Anthropic was founded in 2021 by former OpenAI researchers who left, in part, over disagreements about safety practices. The company has raised over $7.6 billion in funding, valued itself at $18 billion as of late 2023 (with subsequent valuations reportedly exceeding $60 billion by early 2025), and positioned itself as the “safety-first” alternative in the foundation model race. But safety and privacy are not synonyms, and the conflation of the two is one of the most consequential misunderstandings in the AI industry.

This is an honest assessment of how Anthropic handles your data – what they do well, where the gaps are, and what the structural tension between safety research and user privacy actually looks like in practice.

Anthropic’s Privacy Philosophy: Safety First, Privacy Second

Anthropic’s public positioning centers on AI safety – specifically, on reducing catastrophic and existential risks from advanced AI systems. Their flagship technical contribution, Constitutional AI (CAI), is a training methodology where the model is guided by a set of explicit principles rather than purely by human feedback.

This safety-first orientation has direct implications for privacy. Anthropic’s approach to data handling is shaped by a core belief: in order to make AI systems safe, you need to understand how they are being used. This creates an inherent tension. The more data you retain for safety analysis, the less privacy you can offer. The more privacy you guarantee, the less visibility you have into potential misuse.

Anthropic has, to its credit, been more transparent about this tension than most of its competitors. But transparency about a tradeoff is not the same as resolving it.

The Consumer/API Split

Like OpenAI, Anthropic operates two distinct data regimes:

Claude.ai (Consumer Product)

Claude.ai, Anthropic’s consumer-facing chat interface, launched in 2023 and follows a data model similar in structure (though not identical in specifics) to ChatGPT:

  • Conversation storage: By default, conversations are stored on Anthropic’s servers, associated with user accounts (email-based authentication).
  • Training data use: Anthropic’s usage policy states that conversations from the free tier of claude.ai may be used for model improvement, including training. Pro subscribers ($20/month as of early 2025) receive a contractual exclusion from training data use – a meaningful distinction, though one that still requires trust in enforcement.
  • Retention periods: Anthropic retains conversation data for up to 90 days for trust and safety purposes, even for users who have opted out of training. This is notably longer than OpenAI’s 30-day abuse monitoring window.
  • Human review: Conversations flagged by automated safety classifiers may be reviewed by Anthropic’s trust and safety team. This review process is manual – human eyes on your conversation text.

The API

Anthropic’s API data practices are materially different:

  • No training by default: API inputs and outputs are not used for model training. This has been Anthropic’s policy since the API’s public launch.
  • Retention: API logs are retained for 30 days for abuse monitoring and debugging, then deleted. This is consistent with industry standard practice.
  • Abuse monitoring: Automated classifiers scan API traffic for policy violations. Flagged content may be reviewed by humans.
  • No fine-tuning pipeline (historically): Unlike OpenAI, Anthropic was slower to offer fine-tuning services, which reduced one vector of persistent data storage. As fine-tuning capabilities expand, this dynamic changes.

The 30-day API retention window is standard but not zero. For applications handling sensitive data – medical transcription, legal analysis, financial modeling – 30 days of plaintext prompt storage on a third-party server represents meaningful exposure. This is the gap that zero-persistence architecture is designed to eliminate.

Constitutional AI and the Privacy Implications

Anthropic’s Constitutional AI methodology deserves specific analysis because it intersects with privacy in ways that are not immediately obvious.

Traditional RLHF (Reinforcement Learning from Human Feedback) requires large volumes of human-annotated conversation data. Annotators read real or synthetic conversations, rate responses, and generate preference pairs. This process inherently involves human access to potentially sensitive text.

CAI partially mitigates this by replacing some human annotation with model self-critique guided by constitutional principles. The model evaluates its own outputs against a set of rules (the “constitution”) and generates training signal without requiring a human to read the conversation.

The privacy benefit is real but partial:

  • CAI reduces but does not eliminate the need for human-reviewed data in the training pipeline.
  • The constitutional principles themselves are trained into the model using data that was, at some point, human-reviewed.
  • Safety evaluations (“red teaming”) still require extensive human interaction with the model, often involving sensitive or adversarial prompts.
  • Anthropic’s research papers indicate that human feedback remains a component of their training process alongside CAI, not a full replacement.

