Can I use OpenAI or Anthropic APIs and stay UK GDPR compliant?

By SuLe · Updated 7 May 2026

Yes — plenty of UK startups do — but a US-based AI API is an international transfer of personal data, so compliance depends on the paperwork and settings around it. You need the provider's data processing agreement, an appropriate transfer safeguard, the right retention and training controls, and an updated privacy notice and record of processing.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • Sending personal data to a US-based AI API is a restricted international transfer under UK GDPR.
  • Cover the transfer with an appropriate safeguard: the provider's DPA plus an IDTA, SCCs with the UK Addendum, or a UK-US data bridge certification.
  • Business API tiers typically do not train on your API data by default — but confirm the retention and training settings for your exact tier.
  • Put a data processing agreement in place with the provider before sending real user data.
  • Update your privacy notice and Article 30 records of processing to reflect the AI provider and any international transfer.

Is using a US AI API an international data transfer?

Usually, yes. If your product sends personal data to an AI provider hosted in the United States, that is a restricted international transfer under UK GDPR, and transfers cannot happen without an appropriate safeguard in place.

The point catches founders off guard because the API call feels like an ordinary technical integration. Legally, though, personal data is leaving the UK for a third country, which triggers the transfer rules regardless of how routine the request feels.

The ICO's guidance for organisations sets out the transfer mechanisms, and getting one in place is the foundation for everything else here.


What safeguards do I need for the transfer?

You need one of the recognised transfer tools. The common options are the provider's DPA combined with an International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or reliance on a UK-US data bridge certification where the provider is certified.

Whichever route you take, the DPA itself matters: it names the provider as your processor and pins down security, sub-processing and deletion obligations. Get it executed before real user data flows, not afterwards.

This is the same international-transfer analysis that applies whenever you move user data offshore — see can I transfer user data outside the UK.


Do OpenAI and Anthropic train on the data I send?

For business API tiers, the providers typically do not train on your API data by default. That is the general position, but it is a terms-and-settings question, not something to assume for your specific integration.

Check the retention and training controls for the exact product and tier you use, and confirm the position in the contract rather than in a blog post. Retention windows for abuse-monitoring can still mean the provider holds data briefly, which your privacy notice should reflect.

If you separately want to train your own model on user data, that is a different question with its own hurdles — see can I train an AI model on customer or user data.


What do I have to document and disclose?

Two things: your outward-facing privacy notice and your internal records. Users should be told, in plain terms, that you use a third-party AI provider and that data may be transferred internationally where that applies.

Internally, add the processing to your Article 30 records so your documentation matches reality, and run a data protection impact assessment where the processing is high-risk — for example if you handle sensitive data at scale.

Be especially cautious with special category data such as health or biometric information: minimise what you send, and do not route it through a third-party API without specific legal cover and a DPIA.

UK GDPR step for an AI APIWhat to doCommon gap
Data processing agreementExecute the provider's DPA before live data flowsGoing live on trust, no signed DPA
Transfer safeguardIDTA, SCCs + UK Addendum, or UK-US data bridgeIgnoring that a US API is an international transfer
Training/retention settingsConfirm business tier does not train; check retentionAssuming defaults without checking the tier
Privacy noticeDisclose the AI provider and international transferNotice silent on third-party AI processing
Records and DPIAUpdate Article 30; DPIA if high-riskDocumentation that does not match reality

Worked example

Aisha runs a London edtech startup and adds an AI feedback feature powered by a US-based AI API, sending pupils' written answers for analysis. Because the answers identify individuals and leave the UK, she treats it as a restricted international transfer.

She signs the provider's DPA, relies on the provider's UK-US data bridge certification for the transfer, and confirms on the business tier that the provider does not train on her API data. Because pupil data can be sensitive, she runs a DPIA and minimises what she sends — stripping names before the call where she can. She updates the school-facing privacy notice and her Article 30 record, and budgets £2,000 of legal time to review the DPA and transfer position before launch.


Where founders go wrong

  • Treating the API call as "just an integration"

    — sending personal data to a US provider is an international transfer with its own paperwork.
  • Assuming no training without checking

    — business tiers typically do not train on API data, but you must confirm it for your tier.
  • Going live without a signed DPA

    — the processor agreement should be in place before real user data flows.
  • Forgetting the privacy notice

    — users should know a third-party AI provider processes their data and that it may go abroad.

Related questions

Is sending data to a US AI API an international transfer?

Usually yes. If personal data leaves the UK to a US-based provider, that is a restricted international transfer under UK GDPR, so you need an appropriate safeguard such as the provider's DPA plus an IDTA, SCCs with the UK Addendum, or reliance on a UK-US data bridge certification. [More: Can I transfer user data outside the UK?]

Do OpenAI and Anthropic train on my API data?

Business API tiers typically do not train on your API data by default, but this is a settings-and-terms question, not an assumption. Check the retention and training controls for the exact product and tier you use, and confirm it in the contract.

Do I need a DPA with the AI provider?

If the provider processes personal data on your behalf, yes — you need a data processing agreement setting out the provider's obligations as your processor. The major providers offer one; put it in place before you send real user data through the API. [More: What is a data processing agreement (DPA) and when do I need one?]

What do I tell my users about using an AI API?

Update your privacy notice to reflect that you use a third-party AI provider and, where relevant, that data may be transferred internationally. Add the processing to your Article 30 records so your documentation matches what actually happens.

Can I send special category or highly sensitive data to the API?

Take extra care. Health, biometric and similar special category data needs a stronger lawful basis and tighter safeguards, and you should minimise or avoid sending it through third-party APIs unless you have specific legal cover and a DPIA.


Wiring an AI API into your product is a data-transfer and processor-contract question as much as an engineering one, and the defaults you assume may not match your tier. A SuLe solicitor can check your DPA, transfer route and privacy notice so the compliance matches the integration. Book a free consultation about your product's legals and get a regulated startup lawyer to review your AI stack before launch.

Keep reading: Can I train an AI model on customer or user data? · What should an AI product's terms of service cover? · Do I need an AI use policy for my startup? · Can I transfer user data outside the UK? · What is a data processing agreement (DPA) and when do I need one? · What does UK GDPR require from an early-stage startup?

Primary sources: ICO — For organisations (UK GDPR guidance incl. AI)

AI-generated content. General information, not legal advice.