This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
When you type a prompt into ChatGPT, ask Claude to summarise a document, or use Microsoft Copilot in your email, that information travels over the internet to a server operated by the tool's provider. For most major AI tools, those servers are in the United States. For Australian businesses handling customer information, employee records, or commercially sensitive content, this matters under the Privacy Act 1988 and Australian Privacy Principle 8, which addresses disclosure of personal information to overseas recipients. This guide is a plain-English reference on where the major AI tools store and process data, what controls are available, and what the Privacy Act implications are.
In short: ChatGPT, Claude, Google Gemini, and Notion AI all primarily process and store data on US-based infrastructure. Microsoft Copilot through M365 is the significant exception: Australian Microsoft 365 customers can have their data stored in Microsoft's Australian data centres for core M365 services, with Copilot processing subject to the tenant's M365 data location commitments. No major general-purpose AI tool guarantees Australian data residency for prompt data without specific enterprise agreements. For businesses with Privacy Act obligations around personal information, understanding where data goes and what safeguards exist is part of responsible AI tool adoption.
Last reviewed: June 2026 | Next review: September 2026
Why Data Residency Matters Under Australian Privacy Law
Australian Privacy Principle 8 (APP 8) addresses what happens when an Australian Privacy Act-covered entity discloses personal information to an overseas recipient. Before doing so, the entity must take reasonable steps to ensure the overseas recipient will handle the information in a way that is at least consistent with the APPs. This is not an absolute prohibition on overseas data transfer, but it creates an obligation to consider and address the cross-border data question.
When a business employee uses ChatGPT and types a customer's name and contact details into the prompt, that information has been disclosed to an overseas recipient (OpenAI, based in the US). Whether this triggers a serious APP 8 concern depends on the nature of the information, the available safeguards, and whether the information is genuinely personal information under the Act. For most business AI use that involves no personal information (drafting generic templates, summarising public information, brainstorming business ideas), the overseas transfer question is largely academic. For use that involves customer records, employee information, or sensitive data, it is a real consideration.
The OAIC's guidance on AI and privacy, including the overseas transfer question, is at oaic.gov.au/privacy/guidance-and-advice/ai. The OAIC does not prohibit the use of overseas-hosted AI tools, but it does expect businesses to have considered the Privacy Act implications of their AI tool choices and use practices.
Per-Tool Data Residency: The Comparison
The table below summarises the data residency position for the major AI tools used by Australian businesses as of June 2026. Data handling terms change: verify current terms with each vendor before making decisions based on data residency claims. Last-verified dates are provided for each tool's specific commitments.
AI Tool Data Residency Comparison (Australia)
| ChatGPT | Claude (Anthropic) | Microsoft Copilot | Google Gemini | Notion AI | |
|---|---|---|---|---|---|
| Primary data location | US (OpenAI / Microsoft Azure US) | US (AWS US East) | AU available for M365 tenants (Azure AU) | US primarily (varies by Workspace tier) | US (Notion Labs / AWS US) |
| Australian data centre available | No | No | Yes (Azure AU for M365 core data) | Partial (Google Cloud AU for some Workspace data) | No |
| Training on your data (default) | Yes for Free/Plus (opt out available) | Yes for Claude.ai (opt out available) | No (M365 Business Standard+) | Workspace: No for Workspace data. Consumer: Yes | Business/Enterprise: opt out. Free: may train |
| Training opt-out available | Yes (settings, or use API) | Yes (settings, or use API) | N/A (no training on M365 data) | Yes (Admin console for Workspace) | Yes (Business and Enterprise plans) |
| Data Processing Agreement available | Yes (Enterprise only, standard ToS for lower tiers) | Yes (Claude for Enterprise) | Yes (M365 DPA included in subscription terms) | Yes (Google Workspace DPA) | Yes (Business and Enterprise plans) |
| Best tier for business data protection | ChatGPT Team or Enterprise | Claude for Enterprise | M365 Business Standard and above | Google Workspace Business or Enterprise | Notion Business or Enterprise |
ChatGPT: US Infrastructure, Tiered Controls
OpenAI operates on Microsoft Azure infrastructure, primarily in the United States. When you use ChatGPT, your prompts and any uploaded files are processed on OpenAI's US servers. OpenAI does not currently offer Australian data residency for any ChatGPT subscription tier.