The net effect: Anthropic likely requires less human review of individual user conversations than a pure RLHF approach, but the claim that CAI eliminates human access to user data would be inaccurate.

What Anthropic Collects: The Full Inventory

Based on Anthropic’s privacy policy (substantively updated in mid-2024) and terms of service, here is what the company collects:

From Claude.ai Users

  1. Account information: Email address, name (if provided), payment information for Pro subscribers.
  2. Conversation content: Full text of prompts and responses, stored server-side.
  3. Usage data: Features used, session duration, model version selected, conversation frequency.
  4. Device and connection data: IP address, browser type, operating system, device identifiers, referring URL.
  5. Feedback data: Thumbs up/down ratings, explicit feedback text, reported issues.

From API Customers

  1. Account and billing information: Organization name, billing contact, payment method, API key metadata.
  2. API request logs: Prompt and completion text retained for 30 days (abuse monitoring).
  3. Request metadata: Timestamps, token counts, model version, endpoint used, HTTP headers.
  4. Rate limiting data: Request frequency, throttling events, quota usage.

From Everyone (Regardless of Opt-Out)

  1. Aggregate analytics: De-identified usage patterns, error rates, feature adoption metrics.
  2. Safety classifier outputs: Whether a conversation triggered automated safety flags, and the nature of the flag.
  3. Infrastructure logs: Server-side logs related to request processing, latency, and errors.

The metadata collection is the story beneath the story. Even if Anthropic never trains on your conversation text, they maintain a detailed profile of when you used Claude, from where, on what device, how often, and whether your conversations triggered any safety flags. This metadata profile persists regardless of content-level opt-outs.

The Trust and Safety Tension

This is the most nuanced aspect of Anthropic’s data practices, and it deserves direct engagement rather than simplification.

Anthropic’s stated mission is to build AI that is safe and beneficial. Achieving this requires understanding how their models are used in practice – including identifying misuse, jailbreaks, and attempts to generate harmful content. This monitoring function is genuinely important. AI systems can be weaponized, and the companies deploying them have a legitimate responsibility to prevent the worst outcomes.

But monitoring requires data retention. And data retention is the enemy of privacy.

Anthropic’s 90-day retention window for claude.ai conversations (compared to OpenAI’s 30 days for opted-out users) reflects this tension directly. Anthropic retains data longer because they believe the safety benefit of extended analysis outweighs the privacy cost. This is a defensible position, but it is a position – not a neutral fact.

The question for users is whether they accept this tradeoff. For a researcher studying AI safety, the answer might be yes. For a lawyer discussing client matters, a journalist protecting a source, or a therapist exploring clinical scenarios, the answer might be very different.

The deeper structural issue: Anthropic’s safety monitoring is fundamentally incompatible with zero-knowledge architecture. If the infrastructure operator cannot see the data, they cannot monitor for misuse. This is not a criticism of Anthropic’s approach – it is a description of a real architectural constraint. The two goals (safety monitoring and zero-knowledge privacy) cannot coexist in the same system without one yielding to the other.

Stealth Cloud resolves this by shifting the trust boundary. Instead of trusting the AI provider to handle data responsibly, the architecture ensures that sensitive data never reaches the provider in identifiable form. PII stripping happens client-side. Encryption happens client-side. The provider receives a sanitized, encrypted payload and returns a response. Safety monitoring can still operate on the sanitized content – but the identifying information that makes privacy violations harmful is never in the provider’s possession.

Anthropic vs. OpenAI: A Direct Comparison

DimensionAnthropicOpenAI
Default consumer trainingFree tier: yes / Pro: noYes (all consumer tiers)
API training defaultNoNo (since March 2023)
Consumer retention (opted out)90 days30 days
API retention30 days30 days
Enterprise tierYes (custom terms)Yes (SOC 2 compliant)
Human review of flagged contentYesYes
Safety methodologyConstitutional AI + RLHFRLHF + rule-based
Metadata collectionComprehensiveComprehensive
Transparency about tradeoffsHigherModerate
GDPR deletion complianceYes (stated)Yes (stated)

The picture that emerges is not one of a clear privacy leader. Anthropic’s shorter training window for Pro users is a meaningful advantage. Its longer retention window for safety monitoring is a meaningful disadvantage. Its greater transparency about the safety/privacy tension is commendable but does not change the underlying data flows.

