AI Research

AI and Your Data: What Australian SMEs Must Know Before Feeding Client Info Into a Chatbot

ProjxAI Research·6 July 2026
Close-up of a laptop with a padlock security icon — protecting business data when using AI tools

Every week, another Australian business owner pastes a client contract, a spreadsheet full of customer emails, or a supplier's confidential pricing into a free chatbot to "just get a quick summary." It feels harmless. It usually isn't. The moment your business data leaves your own systems and lands in an AI tool, you have made a decision about privacy, security and compliance — whether you meant to or not. And in Australia, the rules around that decision are getting tighter, not looser.

According to the Australian Bureau of Statistics, around 12 per cent of Australian businesses used AI in 2024–25, with uptake among small and micro businesses sitting at roughly 11 per cent. Adoption is climbing fast. What isn't climbing at the same pace is the number of owners who have stopped to ask a basic question: where does my data actually go when I use this thing? This article answers that — and gives you the practical steps to stay on the right side of it before something goes wrong.

Your data doesn't disappear when you close the tab

When you type into a free, consumer-grade AI tool, that text is sent to servers — often overseas — where it may be stored, logged, and in some cases used to help train future versions of the model. The free tiers of most chatbots are the ones to watch: many reserve the right to use your inputs for training unless you dig into the settings and turn it off. Paid business tiers usually work differently, but you can't assume that. You have to check.

And training isn't the only risk. Every tool you hand data to is another door into your business — and doors get broken into. The Office of the Australian Information Commissioner recorded 1,113 notifiable data breaches in 2024, a 25 per cent jump on the previous year and the highest annual total since the scheme began in 2018. Malicious or criminal attacks were behind 59 per cent of breaches in the first half of 2025. Every extra service holding your customer data widens the target.

What Australian privacy law actually expects of you

The Privacy Act and the Australian Privacy Principles govern how personal information is collected, used and disclosed. Many very small businesses — those under the $3 million turnover threshold — are currently exempt, and owners often lean on that. That's a shaky place to stand. The exemption has been under active review, reforms are progressively tightening the regime, and it doesn't apply at all if you handle health information or trade in personal data. Size is not a reliable shield.

Two principles matter most here. One covers how you're allowed to use and disclose personal information; the other covers sending it overseas. Pasting a list of customer names and emails into a chatbot hosted on servers in another country can count as a cross-border disclosure of personal information — a real obligation, not a technicality. None of this is legal advice, but it's the kind of exposure worth understanding before it becomes a problem rather than after.

The one rule to apply today: strip the identifiers first

Here's something you can put in place this afternoon. Before any business data goes into an AI tool, remove the details that identify a real person. Replace names with "Client A" or "the customer." Delete email addresses, phone numbers, physical addresses and account numbers. Keep the substance — the contract terms, the complaint, the numbers — and drop the personal identifiers.

The AI doesn't need to know it's Jane Smith at 12 Example Street to draft a reply to her complaint or summarise her contract. It just needs the situation. Pseudonymising before you paste gives you most of the benefit of the tool with a fraction of the risk, and it's a habit any team can learn in a day.

Choose tools built to hold your data properly

Not all AI tools treat your data the same way. Paid business and enterprise tiers — the likes of ChatGPT Team and Enterprise, Claude for Work, and Microsoft Copilot with commercial data protection — typically commit in writing not to train on your content, and some let you control where data is stored. That contractual difference is worth paying for once real business information is involved.

Before you trust any tool with sensitive data, ask three plain questions: Is my data used to train the model? Where is it stored? Can I have it deleted? If the answers aren't easy to find, that's your answer. Read the terms once, properly, so you're making an informed choice rather than a hopeful one.

Governance beats good intentions

The biggest risk in most small businesses isn't a single bad tool — it's the free-for-all. Different staff using different chatbots, on personal logins, with no agreement about what's allowed in. Good intentions don't prevent leaks; a clear rule does. A single-page AI usage policy — what data can go in, what must never go in, and which tools are approved — removes the guesswork and protects everyone.

You don't have to ban AI to use it safely. You need a deliberate approach: the right tools, a simple rule for handling data, and a policy your team actually follows. That's exactly the groundwork we lay in ProjxAI's AI strategy work — helping Australian SMEs adopt AI in a way that's governed, not guessed, so you capture the upside without quietly handing your business away. Start there, and every tool you add after sits on solid ground.