They have the same name. They are not the same product.

ChatGPT Free and ChatGPT Enterprise are both made by OpenAI. They use similar underlying technology. They look almost identical. But from a privacy and compliance perspective, they are fundamentally different products — and using the wrong one with client data is one of the most common AI governance failures we see in Australian SMEs.

Understanding this distinction is the single most important thing you can do to reduce your AI-related privacy risk right now.

What public AI tools do with your data

Public or consumer-tier AI tools — free accounts, standard subscriptions without enterprise terms — typically operate under terms that permit the vendor to use your inputs to improve their models. This means:

  • The content you enter into a prompt may be reviewed by the vendor's team
  • Your inputs may be used to train future versions of the model
  • Data may be retained for extended periods after your session ends
  • There is no data processing agreement governing how your information is handled

None of this is hidden — it's in the terms of service that almost no one reads. But the practical consequence is significant: any personal information entered into a public AI tool may be disclosed to the vendor in ways that your clients haven't consented to and that may breach the Australian Privacy Principles.

What enterprise AI tools do differently

Enterprise versions of the same tools — Microsoft Copilot for Microsoft 365, ChatGPT Enterprise, Google Workspace AI features, Claude for Enterprise — are designed for business use and typically include:

  • No training on your data. Your inputs are not used to improve the model.
  • Data isolation. Your data is kept separate from other customers' data.
  • Data processing agreements. The vendor commits contractually to handling your data in accordance with applicable privacy laws.
  • Data residency options. In many cases, you can specify that your data is stored in Australian or regional data centres.
  • Encryption and access controls. Your data is encrypted, and access by the vendor's staff is restricted.

These aren't just nice-to-haves. Under APP 8, a data processing agreement is a key part of demonstrating that you've taken reasonable steps to protect personal information shared with an overseas vendor.

The rule of thumb: If you don't have a data processing agreement with your AI vendor, assume the free-tier terms apply — even if you're paying for the tool. A paid subscription is not the same as an enterprise agreement.

How to tell which you have

Check your subscription terms. The key things to look for:

  • Is there a section titled "Data Processing Agreement," "Business Associate Agreement," or "Enterprise Terms"?
  • Does it explicitly state that your data will not be used for model training?
  • Does it specify where your data is stored?

If none of those terms appear in your agreement, you're likely on standard consumer terms — regardless of how much you're paying.

What to do right now

  1. List every AI tool your team uses for work
  2. For each tool, check the terms: are you on consumer or enterprise terms?
  3. For any tool used with personal information that's on consumer terms, either upgrade to an enterprise plan with a DPA, stop using it for that purpose, or get explicit consent from affected individuals
  4. Document your decisions in your AI Register

This exercise usually takes less than an hour and creates clarity that most businesses don't currently have about their AI risk exposure.

Get your AI governance pack

A complete, tailored set of AI governance documents for your Australian business — ready in minutes.

Get started →