Short answer: for most confidentiality-bound professionals, putting client-identifiable information into a consumer AI chat tool violates the duties you've already agreed to — before any AI-specific rule even enters the picture. This page explains the reasoning so you can check it against your own obligations, and what your practical alternatives are.
Professional confidentiality frameworks — attorney conduct rules, accountant confidentiality standards, HIPAA for health information, plain NDAs — share one structure: client information may not be disclosed to third parties without consent or a vetted, contracted service arrangement. A consumer AI chatbot is a third-party service. Pasting client information into it is a disclosure, whether or not anything bad ever happens with the data. Bar associations that have issued AI guidance have consistently emphasized this point: the technology is new, the duty is not.
Opt-outs and enterprise tiers reduce risk; they don't eliminate the disclosure. The data still transits to and is processed on a third party's infrastructure, may be retained for abuse monitoring, and is subject to legal process against that provider. An enterprise agreement with a DPA, negotiated by your firm, can make cloud AI defensible — that's what enterprise legal AI vendors sell, at enterprise prices. A consumer subscription with a settings toggle is not that.
Analysis that runs entirely in your browser — risk flagging, clause and key-term extraction, PII redaction, summaries — never discloses anything, because nothing is transmitted. It won't draft a brief, but it makes the reading, checking, and redacting parts of confidential work meaningfully faster while keeping you inside your obligations. Redacting locally first can also be the bridge that makes a public-safe excerpt usable in cloud tools.
This page is general information, not legal advice — check your own jurisdiction's rules and your firm's policy.
We're building a browser extension for exactly this problem: drop a PDF or DOCX and get risk flags, clause extraction, PII redaction, and summaries — 100% on your device. No account, no server, no subscription. One-time license. By hakeemify, maker of Roost.
We'll email you once, at launch. Nothing else.
In most professional frameworks, sending client-identifiable information to any unvetted third-party service is a disclosure, and consumer AI chat tools are third-party services. Enterprise agreements with data-processing terms are the exception, not consumer subscriptions.
It reduces risk but doesn't change the core issue: the data still leaves your control and is processed on third-party infrastructure. Most confidentiality duties turn on the disclosure itself, not on what the recipient does afterward.
Two paths: an enterprise AI tool your firm has vetted and contracted, or on-device tools where analysis runs locally and nothing is transmitted. The second requires no procurement because there is no data flow to approve.
Sometimes, if done rigorously — but manual anonymization is error-prone and distinctive facts can re-identify a document. Redacting locally with automated detection plus human review, then sharing only genuinely public-safe excerpts, is the defensible version of this approach.
By hakeemify — maker of Roost (tab manager) and "WatchBird" (Website Change Monitor). We build local-first, one-time-license browser tools.