter regime: no training on user data by default, administrator control over retention, and contractual confidentiality obligations from OpenAI. The preservation order in NYT v. OpenAI expressly excluded customers with Zero Data Retention (ZDR) agreements.

These protections are available to organizations with the budgets and legal resources to negotiate them. For an ordinary user working through a medical diagnosis, a termination, or an insurance dispute, the option is effectively out of reach.

Why Privacy Settings Cannot Block a Court Warrant

All of the measures above limit how the company uses your data internally. None of them changes the company’s obligation to comply with a court warrant. As long as the data sits on the company’s server, a court order can reach it — regardless of what you toggled in settings.

Local AI Models: How to Keep AI Conversations Private

The alternative to cloud processing is a local language model — an architecture that never sends your data to an external server.

How Local AI Processing Protects User Data

A local language model runs directly on your device. Your device’s processor handles the prompt. Your device generates the response. The data never leaves the machine at any stage — not when you send the prompt, not during processing, and not when the platform stores your conversation history.

When the data never reaches a company server, the mechanisms of court requests, preservation orders, and proactive monitoring have no target. The company physically has no data to disclose.

Cloud AI vs Local AI: where your data goes

Limitations of Local AI Models

A local model is not absolute protection. The limits matter:

  1. Physical access to your device defeats it. If law-enforcement agencies seize your device through a search or install specialized software on it, a local model will not protect your data. Your conversation history sits on the drive like any other file, and investigators can extract it.
  2. Local models are generally less capable than the largest cloud models. They run on the resources of a single device, not a server cluster with thousands of GPUs. For long-form generation, complex analysis, or processing large volumes of data, cloud models remain more powerful.
  3. A local model has no internet access during processing. It cannot search for current information, reach external databases, or call third-party APIs.

Cloud AI vs. Local AI: Data Privacy Comparison

Dimension Cloud AI (ChatGPT, Gemini, Claude) Local AI (e.g. Eclipse in Sigma)
Where processing happens Provider’s servers Your device
Where data is stored Provider’s servers Your device
Retention after deletion 30 days minimum; indefinite under litigation hold You control it
Reachable by court warrant to provider Yes No — provider has no data
Vulnerable to physical device seizure Somewhat (local caches) Yes — data sits on the device
Proactive monitoring by provider Yes (OpenAI publicly confirmed) No
Model capability ceiling High (large frontier models) Lower (device-bound)
Internet-dependent features Available Not available

With cloud AI, someone else stores your data and a court can compel that someone. With a local model, your data stays on your device, and law-enforcement agencies need a warrant to search that specific device — a procedure that is harder and more legally constrained than a request directed at a technology company.

How to Protect Your AI Chat Privacy

The court decisions and architectural realities above lead to a few practical rules.

Separate Sensitive and Non-Sensitive AI Tasks

Not every AI conversation carries the same risk. Asking a chatbot to phrase an email, explain a textbook concept, or brainstorm project ideas rarely produces material that would cause harm if exposed. Cloud AI remains a convenient and productive tool for those tasks. (For an overview of how a browser-native AI assistant fits into this workflow, see What Is Sigma AI Chat?)

When sensitive information enters the picture, the rule is simple: before you type it, ask whether you would be comfortable with a stranger reading that message. If the answer is no, the message should not leave your device.

Sensitive information includes:

  • Medical data — symptoms, diagnoses, test results, medication names
  • Legal matters — details of disputes, conflict circumstances, litigation strategy
  • Financial information — income, debts, investment decisions, tax positions
  • Workplace conflicts — complaints about management, dismissal discussions, internal company documents
  • Personal struggles — relationships, crisis situations, anything you wouldn’t share with a colleague

Minimize Your Data Footprint in Cloud AI Services

For non-sensitive tasks, cloud models remain useful. Even so, it makes sense to minimize the data you leave on the server.

  • Disable training data use. In ChatGPT: Settings → Data Controls → Improve the model for everyone. Similar toggles exist in Claude, Gemini, and other platforms. This does not protect against a court request, but it limits the company’s internal use of your data.
  • Use Temporary Chat when available. The conversation stays out of your history and out of training, though the server still retains it for 30 days.
  • Don’t upload documents with personal data — passport scans, medical certificates, bank statements, employment contracts. Every uploaded file becomes part of the data pool on the server.

Are AI Conversations Private? Key Takeaways

Court decisions from 2025 and 2026 built a working enforcement practice around conversations with AI chatbots:

  1. Courts classify AI chats as electronic evidence available through standard discovery — on the same footing as emails, search history, and messenger logs.
  2. No legal privilege applies. Attorney-client privilege, medical confidentiality, and other professional protections do not cover conversations with AI.
  3. The “Delete” button removes data from the interface — but not necessarily from the server.
  4. Privacy settings limit internal use only. They cannot block a court warrant.
  5. Local processing is the only architecture that physically prevents third-party access.

Cloud AI remains a productive tool for work that does not require confidentiality. For anything involving sensitive information, local models — where your device processes the data and nothing reaches a third party — are the right architecture.

Download Sigma Browser

Also available on Windows, iOS and Android. Linux version coming soon!

Questions & Answers

If you have any questions,
reach out to us on X at @Sigma_Browser
Are AI conversations really private?
Can AI providers keep chats after I delete them?
Can law enforcement or courts access AI conversations?
Which AI services offer the best privacy?
Can I make ChatGPT more private?
Is local AI safer than cloud AI?
×

Get Sigma on Android

We’ll let you know when Sigma for Android launches.
You’re on the list!
Please enter a valid email address.
Oops! Something went wrong while submitting the form.
Oops! Something went wrong while submitting the form.