Treat this like kitchen hygiene — not perfectionism, just sensible defaults you don't have to think hard about.

Red — never paste into cloud AI
| Examples | Why |
|---|---|
| Passwords, API keys, recovery codes | Instant account-takeover risk |
| Bank / card details, full payment info | Financial fraud |
| Customer medical or children's details | You may break both trust and the law |
| Unredacted contracts with names + figures | Client confidentiality |
| Someone else's private messages, forwarded in full | You don't own that consent |

The rule: if you wouldn't email it to a random help desk, don't paste it.

Amber — careful (anonymise, summarise, or wait)
| Examples | Safer approach |
|---|---|
| A real client scenario you want advice on | Change the names, amounts and location; say "fictional example" |
| Internal business numbers | Round them off; strip the identifiers |
| A draft policy you're unsure about | Paste your question, not the whole employee handbook |
| Competitor research with their branding | Describe the situation in your own words |

The rule: ask "if this leaked, who gets hurt?" If the answer isn't "nobody," it's amber.

Green — usually fine for learning and daily drafts
| Examples | Still check facts |
|---|---|
| Public facts, general how-to questions | AI can still be wrong |
| Your own marketing angle (no client secrets) | — |
| Code with no secrets in it (fake keys in exercises) | Use YOUR_API_KEY_HERE placeholders |
| Lesson exercises with the made-up shop "Example Ink Ltd" | — |

Amber is where I live most days, honestly — the real shape of a problem with fake names bolted on. "A customer in Sheffield, deposit dispute, £200" — not their actual Instagram handle and a screenshot of the invoice.

Quick self-test before you hit Enter
- Whose data is this? (Mine / a client's / someone else's)
- Could it identify a real person?
- Is there a smaller paste that still gets the job done?
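
The mechanical part of this self-test can be scripted. The Python check below is an added example, not part of the original lesson: it flags red items (secret assignments, Luhn-valid card numbers) and amber items (email addresses, @handles) and swaps them for placeholders in the `YOUR_API_KEY_HERE` style. The regexes, function names and sample text are assumptions made for illustration, and pattern matching cannot answer "who gets hurt?" for you.

```python
import re

# Illustrative patterns (assumptions), not an exhaustive secret scanner.
SECRET = re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b(\s*[:=]\s*)(\S+)")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
HANDLE = re.compile(r"(?<![\w@])@\w{2,30}\b")
PLACEHOLDER = re.compile(r"YOUR_\w+_HERE")

def luhn_ok(number):
    """True if the digits pass the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"\D", "", number))):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_paste(text):
    """Return (level, findings, redacted_text) for text about to be pasted."""
    findings = []

    def secret(m):
        name, sep, value = m.groups()
        if PLACEHOLDER.fullmatch(value.strip("\"'")):
            return m.group(0)  # already a placeholder, nothing to flag
        findings.append(("red", "secret"))
        return name + sep + "YOUR_" + re.sub(r"[^A-Za-z]+", "_", name).upper() + "_HERE"
    def card(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)  # long digit run that is not a card number
        findings.append(("red", "card number"))
        return "[CARD]"
    def amber(kind, repl):
        def sub(m):
            findings.append(("amber", kind))
            return repl
        return sub

    text = SECRET.sub(secret, text)
    text = CARD.sub(card, text)
    text = EMAIL.sub(amber("email", "[EMAIL]"), text)
    text = HANDLE.sub(amber("handle", "[HANDLE]"), text)
    levels = {lvl for lvl, _ in findings}
    level = "red" if "red" in levels else "amber" if "amber" in levels else "green"
    return level, findings, text

# Constructed sample; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = ("api_key = abc123realkey\n"
          "Card 4111 1111 1111 1111, reach me at jo@example.com (@jo_inks)")
```

A "green" result only means none of these patterns matched; names, addresses and contract figures still need the human check above.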
Continue — five minutes inside your app's settings.