Privacy questions to ask
before you share anything.
At some point a builder will need to see how your business works. That often means looking at real client data. Here is what to ask before anything leaves your hands.
To build an automation that works with your real business, a builder usually needs to see some version of your real work. Sample emails. Example client notes. A handful of invoices. The shape of the data matters as much as the task itself.
That is a reasonable ask. It is also a moment where most owners hand things over without thinking twice. Some builders handle that information carefully. Some do not. You have no way to know which you are dealing with unless you ask. These are the questions.
Why this matters more than people think.
If you are a lawyer, a doctor, an accountant, or anyone else who handles information under a professional duty of care, "I shared some files with a developer" is not a small thing. In most jurisdictions you have an obligation to know where your client data is going and to have a basis for sharing it.
Even if your work is not formally regulated, your clients trusted you with information. They did not consent to that information being used to train AI models, sitting in a builder's cloud storage, or passing through a service with terms nobody read.
The questions below are not about distrusting the builder. They are about understanding what is happening to information that is not yours to treat carelessly.
Five questions to ask before sharing anything.
- Where will the sample data I send you be stored? Is it on your personal computer? In your email account? Uploaded to a cloud service? The answer tells you the exposure surface. A builder who uploads your client emails to a shared cloud storage for convenience is creating a risk you did not agree to.
- Will any of it be sent to an AI service, and if so which one? Building with AI usually means sending data to an external model at some point. You need to know which service, and you need to check that service's data usage policy. Some AI services use submitted data to train future models. Most professional tiers do not. But you need to know which tier your builder is using.
- What happens to the data when the build is finished? Is it deleted? Returned? Does it sit in the builder's email archive indefinitely? Ask specifically. "I'll clean up when we're done" is not an answer.
- Can we use anonymised data for development? In most cases, a builder can do everything they need with anonymised examples — client names replaced with placeholders, identifying details removed. If a builder insists they need real client data to build with, ask why. The answer is usually that they have not thought about it.
- Are you willing to sign a simple confidentiality agreement? For professional service firms in particular, a one-page NDA before any data is shared is a reasonable ask. A builder who hesitates at this is either inexperienced or careless. Either is a problem.
What good answers sound like.
A builder who takes this seriously will give you specific, direct answers. They will know which AI services they use and on what terms. They will have a position on data handling that they have thought through before you asked. They may already have a standard confidentiality agreement they use.
They will also probably suggest using anonymised data as a default, not because you asked but because it is the right way to build. Real data introduces noise that is hard to separate from the signal. A well-designed automation should work on clean example data first, then be connected to real data when the logic is confirmed.
Miriam · Family law mediator — she asked her builder which AI service processed her documents. He named it, linked to the data policy, pointed out the relevant clause on professional use, and suggested she verify it with her professional body before they started. She hired him the same day.
The specific risk of AI services that train on your data.
Most AI services aimed at professional use have explicit commitments not to use submitted data for training. Most free tiers do not have the same commitment. The difference matters, and the answer is usually in the terms under a section called "data usage" or "privacy."
You do not need to read the whole policy. You need the builder to point you to the specific clause that covers this and confirm which product tier they are using. If they cannot do that, they are using a service they have not read the terms for. That is a problem regardless of what the terms actually say.
Red flags.
-
They ask for real client data before a confidentiality agreement is in place.
There is no reason a builder needs identifiable client information before they have agreed in writing how they will handle it. Send anonymised examples first. If they push back, ask why.
-
They cannot name the AI service they will use or its data terms.
Every builder using an external AI service has a service they are using. If they cannot name it and locate the relevant privacy terms in under five minutes, they have not done that work.
-
Data deletion is described as something that will happen "at the end."
Ask for a specific process and timeline. What gets deleted, from where, and when? "At the end" means whenever they remember, which is often never.
-
They hesitate at a confidentiality agreement.
A one-page NDA is standard. A builder who finds it unusual either has not worked professionally before or has a reason to avoid putting things in writing. Both are worth understanding before you proceed.
The short version.
Before you share real client data with a builder, know where it will be stored, whether it will pass through an AI service and on what terms, when it will be deleted, and whether you can use anonymised examples instead. Ask by email so you have the answers in writing. A builder who handles this well will not find the questions difficult.
If you want to know how I handle client data in builds, email below. The answer is short and specific.