Enterprise and Business Tier

Anthropic’s enterprise offering provides enhanced protections:

  • Contractual training exclusion: Business and Enterprise conversations are excluded from training, backed by contractual terms rather than toggles.
  • Custom retention: Enterprise customers can negotiate retention windows shorter than the default 30 days for API data.
  • SSO integration: SAML-based single sign-on for organizational access control.
  • Audit logging: Administrative visibility into usage patterns within the organization.
  • Data processing agreements: Custom DPAs for organizations subject to specific regulatory requirements (HIPAA, SOC 2, etc.).

The pricing for enterprise tiers is negotiated individually, but public reporting suggests entry points in the range of $30-40 per user per month for the business tier, with enterprise pricing scaling based on volume and customization requirements.

As with OpenAI, the pattern holds: more money buys more privacy. The free tier is the most exposed. The enterprise tier is the most protected. The architecture of the system is the same at every tier – the difference is contractual, not structural.

Regulatory Positioning

Anthropic’s regulatory exposure differs from OpenAI’s in several respects:

  • No Italian ban: Unlike OpenAI, Anthropic did not face a national-level ban in any EU member state, partly because Claude launched later and with marginally more transparent data disclosures.
  • GDPR compliance: Anthropic maintains a GDPR-compliant data processing framework, with a UK representative and EU-standard contractual clauses.
  • US regulatory landscape: Anthropic has been more proactive in engaging with US regulators, including voluntary commitments to the White House AI framework in 2023 and participation in congressional testimony on AI safety.
  • The safety halo: Anthropic’s positioning as a safety-focused company provides a degree of regulatory goodwill that its competitors do not enjoy. Whether this goodwill translates into substantively different regulatory treatment remains to be seen.

Anthropic’s $7.6 billion in funding creates its own pressure. Investors – including Google, which invested $2 billion in 2023 – expect returns. The long-term question is whether Anthropic’s safety-first positioning can survive the commercial pressure to monetize user data more aggressively as the company scales. So far, the answer has been yes. But “so far” is not “forever,” and policy-based protections can change with a board vote.

What Anthropic Does Well

Credit where it is earned:

  1. Training exclusion for paid users: Excluding Pro subscribers from training by default (not just by opt-out) is a meaningful improvement over OpenAI’s consumer model.
  2. Constitutional AI reduces human data exposure: While not eliminating human review, CAI structurally reduces the volume of conversations that require human annotation.
  3. Transparency about limitations: Anthropic has been more forthcoming than competitors about the tensions between safety monitoring and privacy.
  4. API-first privacy posture: The API’s default exclusion from training, combined with reasonable retention periods, makes it suitable for many privacy-sensitive applications (with appropriate architecture around it).

What Remains Problematic

  1. 90-day retention for safety monitoring: This is three times OpenAI’s window and represents meaningful exposure for sensitive conversations.
  2. Metadata survives all opt-outs: IP addresses, device fingerprints, usage patterns, and safety classifier outputs are retained regardless of content-level choices.
  3. Human review pipeline: Flagged conversations are read by humans. The criteria for flagging are determined by automated classifiers whose behavior is not fully documented.
  4. No zero-knowledge option: There is no tier, at any price, where Anthropic architecturally cannot access your data. Every protection is policy-based, not cryptographic.

This last point is the crux. Anthropic is arguably the most thoughtful major AI company on privacy questions. But thoughtfulness within a centralized architecture is categorically different from privacy by architecture. A self-hosted AI system or a zero-knowledge relay like Stealth Cloud eliminates the trust requirement entirely. Anthropic asks you to trust them – and gives you reasonable grounds for doing so. But the ask itself is the vulnerability.

The Stealth Cloud Perspective

Anthropic represents the best of what centralized AI privacy can achieve: thoughtful policies, genuine safety commitment, and meaningful opt-out mechanisms. But the 90-day retention window, the comprehensive metadata collection, and the absence of any cryptographic guarantee mean that trust – not mathematics – remains the foundation. Stealth Cloud uses Anthropic’s excellent models through an architecture where PII stripping and client-side encryption make the trust question irrelevant, because the data that reaches the provider has already been rendered harmless.