Under the free ChatGPT plan, OpenAI's default is to use conversation data for model improvement, though users can opt out in settings. Under ChatGPT Plus (individual paid plan), the same data handling applies with the option to turn off model training in settings. Under ChatGPT Team, OpenAI commits to not training models on workspace data by default, and provides a workspace management console. Under ChatGPT Enterprise, OpenAI provides a data processing agreement and more formal security commitments (SOC 2 Type 2, encryption at rest and in transit). For businesses with Privacy Act obligations, the Team or Enterprise tier provides meaningfully clearer data handling terms than the free or Plus plans. OpenAI's privacy policy is at openai.com/privacy.
Claude (Anthropic): US Infrastructure
Anthropic operates on AWS infrastructure, primarily in the US East region. Claude.ai processes prompts and conversations on Anthropic's US servers. Anthropic does not offer Australian data residency for Claude.ai.
Under the Claude.ai free and Pro plans, Anthropic may use conversations to improve Claude unless the user opts out in privacy settings. Under Claude for Teams, Anthropic provides stronger data handling commitments. Under Claude for Enterprise, Anthropic provides a data processing agreement, enterprise security controls, and SSO. For API customers, Anthropic provides zero data retention options (prompts are not stored beyond the API call). Anthropic's privacy information is at anthropic.com/privacy.
Microsoft Copilot: Australian Data Centre Available
Microsoft Copilot within Microsoft 365 is the significant data residency exception in this comparison. Australian Microsoft 365 commercial tenants can have their core M365 data, including Exchange Online, SharePoint, and Teams data, stored in Microsoft's Australian data centres (Azure Australia East in New South Wales, Azure Australia Southeast in Victoria). Microsoft's data residency commitments for M365 are published in their trust centre documentation.
However, the data residency position for Microsoft 365 Copilot (the AI feature) is more nuanced. Copilot interactions may be processed in a different geography to where core M365 data is stored. Microsoft publishes guidance on Copilot data residency as part of its M365 Copilot documentation at learn.microsoft.com/copilot/microsoft-365. For Australian businesses with specific data residency requirements, reviewing that current documentation and discussing your tenant's specific configuration with a Microsoft partner is the appropriate step rather than relying on general summaries. Microsoft does commit that customer data in Microsoft 365 is not used to train foundation AI models.
Google Gemini: Varies by Product and Tier
Google operates significant infrastructure in Australia (Google Cloud Sydney region), but the data handling for Gemini specifically depends on which product and tier you are using. Google Gemini for Workspace (the enterprise AI integrated into Google Workspace) provides better data handling commitments for paying Workspace customers: Workspace data is not used to train Google's general AI models, and Google provides a data processing addendum under its Workspace terms.
Consumer Gemini (the standalone AI assistant at gemini.google.com) has different terms: conversations may be reviewed by human reviewers and used for training. For business use of AI within Google Workspace, the Workspace Gemini add-on is the appropriate product, not the consumer Gemini assistant. Google's data residency and data handling information for Workspace is at workspace.google.com/terms/data-processing-amendment.
Notion AI: US-Based, Business Controls Available
Notion stores data on AWS infrastructure in the United States. Notion AI, the AI writing and summarisation feature within Notion, processes requests on Notion's US-based infrastructure. Notion does not offer Australian data residency.
Notion's AI features are powered by third-party AI providers including Anthropic and OpenAI via API, subject to Notion's data processing agreements with those providers. For Notion Business and Enterprise plans, Notion commits that customer data (including AI interactions) is not used to train AI models. Notion's data handling and security documentation is at notion.com/security.
What to Do with This Information
Knowing where your AI tool data goes is the first step. The second step is deciding whether your current AI tool use is consistent with your Privacy Act obligations, given what you now know. For most business AI use that involves no personal information, the overseas data transfer question is largely academic. For use that involves customer records, employee information, or sensitive business data, the question is substantive.
