Can I train an AI model on customer or user data?

By SuLe · Updated 27 June 2026

You can, but only if you clear two separate layers: a lawful basis under UK GDPR to use personal data for training, and customer contracts that actually permit it. A clean data-protection position is worthless if your terms with the customer forbid using their data to train models, and vice versa — both must line up.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • Training on personal data needs a lawful basis under UK GDPR — usually consent or a carefully assessed legitimate interests basis.
  • Purpose limitation applies: if the data was collected for one purpose, reusing it to train a model is a separate question you must analyse.
  • Transparency is mandatory — your privacy notice must disclose that you train on personal data.
  • B2B customer contracts commonly restrict using customer data to train models, so the contract layer can block you even when UK GDPR would not.
  • Genuine anonymisation takes data outside UK GDPR, but pseudonymised data still counts as personal data.

Do I need a lawful basis to train on personal data?

Yes. If the data you want to train on identifies living individuals, it is personal data, and using it for model training is a processing activity that needs a lawful basis under UK GDPR.

For training, the realistic options are consent or legitimate interests. Consent must be specific and freely given; legitimate interests needs a documented balancing test weighing your commercial purpose against the individual's rights and reasonable expectations.

Neither basis is a formality. The ICO's guidance for organisations treats AI training as high-scrutiny processing, so choose the basis deliberately and write down your reasoning before you start.


Does it matter what I originally collected the data for?

It matters a great deal. UK GDPR's purpose-limitation principle means data collected for one purpose cannot be freely repurposed for another — and training a model is very often a new purpose.

If your sign-up flow said you collect data to deliver the service, quietly feeding that data into model training is a purpose-limitation problem, not just a transparency one. You need to show the new use is compatible with the original, or you need a fresh basis.

Data minimisation applies too: train on the least personal data you need, and prefer anonymised or pseudonymised inputs. This connects to what UK GDPR requires from an early-stage startup.


What do my customer contracts have to say about it?

This is the layer founders forget. Separately from UK GDPR, your commercial agreements often restrict what you can do with customer data — and B2B customer contracts commonly forbid using their data to train models at all.

That restriction is contractual, so it binds you even where the data is anonymised or where you would otherwise have a lawful basis. Breaching it is a breach of contract with your paying customer, which is its own commercial and legal exposure.

Check both layers every time: the data-protection basis and the contract terms. Where you use a third-party AI API to do the training, also check that provider's terms — see can I use OpenAI or Anthropic APIs and stay UK GDPR compliant.


What do I have to tell users and buyers?

Be transparent in your privacy notice. If you train on personal data, UK GDPR requires you to say so in language a user can understand — vague catch-all wording is not enough for a use this significant.

Beyond the legal duty, there is a market expectation. B2B AI products now commonly state whether customer data is used for training, with the default being not at all, or opt-in only, and buyers increasingly ask the question in procurement.

Update your Article 30 records of processing to include training as an activity, and make sure your data protection impact assessment covers it where the processing is high-risk.

Step before training on dataWhat it meansWhy it matters
Establish a lawful basisConsent, or documented legitimate interests testWithout it, the training itself is unlawful under UK GDPR
Check purpose limitationWas the data collected for this, or a compatible use?Repurposing service data for training may need a fresh basis
Check customer contractsDo your B2B terms permit training on their data?A contract ban blocks you even with a lawful basis
Minimise and anonymiseTrain on the least data; anonymise/pseudonymiseReduces risk; true anonymisation exits UK GDPR
Update transparencyPrivacy notice, Article 30 records, DPIA if high-riskSilent training breaches transparency and purpose limits

Worked example

Tomasz and Ruth run a logistics SaaS used by 40 UK haulage firms, and they want to train a route-prediction model on operational data that includes drivers' names and locations. That is personal data, so they document a legitimate interests basis and run the balancing test.

Then they read their own customer contracts and find a clause promising customers their data will not be used to train models. Even with a lawful basis, that clause blocks them. They redesign the feature to run on pseudonymised data and add a per-customer opt-in, and they spend £3,500 on legal input to update the contract, privacy notice and Article 30 record. The opt-in becomes a selling point when a new enterprise buyer asks the training question in procurement.


Where founders go wrong

  • Assuming a lawful basis is enough

    — the customer contract layer can forbid training even when UK GDPR would allow it.
  • Repurposing service data silently

    — data collected to run the service cannot be quietly diverted into training without a purpose-limitation analysis.
  • Calling pseudonymised data anonymous

    — pseudonymised data is still personal data; only genuine anonymisation exits UK GDPR.
  • Leaving the privacy notice untouched

    — training on personal data is exactly the kind of use that must be disclosed transparently.

Related questions

What lawful basis do I need to train on personal data?

Usually consent or a carefully assessed legitimate interests basis under UK GDPR. Legitimate interests needs a documented balancing test weighing your purpose against the individual's rights, and you must be able to show the data was not collected only for a different purpose. [More: What does UK GDPR require from an early-stage startup?]

Can my customer contracts stop me training on their data?

Yes, and B2B contracts commonly do. Many SaaS agreements restrict using customer data to train models, so even a clean UK GDPR position does not help if the contract forbids it. You have to clear both the data-protection layer and the contract layer.

Does anonymising the data solve the problem?

Genuine anonymisation takes the data outside UK GDPR, which removes the data-protection hurdle. But true anonymisation is hard, pseudonymised data still counts as personal data, and your customer contract restrictions can still bite regardless.

Do I have to mention training in my privacy notice?

Yes. Transparency is a core UK GDPR duty, so if you train on personal data your privacy notice must say so clearly. Silent training on data people gave you for another purpose is a purpose-limitation and transparency failure. [More: Do I need terms and conditions and a privacy policy for my startup?]

Is training on customer data a procurement issue?

Increasingly, yes. B2B buyers now commonly ask whether their data is used for training and expect the default to be no, or opt-in only. A clear stance has become a sales and procurement checklist item, not just a legal one.


Training on customer data is where data-protection law and your commercial contracts collide, and a template can only ever see one of those layers. A SuLe solicitor can check your lawful basis, your privacy notice and the exact wording of your customer terms together. Book a free consultation about your product's legals and get a regulated startup lawyer to clear both layers before you train.

Keep reading: Can I use OpenAI or Anthropic APIs and stay UK GDPR compliant? · Who owns AI-generated code or content? · What should an AI product's terms of service cover? · What does UK GDPR require from an early-stage startup? · Can I transfer user data outside the UK? · What is a data processing agreement (DPA) and when do I need one?

Primary sources: ICO — For organisations (UK GDPR guidance incl. AI)

AI-generated content. General information, not legal advice.