5 Questions I’d Ask Before Buying Any AI Tool

Perhaps you are already accustomed to using the convenience of AI tools to efficiently tackle everyday challenges.
However, if you operate as an entrepreneur within the European Economic Area (EEA), you should pay special attention to five key questions when purchasing AI tools, which we have compiled for you in the following video.


Here you will find a summary of the five most important questions:

1. What data is transmitted to the tool?

As an entrepreneur, you are considered the data controller under the GDPR (General Data Protection Regulation) and must have a lawful basis for processing customer-related data. This means you have to be very careful when transmitting data to the tool to avoid leaking your customers’ personal data—even if it happens unintentionally.

Here are some scenarios in which you might unintentionally leak your customers’ personal data:

1. Uploading a File for Analysis

You upload a spreadsheet to an AI tool for help with formatting or data analysis—but forget that it contains names, email addresses, phone numbers, or purchase histories of your customers.

Risk: Personal data is exposed without consent or proper legal basis.

2. Using AI Tools for Email Drafting

You paste the full content of a customer support email into a tool to improve wording or translate it—without removing sensitive information such as the customer's name, order number, or address.

Risk: Identifiable customer data is shared with a third-party tool.

3. Sharing Screenshots or Recordings

You send a screenshot of a software interface or a chat history to a tool for feedback or bug diagnosis—or upload a recording of your meeting with the customer for a meeting summary—but the image or audio contains visible or audible personal information like customer names, messages, email addresses, or account details.

Risk: Sensitive data is unintentionally disclosed.

4. Generating Business Reports with AI

You ask an AI tool to summarize your sales report, which includes individual customer transaction details or billing information.

Risk: Even if names are removed, transaction patterns may still allow individual customers to be re-identified.

5. Training Chatbots with Real Conversations

You train a chatbot using real chat transcripts between your customer support and clients, but forget to anonymize personal details.

Risk: GDPR violation due to lack of proper data anonymization and consent.
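As an added illustration of the mitigation for scenarios 2 and 3 above (this script is not part of the original article), the following Python filter redacts typical customer identifiers from text before it is pasted into an external AI tool and refuses to pass text that still contains any. The sample e-mail is constructed, and the order-number format `ORD-nnnnn` is an assumed placeholder convention.

```python
import re

# Constructed sample: a support e-mail of the kind described in scenario 2,
# containing a customer name, order number, e-mail address and phone number.
SAMPLE_EMAIL = """Hello Anna Muster,
thank you for contacting us about order #ORD-48213.
We will ship the replacement to the address on file and confirm to
anna.muster@example.com or by phone at +49 30 1234567.
Best regards, Support Team"""

# Identifiers that commonly appear in customer correspondence.
# The order-number format (ORD-nnnnn) is an assumed placeholder convention.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s()/-]{6,}\d"),
    "ORDER": re.compile(r"#?ORD-\d+"),
}


def redact(text, known_names=()):
    """Replace personal identifiers with typed placeholders before the text
    leaves your systems. Returns (redacted_text, counts_per_identifier_type)."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn("[%s]" % label, text)
        if n:
            counts[label] = n
    # Names cannot be matched reliably by a regex; redact a supplied list
    # (e.g. the customer name taken from the CRM record for this ticket).
    for name in known_names:
        text, n = re.subn(re.escape(name), "[NAME]", text)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    return text, counts


def is_safe_to_send(text, known_names=()):
    """Gate for the copy-paste step: True only if no identifier is found."""
    _, counts = redact(text, known_names)
    return not counts


if __name__ == "__main__":
    clean, found = redact(SAMPLE_EMAIL, known_names=["Anna Muster"])
    print(clean)
    print("redacted:", found, "| safe to send:", is_safe_to_send(clean, ["Anna Muster"]))
```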

2. Where is the data processed and stored?

If the tool stores or processes personal data outside the European Economic Area (EEA), you must ensure—based on the Data Processing Agreement (DPA) or the information provided by the provider—that appropriate safeguards have been implemented.

To trust a Data Processing Agreement (DPA) and use a tool without concern, the DPA should at least clearly and transparently regulate the following points:

  1. Subject matter and duration of processing

    • Which data is processed exactly
    • For what purpose and how long the data will be processed
  2. Nature and purpose of processing

    • Which specific processing activities are carried out (e.g., storage, analysis, forwarding)
  3. Duties and rights of the controller

    • What responsibilities you have as the data controller and how the tool supports you
  4. Duties of the processor (the tool provider)

    • Ensuring the confidentiality and integrity of the data
    • Obligation to comply with the GDPR and other data protection laws
  5. Security measures

    • Which technical and organizational measures are implemented to protect the data (e.g., encryption, access restrictions)
  6. Sub-processors

    • Whether and which sub-processors (subcontractors) may be engaged
    • Rules for consent and control of sub-processors
  7. Data subject rights

    • Support in fulfilling data subject rights (e.g., access, deletion)
  8. Notification of data breaches

    • Obligation to promptly report data breaches
  9. Data return and deletion

    • Rules on how and when data will be deleted or returned after the end of the contract
  10. Location of data processing

    • Clear indication of the countries where data is processed and stored

3. What security measures are in place?

To understand how the data is protected, you should look for the following information in the DPA or in separate security documentation:

Encryption:

The data is transformed into an unreadable form and can only be made readable again with a key.
Even if an attacker steals the stored data, they cannot read it without the appropriate key.

Access Control:

This defines who is allowed to view or edit the data.
Only authorized persons have access to certain data.
The provider (vendor) should be able to describe these protective measures in detail or provide relevant information security certificates—such as ISO 27001 or a SOC 2 Type II Audit Report.

4. Can users easily revoke their consent and exercise their GDPR rights?

Check whether the provider offers clear and simple instructions on how users can:
  • Revoke their consent at any time,
  • Request access to their stored data,
  • Request changes to their data or the deletion of their personal data.

Where can you normally find these instructions?

Privacy Policy

The provider must explain in clear and understandable language how users can exercise their rights under the GDPR, such as revoking consent, accessing, correcting, or deleting their data.

Terms of Service

Often complementing the privacy policy, the terms of service include details on how user rights are handled.

Data Processing Agreement (DPA)

This contains contractual provisions on the processing of personal data, including obligations to support the exercise of data subject rights.

Support or Help Center

Some providers offer FAQs or guides on how users can revoke consent and exercise their data rights.

Contact with the Data Protection Officer

Reputable providers often name a data protection officer whom users can contact for information and consent withdrawal.

If these sources do not provide clear and simple instructions, you should be cautious and critically evaluate the provider.

5. Is my data used for training the AI, and is there an option to object?

Some tools use your data by default to improve their AI models, so it is important that you can object to the use of your data for training and have it deleted from the tool later.
You can normally find out whether you can object to the use of your data for training AI models, and how to request deletion of your data, in the following places:

Privacy Policy

Providers often inform here whether and how user data is used for training purposes and if you can object to it.

Account Settings

Some tools offer an opt-out option for training in the profile or privacy settings.

Terms of Service

These may also contain information about how data is used and whether there are options to object.

Support or Help Center / FAQ

Questions about data use and withdrawal are often answered here.

Contact with the Data Protection Officer or Customer Service

If no direct option is visible, you can inquire here specifically and request deletion or opt-out.

If you do not find corresponding information in any of these sources, you should critically question the provider.

Conclusion

Before purchasing an AI tool, you should always ask these questions first—to protect not only your own data but also the data of your customers.
The key points and the corresponding approaches we have summarized here will help you handle information security issues with more confidence.

If you found this article helpful, feel free to share it with your colleagues. Stay safe online!
