Personal Privacy Hygiene Checklist
This checklist is for individuals who use AI tools at work or personally. Complete it when you start using a new AI tool, and revisit it quarterly. No special technical knowledge is required. If any item prompts a question about your employer's policies, refer to your company's AI Acceptable Use Policy or ask your IT team.
Before You Start Using a New AI Tool
- [ ] I have read the tool's privacy policy and understand what data it stores, for how long, and whether it uses my inputs to train its models.
- [ ] I know whether the tool has a "private mode," "temporary chat," or "Zero Data Retention" option, and I know how to turn it on.
- [ ] I understand the tool's data sharing practices — specifically whether my inputs are reviewed by humans for quality control, safety, or training purposes.
- [ ] If I am using this tool for work, I have confirmed it is on my employer's approved list (or received written approval from the appropriate person).
- [ ] I have created the account with appropriate credentials: work email for work tools, personal email for personal tools. I have not used my work email to sign up for a personal AI tool that may be outside my employer's control.
What to Redact Before Pasting Content
Before you paste any content into an AI tool, run through this list. If the content contains any of the following, remove or replace it with a generic placeholder before submitting.
Personal identifiers
- [ ] Full names (use "Person A" or a role description instead)
- [ ] Email addresses
- [ ] Phone numbers
- [ ] Physical addresses
- [ ] National ID numbers, passport numbers, or similar government-issued identifiers
- [ ] Dates of birth
- [ ] Photos or documents that contain any of the above
- [ ] Credit card or bank account numbers
- [ ] Account balances or transaction details that identify an individual
- [ ] Social Security numbers (US) or equivalent
- [ ] Medical diagnoses, prescriptions, or treatment records
- [ ] Mental health information
- [ ] Insurance policy numbers or member IDs
- [ ] Customer names, contracts, or account data
- [ ] Source code marked as confidential or proprietary
- [ ] Internal financial projections or M&A-related information
- [ ] Attorney-client privileged communications
- [ ] Login credentials, API keys, or passwords
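The pattern-detectable items in the list above can be replaced automatically before pasting. The following is an added example, not part of the original checklist; the regular expressions, the sample text, and every placeholder name other than `[API_KEY]` are constructed for illustration.

```python
import re

# Patterns and placeholder names below are constructed for this example.
SECRET = re.compile(r"(?i)\b(api[_-]?key|token|password|secret)(\s*[:=]\s*)\S+")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US format only
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, confirmed with Luhn
PHONE = re.compile(r"(?<!\w)\+?\d[\d ().-]{7,}\d(?!\w)")

def luhn_ok(digits):
    """Payment card checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _card(m):
    return "[CARD_NUMBER]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group()

def _phone(m):
    # Require 10-15 digits so dates such as 2024-01-15 are not mislabelled.
    return "[PHONE]" if 10 <= len(re.sub(r"\D", "", m.group())) <= 15 else m.group()

# Order matters: SSNs and cards are replaced before the looser phone pattern runs.
RULES = [
    ("credential", SECRET, lambda m: m.group(1) + m.group(2) + "[API_KEY]"),
    ("email", EMAIL, lambda m: "[EMAIL]"),
    ("ssn", SSN, lambda m: "[SSN]"),
    ("card", CARD, _card),
    ("phone", PHONE, _phone),
]

def redact(text):
    """Return (redacted_text, counts) so the user can see what was replaced."""
    counts = {}
    for label, pattern, repl in RULES:
        def wrap(m, label=label, repl=repl):
            out = repl(m)
            if out != m.group():
                counts[label] = counts.get(label, 0) + 1
            return out
        text = pattern.sub(wrap, text)
    return text, counts

# Constructed sample input; none of these values belong to a real person.
SAMPLE = """Customer jane.doe@example.com (SSN 123-45-6789) paid with card
4111 1111 1111 1111 on 2024-01-15. Call +1 (555) 010-0199.
Order 1234567812345678 failed; config had api_key=abc123DEF456ghi789
"""
if __name__ == "__main__":
    print(*redact(SAMPLE), sep="\n")
```

Names, physical addresses, dates of birth, diagnoses and confidential business content have no reliable pattern and are left untouched, so the redacted text still needs a manual read against the checklist before it is pasted.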
Using Private or Temporary Mode
- [ ] I know the difference between standard and private/temporary mode in the tools I use regularly.
- [ ] I use private or temporary mode by default when working with any content that is not clearly public.
- [ ] I verify that private mode is active before submitting sensitive content (do not rely on memory).
- [ ] I understand that private mode limits data retention on the vendor's side but does not prevent the tool's responses from being logged at the network level by my employer's security tools.
Managing Your Account and History
- [ ] I regularly review and delete my conversation history for tools that store it. A reasonable cadence is once per month.
- [ ] I have turned off conversation history entirely for AI tools I use for sensitive personal tasks, where the tool supports this.
- [ ] I do not share my AI tool account or API key with others.
- [ ] I use a strong, unique password for each AI tool account and have enabled two-factor authentication where the option exists.
- [ ] I know how to submit a data deletion request to each AI vendor I use, if needed.
Verifying Training-Data Policies
AI vendors vary significantly in whether and how they use your inputs to train or improve their models. The following questions are worth answering for each tool you use regularly:
- Does this vendor use my inputs to train models? Look for this in the privacy policy under terms like "training," "model improvement," or "feedback."
- Is this opt-in or opt-out? Some vendors require you to actively turn off training use; others require your consent before they collect data for training.
- Does training use apply to paid plans? Many vendors offer stronger protections on paid plans. If you are using a free tier, the data practices may be less protective.
- Can I request deletion of data already collected? Under GDPR and CCPA, you may have the right to request deletion. Look for a "data subject request" form in the vendor's privacy policy.
Red Flags: When to Stop and Ask
If any of the following occur, stop using the tool for that session and consult your IT team or the vendor's support:
- The tool asks for credentials to another system (email login, API keys, etc.) without a clear, documented reason.
- The tool claims to have accessed information you did not provide.
- The output contains information about you or your organisation that you did not supply in the session.
- You receive a notification that your account was accessed from an unfamiliar location.
- The vendor's privacy policy or terms of service have changed significantly since you last reviewed them.
Quick Reference: Data to Never Paste Without Redaction
| Category | Examples | Action |
|----------|----------|--------|
| Credentials | Passwords, API keys, tokens | Never paste. Use a placeholder: [API_KEY]. |
| Payment card data | Card numbers, CVV, expiry | Never paste. |
| Government IDs | SSN, passport, driver's licence | Never paste. |
| Health records | Diagnoses, prescriptions, claims | Remove or anonymise. |
| Customer PII | Names, emails, account numbers | Replace with roles or placeholders. |
| Legal privileged content | Attorney communications, litigation strategy | Ask legal counsel before using AI for this. |
Checklist version: [Date]. Next scheduled review: [Date].