In partnership with
A lawyer runs a sensitive question past an AI tool, gets a useful answer, and clears the conversation. The matter is handled and the trace is gone. Except what you deleted was your view of it.
Delete clears your view, not the provider’s custody. On the consumer app it does eventually reach the back-end copy too - a deleted chat is purged within about thirty days. But four kinds of copy sit outside that, and they are the ones most likely to matter on a client matter: a conversation flagged as a usage-policy violation, held up to two years whether or not you deleted it; certain designated models, which carry a fixed retention window you cannot switch off, even on a zero-retention plan; anything already swept into a training run before you deleted it, which the provider cannot unlearn after the fact; and any provider-side copy on a business or contracted tier, which follows the contract’s schedule, not the delete button in your interface. Hitting delete does not reach any of these. That is the gap between what delete feels like and what it does.
Two records, one of which you control
Step back to why. Assume two records of any AI session: yours and the vendor’s. Clearing your history manages your copy. It does nothing to the vendor’s, which - where one exists - persists for whatever window applies and is independently reachable by valid legal process, sometimes with no notice to you, because a court can bar the provider from telling you at all.
The windows are not uniform, and they move. Across the three doors into these tools - the consumer app, the business tier, and a contracted arrangement (a signed zero-retention agreement) - they differ. As the terms stand in mid-2026: a deleted consumer chat purges within about thirty days, but an undeleted one with training left on can be retained, de-identified, for up to five years. The business API does not store your prompts and outputs as conversation content by default - more protective than the consumer app, not less. None of these clocks resets when you hit delete, and every one of them has already changed at least once. The window to trust is the one you confirm for your exact path today, not the one you remember from an article.
The attachment is the part that lingers
And the chat is the easy case. The riskier habit is uploading documents - a claim chart, a diligence memo, an unfiled specification - because a file often does not share the chat’s lifecycle. Delete the conversation and the file can remain in the project, workspace, or connected store you attached it from, on a retention rule of its own. For an IP lawyer that inverts the danger: the prompt that says “summarize this” looks harmless, while the attachment it points at is the entire confidential matter. If you are going to confirm one retention path, confirm the one for files, not just for chats.
What this is, and what it is not
This is not a claim that your client's secret is now exposed, or that retention waives privilege. On a tier that binds the vendor to confidentiality, retention is not by itself a public disclosure, a privilege waiver, or a loss of trade-secret status. It is a custody fact - client material sitting in a system you do not control - and the consequences turn on the relationship, the purpose, and the terms, not on the storage alone.
The consumer app is where that breaks down. A court has now read those terms and found they let the provider share inputs with third parties, including the government (United States v. Heppner). There, the retained copy was not resting under a confidentiality obligation at all; it was sitting under terms that permit disclosure. Same retention, different question of whether anything holds it.
The problem is narrower and real: the gap between what you believe about that material and what is true. You believe it is gone. It is in a third party’s custody, exposed to preservation and discovery, for a period you may not be able to name. The danger is not catastrophe. It is the difference between perceived control and actual control, and that difference is exactly where a competence problem hides - the duty to take reasonable steps to protect client information runs to the copy you cannot see (Model Rule 1.6; 37 C.F.R. 11.106 before the USPTO).
Why a lawyer should care about the gap
If anyone ever asks how a piece of client material was handled - opposing counsel in discovery, the client, a grievance committee - “I deleted it” is not the same statement as “it was never retained.” The first describes your housekeeping. The second describes the contract. Only one of them answers the question, and you can only make it if you knew the retention term before you typed, not after.
What to do
Stop treating delete as a privacy control. It is a tidiness control. Before sensitive material goes into any tool, find the retention window for that exact path, model, and feature - and know where to look, because it is not on the marketing page. It is in the provider’s data-retention or data-processing terms, and for API use it is in the developer docs, not the chat settings. Then assume any provider-side copy outlives your session by that window, and that any file you attached may outlive it longer. If the window is too long for the matter, that is a signal to change the path - not to delete more carefully afterward.
This is the second in a series on what these tools keep, and what it takes to get it back out. Next: why an enterprise zero-retention agreement may not cover the way your firm actually uses the tool.
I am writing more about practicing law in the age of agentic AI - using these tools without surrendering judgment, privilege, or the duty of competence - at The Agentic Lawyer. www.theagenticlawyer.com
Educational only, not legal advice, and no attorney-client relationship is created. Views are my own, not my employer's. Attorney advertising in some jurisdictions.
Talk to your AI tools the way you'd talk to a colleague.
You don't send a colleague a three-word brief. You explain the context, the constraints, what you've already tried. But typing all that into ChatGPT takes forever — so you don't.
Wispr Flow lets you speak your prompts instead. Talk through your thinking naturally and get clean, paste-ready text. No filler words. No cleanup. Just detailed prompts that actually get you useful answers on the first try.
Millions of users worldwide. Works system-wide on Mac, Windows, and iPhone.