You just pasted your client's NDA into an AI tool to "make sure you're not signing something stupid." Then you scrolled down to their Terms of Service and saw the line: "We may use your content to improve our services." Now your stomach is in knots, because you also remember signing a confidentiality clause with that client last month.
If you've ever asked yourself "does AI training data include my contract" right after hitting upload — you're asking the right question, way too late. Here's how to figure out the answer in 60 seconds and what to do if you don't like it.
The 4-word phrase that tells you everything
The phrase to look for in any AI tool's Terms of Service is "improve our services." That phrase is the polite, lawyer-approved way of saying "your stuff might become training data."
Here's the translation table nobody hands you:
"Improve our services" usually means training. "For quality assurance" usually means a human at the company can read your documents. "Aggregated and anonymized" sounds safe but often still means your specific contract clauses end up in a dataset where they can be re-identified.
And the line everyone misreads is "we don't sell your data." That's a misdirection. Training is not selling. A company can promise to never sell your contract while still feeding it to a model that gets sold as a product.
The single sentence to Ctrl-F for in any AI tool's terms is the word "training" — and if that word doesn't appear, search "improve" or "derivative works." Absence of the word isn't safety. Vague language usually hides a broader grant than the specific language would.
The three ways your contract can become training data
There are basically three buckets, ranked from worst to best for you.
Worst: explicit opt-in to training. This is the default for most free AI tools — ChatGPT free tier, Claude free tier on some products, and almost every "free forever" AI startup. You don't have to sign anything. Uploading IS the consent. Middle: opt-out available, but buried. Some paid SaaS and most enterprise AI tools let you turn training off. The toggle is usually three menus deep, named something like "data controls" or "improve the model." If you don't go find it, you're opted in. Best: never trained, never stored server-side, browser-only processing. Your file is parsed and analyzed on your own device. Nothing gets uploaded. There's no server copy to train on, retain, or accidentally leak. This is rare and the only fully private option.One callout: even tools that say "we don't train on your data" usually have a carve-out for legal hold, subpoena response, or internal safety review. Read those exceptions. They're where confidential client data leaks in real life.
The 60-second contract-you're-about-to-upload audit
Before you paste another contract into anything, run this five-step check:
Step 1: Is there a login? If yes, your data is tied to an identity on their server. That's automatic risk — even if they don't train on it, your file exists somewhere with your name on it. Step 2: Search the ToS for "training." If absent, search "improve." If absent, search "derivative." If all three are absent, that's not safety — it usually means the broader licensing grant elsewhere covers it. Step 3: Check for a Data Processing Agreement (DPA). Real privacy-first tools publish one. Many consumer AI tools don't have a DPA at all. That absence is the tell. Step 4: Look for the exact phrase "processed in your browser" vs "uploaded to our servers." The phrasing is usually word-for-word in the privacy policy. If it says "uploaded," your contract leaves your device. Step 5: Apply the confidentiality multiplier. If the contract you're about to upload contains client names, pricing, NDAs, or trade secrets, every "yes" or "unclear" answer above multiplies into a real risk to YOUR client relationship — not just your privacy.What to do if you already uploaded something you shouldn't have
First, don't panic. You have legal rights here that most people don't know exist.
Under GDPR Article 17 (the "right to erasure") and CCPA §1798.105 (California's equivalent), you can demand any AI vendor delete the document you uploaded. Most US states now have similar laws. The script is short:
"Per Article 17 GDPR / CCPA §1798.105, I am exercising my right to erasure. Please delete all copies of the document(s) I uploaded on [date], confirm deletion in writing within 30 days, and confirm the document was not used in any training run."
Send that to their support email or DPO (Data Protection Officer) address. Save the response.
Important caveat: at most AI vendors, "deletion" means "your file is removed from active storage and flagged in the database." It does NOT mean the model weights forget what they learned from your file. If your contract contained trade secrets or NDA-protected content, that distinction is everything. The data may already be baked into the model.
Should you tell the counterparty? If their contract has a confidentiality clause and you uploaded it without permission — probably yes. The soft version: "Hey, I ran our agreement through a contract-review tool to double-check the terms. Wanted to flag it in case you have a preferred process." Most clients won't care. The ones who do, you needed to know about anyway.
The single most important rule going forward: never upload a contract that contains someone else's confidential data to any tool that requires a login.
How NovaDocs catches this automatically
NovaDocs analyzes contracts entirely in your browser. There's no login, no account, no server upload. Your file never leaves your device. The tool detects 30+ clause categories — payment terms, IP ownership, termination, auto-renewal, and the confidentiality clauses that made you panic in the first place — without ever sending your document anywhere.
Unlike template generators or Q&A bots that summarize what you paste, NovaDocs actually reads and scores YOUR specific contract — clause by clause — locally. The analysis is yours. The file stays yours.
The Bottom Line
You now know more than 90% of people who upload contracts to AI tools — most of them never read the ToS, never check for "training," and never realize the difference between server-side processing and browser-only processing.
The next time someone asks if AI training data includes their contract, you can answer in one sentence: it depends on whether the tool requires a login and whether the word "training" appears in their terms. If both answers are yes, the answer is probably yes too. If you want zero risk, use a browser-only tool that never sees your file in the first place.
NovaDocs is a free AI contract intelligence platform. Upload any contract and get instant analysis at novadocs.online. Browser-only. No login. No server storage. Your contract never leaves your device.