A practical approach: establish a staff AI use policy that distinguishes between information types that are appropriate to enter into general-purpose AI tools (generic business information, templates, public research questions) and information types that are not (customer personal details, employee records, financial records, health information, commercially sensitive data). This distinction resolves most practical Privacy Act data residency concerns without requiring a switch to different AI tools for most tasks.
For businesses that do need to process sensitive data through AI tools, enterprise tiers with data processing agreements, and for some use cases Microsoft 365 with its Australian data centre options, are the relevant alternatives to investigate. Our guide on AI data sovereignty for Australian business covers the vendor assessment questions in detail.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified in AUD at the vendor's published rates or converted at current exchange rates. Compliance notes reference the legislation and regulatory guidance relevant to each article's scope. Tools are assessed for suitability by a business with no dedicated IT department.
Related reading: our AI data residency in Australia.
Does using a US-based AI tool automatically breach the Australian Privacy Act?
No, not automatically. APP 8 requires that before disclosing personal information to an overseas recipient, an organisation takes reasonable steps to ensure the recipient will handle the information in a way that is at least consistent with the APPs. If your business uses a US-based AI tool in a way that involves personal information, the APP 8 question is whether you have taken reasonable steps, not whether the tool is overseas. For general-purpose AI use that does not involve personal information, APP 8 is not engaged. For use involving personal information, reviewing the vendor's data handling terms and your staff's AI use practices is the relevant step. The OAIC's guidance at oaic.gov.au/privacy/guidance-and-advice/ai covers this in more detail.
Is Microsoft Copilot safer than ChatGPT for Australian businesses?
Microsoft Copilot through M365 offers better-defined data handling for Australian business customers than free or standard ChatGPT subscriptions, primarily because Microsoft provides a data processing addendum, does not train on M365 customer data, and offers Australian data centre hosting for core M365 data. For businesses already in the Microsoft 365 ecosystem that are evaluating AI tools, Copilot's data handling position is clearer and more enterprise-ready than free or Plus-tier ChatGPT. However, the right comparison for most businesses is not the tool brand but the subscription tier: ChatGPT Enterprise and Copilot for M365 at the Business Standard tier are both materially better than their free counterparts for business data handling.
Does an AI tool use my data to train its models?
It depends on the tool and the subscription tier. Most tools default to not training on paying business customers' data and provide an opt-out or automatic exclusion at business subscription levels. Free consumer tiers typically default to using conversation data for training, with an opt-out available in settings. Always check the current privacy settings and terms for the specific tool and tier you are using, because these defaults have changed over time and may change again. The comparison table above reflects the position as of June 2026; verify current terms directly with each vendor.
Is there an AI tool with Australian data residency?
Among the major general-purpose AI tools, Microsoft Copilot through M365 is the closest to Australian data residency for Australian commercial customers, as Microsoft operates data centres in New South Wales and Victoria and commits to storing core M365 customer data in the region. The specific Copilot data processing position requires review of Microsoft's current Copilot data residency documentation. No major general-purpose AI tool (ChatGPT, Claude, Gemini, Notion AI) currently offers Australian data residency. For non-AI cloud storage used alongside AI tools, providers like pCloud offer European data centre options as an alternative to US-based storage for sensitive documents.
How often does data residency information change?
AI tool data residency and data handling commitments change regularly. Vendors update their terms, add new data centre regions, and revise their model training policies. This article is reviewed quarterly: the last review date is shown at the top of the article. Before making significant decisions about AI tool adoption based on data residency considerations, always check the current vendor documentation rather than relying on summaries. Microsoft's trust centre, OpenAI's privacy policy, Anthropic's privacy documentation, and Google Workspace's data processing addendum are the primary sources for each tool.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Once you know where your AI tool data goes, the next step is assessing what questions to ask before signing up with any AI vendor. Our AI data sovereignty guide covers the ten questions to ask and what acceptable answers look like.
Read the AI Data Sovereignty Guide