Can a SaaS vendor train AI models on my data by default?
Short answer: Increasingly, no — but only if the contract says so. Modern enterprise norms require training to be opt-in, with customer data isolated to the customer's tenant. Many consumer-grade and prosumer SaaS terms still allow training by default.
The market has split. Enterprise contracts at the major AI providers (OpenAI, Anthropic, Google, Microsoft) default to no training on customer data — but the consumer and prosumer tiers of the same products often default the other way. Smaller SaaS vendors are highly variable; some opt out by default, others quietly reserve broad training rights in standard terms.
What to look for: (1) an explicit statement that customer data, prompts, and outputs will not be used to train, fine-tune, or improve any model; (2) a tenant-isolation commitment so customer data does not bleed across customers; (3) deletion rights and retention limits; (4) a sub-processor list. If any of those is missing, the contract is worth renegotiating.
Updated May 26, 2026. General information only — not legal advice for your specific situation.