Dumping full customer rosters, unreleased earnings, or ID scans directly into chats is the easiest mistake to avoid. Treat this as a printable list.

  1. Assume chats may train models unless the product clearly says otherwise and you trust compliance—redact or fictionalize first.
  2. Replace real client names with internal codenames; geography can stop at city level.
  3. Blur screenshots—watch status bars, browser tabs, mail sidebars.
  4. Keep work and personal tenants separate so data cannot accidentally cross between them.
  5. Before voice transcription, confirm consent; sanitize again before external sharing.
  6. API keys live in env vars or vaults—never paste into a chat window.
  7. On offboarding, revoke third‑party integrations, not only passwords.
  8. Don’t post intranet URLs or full internal logs in public issues.
  9. For medical/legal topics treat model text as reference—decisions stay with licensed pros.
  10. Revisit privacy policies occasionally, especially data retention and training clauses.

Short list—few people stick to all ten consistently.
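
Items 1, 2, 6 and 8 can be partly automated with a pre-paste filter. The sketch below is an added example, not part of the original checklist: the client names, codenames, internal DNS suffixes and sample text are constructed, and the secret patterns are heuristics rather than a complete detector.

```python
import re

# Hypothetical mapping of real client names to internal codenames (constructed).
CODENAMES = {"Acme Logistics": "PROJECT-HERON", "Borealis Bank": "PROJECT-LYNX"}

# Heuristic rules, not exhaustive. The internal DNS suffixes are an assumption;
# replace them with the ones your organisation actually uses.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_KEY]"),
    ("secret_assignment",
     re.compile(r"\b([\w-]*(?:api[_-]?key|token|secret|password))(\s*[:=]\s*)(\S+)", re.I),
     r"\1\2[REDACTED_SECRET]"),
    ("intranet_url",
     re.compile(r"\bhttps?://[\w.-]+\.(?:internal|corp|lan|local)(?![\w.-])"
                r"(?::\d+)?(?:/\S*)?", re.I),
     "[INTERNAL_URL]"),
]


def sanitize(text, codenames=CODENAMES):
    """Return (sanitized_text, findings); findings counts hits per rule."""
    findings = {}
    # Item 2: swap real client names for codenames, case-insensitively.
    for real, code in codenames.items():
        pattern = rf"\b{re.escape(real)}\b"
        text, n = re.subn(pattern, lambda _m, c=code: c, text, flags=re.I)
        if n:
            findings["client_name"] = findings.get("client_name", 0) + n
    # Items 6 and 8: mask key-like strings and intranet URLs.
    for rule, pattern, repl in PATTERNS:
        text, n = pattern.subn(repl, text)
        if n:
            findings[rule] = n
    return text, findings


SAMPLE = (  # constructed input
    "Acme Logistics reports timeouts, see https://wiki.ops.internal/runbooks/db\n"
    "config: api_key = sk-constructed-0000 and AKIAEXAMPLEEXAMPLE12\n"
    "borealis bank is unaffected."
)

if __name__ == "__main__":
    clean, hits = sanitize(SAMPLE)
    print(clean)
    print(hits)  # a non-empty dict means: review the text before pasting
```

A clean result only means none of these rules fired; free-text identifiers such as addresses or account numbers still need a manual read.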