This weekly edition follows the AI Data Use Index methodology: official sources only, product-level scope, and no inference beyond the public record. Scan window: 19 to 26 May 2026 UTC.
Summary of material changes
| Vendor / product | Document | Last updated | Significance |
|---|---|---|---|
| Gemini Apps | Gemini Apps Privacy Hub & Notice | 19 May 2026 | Material: new agentic data flows (Spark, remote browser/computer, expanded Connected Apps) |
| ChatGPT (US) | US Privacy Policy | 18 May 2026 | Material: consolidated US disclosures on training, ads, contacts, and retention |
No new primary ToS or training-data policy revisions were identified for Anthropic, Microsoft 365 Copilot, Meta AI, Perplexity, or xAI consumer policies within the 19 to 26 May window. Index entries for those products are unchanged this week unless your org uses a separate enterprise agreement.
Google Gemini Apps (19 May 2026)
What changed
Google republished the Gemini Apps Privacy Notice and Privacy Hub on 19 May 2026, aligned with I/O 2026 announcements for Gemini Spark and broader agentic capabilities. The notice now documents dedicated sections for:
- Gemini Spark use of data with remote browser and remote computer features
- Expanded Connected Apps and Personal Intelligence personalization paths
- Screen automation on Android, Canvas user-generated apps, and imported chats from other AI platforms
- Retention rules for temporary chats, Keep Activity off, and human reviewer access (up to three years for reviewed chats)
Google states Gemini Apps chats are not used to show ads today, with a commitment to communicate if that changes. Training use remains tied to the Keep Activity setting and separate controls for audio and Gemini Live recordings.
Who it affects
Signed-in consumer and prosumer Gemini users on Android, iOS, and web; teams evaluating Spark or Daily Brief for workflow automation; and security teams reviewing default-on Google account integrations (Gmail, Workspace, third-party Connected Apps).
PSF mapping
- Data protection: new categories include remote browser cookies, screen captures, call/message logs when Gemini is the device assistant, and data exchanged with third-party Connected Apps. See PSF Domain 3.
- Human oversight: Google warns that agentic features can act on websites, purchases, or third-party sharing without explicit per-step approval. See PSF Domain 6.
- Input governance: unintended activations (for example, noise triggering Hey Google) still process audio per the notice. See PSF Domain 1.
- Observability: practitioner teams need logging outside Gemini for agentic actions Spark performs in connected apps. See PSF Domain 4.
Practitioner action
- Audit Gemini Apps Activity, Keep Activity, and Personal Intelligence connectors for users with company Google accounts.
- Disable or restrict Gemini Spark and remote browser profiles until data flows are mapped in your register of processing activities.
- Update acceptable-use guidance: Canvas apps and third-party Connected Apps can retain user-shared data outside Google retention controls.
OpenAI ChatGPT US policy (18 May 2026)
What changed
OpenAI published an updated US Privacy Policy effective 18 May 2026. Notable disclosures in the public record include:
- Explicit linkage between consumer Content and model improvement, with opt-out via Data Controls
- Contact upload and matching when users connect device contacts
- Advertising measurement for Free and Go tiers via data partners (with account-level opt-outs)
- Retention carve-outs for abuse, legal, and financial record-keeping beyond user deletion
- Temporary Chat and Atlas browser controls called out in the data controls section
API and business offerings remain outside this consumer policy scope, governed by separate customer agreements per OpenAI.
Who it affects
US-resident or US-policy-covered ChatGPT Free, Go, Plus, and Pro accounts; employees using personal ChatGPT on corporate devices; and procurement teams comparing consumer ChatGPT to ChatGPT Enterprise.
PSF mapping
- Data protection: training default and advertiser sharing for consumer tiers require documented opt-out verification. Align with Production AI Standard data minimisation expectations.
- Security: contact sync expands the blast radius of account compromise. Review PSF Domain 7 access controls.
Practitioner action
- Re-verify Data Controls: disable model improvement and marketing sharing for any consumer account used with work content.
- Block or monitor contact-sync features on managed devices if your policy forbids uploading address books to consumer AI.
- Route production workloads to Enterprise or API tiers where training exclusions are contractually defined.
Index note: PAI records public disclosures, not vendor intent. Status labels on /ai-data-use product pages will be refreshed when methodology review completes. Use Check my AI tools to compare your stack against this edition.
Sources (primary)
- Google, Gemini Apps Privacy Hub, last updated 19 May 2026
- Google, The Gemini app becomes more agentic (blog), 19 May 2026
- OpenAI, US Privacy Policy, updated 18 May 2026
- Production AI Institute, AI Data Use Index methodology
- Production AI Institute, AI Policy Change Watch (May 2026 baseline edition)
Turn the evidence into production practice.
Use the PSF, research library, and Lab material to review your own deployment. Credentials are available when a client, employer, or regulator needs public proof.