Is ChatGPT Confidential for Nonprofits in Canada?
- Sarah Downey
- Feb 9
Plain-language safety rules for staff, donor data, and client information.

Quick note: This is practical governance guidance, not legal advice. If you handle sensitive client data or operate under public-sector privacy rules, get privacy counsel involved.
Nonprofit staff are already using ChatGPT and similar tools for drafting, summarizing, and brainstorming. The risk is not that people are using AI. The risk is that they are using it without shared guardrails.
This guide answers the question nonprofit leaders are asking: Is ChatGPT confidential? What is safe to use it for at work, and what is not?
Quick answer: Is ChatGPT confidential?
No, you should not assume it is confidential by default. Treat public AI chat tools like a semi-public space unless you have an enterprise setup with clear contractual privacy terms, admin controls, and staff rules. Canada’s privacy regulator explicitly warns that what you enter may be collected and stored, and encourages limiting personal information in AI chatbots. (Office of the Privacy Commissioner)

What “confidential” means at work
Confidential means you would not want the information exposed, reused, or accessed outside your organization. If a piece of information could harm a client, donor, staff member, or your reputation if disclosed, it belongs in your “never-enter” category.
A useful test: If you would not put it in an email to the wrong recipient, do not put it in a chatbot.
Why this question is getting louder in Canada
Search is becoming more conversational and AI-driven, including in Canada. Google is rolling out AI Mode in Canada, designed for longer, multi-part questions and follow-ups. This is shifting how people seek advice and how quickly they expect answers. (blog.google)
This matters for nonprofits because “quick drafts” can become “quick decisions” if you do not set boundaries.
What happens to what staff type into an AI chatbot?
It depends on the tool, the settings, and your account type, but you should assume prompts may be logged and stored. The Office of the Privacy Commissioner of Canada advises people to be strategic because information entered into AI chatbots may be collected and stored. (Office of the Privacy Commissioner)
If your organization wants to use AI tools for work, the safest approach is: set clear rules, choose tools intentionally, and reduce sensitive inputs.

The nonprofit “Never-Enter” list
If your team remembers only one thing, make it this list. These items should not go into public AI chat tools, even “just for drafting.”
Never enter:
- Identifiable client or community member information (names, contact details, case details)
- Donor lists, giving history, wealth screening outputs, or donor notes
- HR records, performance notes, disciplinary details, medical details
- Passwords, access links, security procedures, or internal vulnerabilities
- Confidential board materials, legal drafts, contract negotiations
- Non-public financials or bank details
- Any combination of details that could identify a person, even if names are removed
This aligns with the Privacy Commissioner’s core guidance: limit personal information and protect privacy when using AI chatbots. (Office of the Privacy Commissioner)
What is safe to use ChatGPT for at work (low-risk uses)
Yes, there are safe, high-value uses if you keep inputs clean and require human judgment. Focus on drafting, structure, and language tasks using non-sensitive information.
Generally safe uses:
- Drafting internal emails and agendas using generic details
- Rewriting text for tone, clarity, or reading level
- Summarizing public webpages or reports you paste in that contain no sensitive data
- Brainstorming event themes, workshop outlines, or FAQ ideas
- Creating checklists, templates, and meeting scripts
- Turning your own notes into a cleaner first draft (with sensitive details removed)
Government of Canada guidance on generative AI also emphasizes responsible use and managing risks, which supports this “low-risk, bounded use” approach. (Canada)
What is not safe without extra safeguards
Some use cases look harmless but create high risk quickly. If the output could affect services, trust, or finances, you need stronger controls.
High-risk uses (do not do without governance and safeguards):
- Client-facing advice, triage, or service navigation without human oversight
- Anything involving vulnerable populations or safety-critical decisions
- Drafting public statements that include factual claims without verification
- Generating legal, HR, or financial guidance for real situations
- Personalizing donor outreach using donor data inside a chatbot
- Any integration that touches your CRM or case management system
If you serve vulnerable communities, treat client-facing AI as a governance project, not a quick add-on.
Staff rules that prevent 90% of AI incidents
You do not need a complex policy to prevent most harm. You need a short set of rules that staff can follow daily.
Minimum staff rules:
- Do not paste anything from the “Never-Enter” list.
- AI can draft, but a human must approve anything public-facing.
- Verify facts, numbers, and quotes before publishing.
- Use AI for structure and language, not decisions.
- When unsure, pause and ask the designated internal owner.
Canada’s Cyber Centre also publishes practical risk and mitigation guidance for generative AI, reinforcing the value of simple controls and awareness. (Canadian Centre for Cyber Security)
How to handle hallucinations and misinformation
Assume AI can be confidently wrong. Require verification for anything public, anything financial, anything legal, and anything that could affect services or trust.
A simple verification rule:
- If you cannot confirm it from a reliable source, do not publish it.
- If it is sensitive, get a second human review.
If you want “enterprise safety,” ask these vendor questions
Buying a tool is a governance decision when data is involved. Before paying for an AI tool or integrating it into workflows, ask:
Vendor checklist:
- Are prompts and outputs used for training? Can we opt out?
- How long is data retained? Can we delete it?
- Where is data stored and processed?
- Do we have admin controls, audit logs, and user management?
- Can we restrict file uploads or sensitive categories?
- What happens if we cancel the service? How do we export or delete data?
- What security certifications or controls exist?
This aligns with the Government of Canada’s responsible-use guidance, which emphasizes risk management and oversight. (Canada)

What to do if someone pastes sensitive info into ChatGPT
Plan for mistakes and make reporting safe. Staff will make errors. The key is quick containment and clear escalation.
Incident book:
- Report immediately to the designated owner (no blame, speed matters).
- Record what was shared and when (minimal necessary details).
- If possible, delete the chat history or the content, following tool guidance.
- Pause similar use until you understand what happened.
- Assess whether this is a privacy breach and whether notification obligations apply.
Your board does not need to manage this incident, but it does need to ensure the organization has a plan.
Simple policy vs staff guidelines
(So boards can govern without micromanaging)
Put stable rules in policy and practical examples in staff guidelines. This keeps governance durable while letting staff practices evolve as tools change.
Policy (stable):
Purpose, boundaries, data rules, prohibited uses, accountability, vendor expectations, incident response, review cadence
Staff guidelines (update often):
Safe prompt examples, red-flag scenarios, do and do not screenshots, “what to do when unsure”

Frequently Asked Questions
Is ChatGPT confidential for work?
Not by default. Treat it as non-confidential unless you have a managed organizational setup with clear privacy terms, admin controls, and staff rules. (Office of the Privacy Commissioner)
Can I paste donor data into ChatGPT to write a better fundraising email?
Do not paste donor lists, giving history, or donor notes into public AI chat tools. If your organization wants AI-assisted personalization, use a controlled system with strict data boundaries and governance.
What data should never go into an AI chatbot?
Client or community member information, donor data, HR records, passwords, confidential internal documents, and anything that could cause harm if exposed. Start with a short “never-enter” list and train staff on it. (Office of the Privacy Commissioner)
How do we reduce hallucination risk?
Require verification for anything public, financial, legal, or service-impacting. Use AI for drafting and structure, not decisions.
Do small nonprofits need an AI policy?
Yes, but it can be short. One page that defines allowed uses, prohibited uses, the never-enter list, and who owns oversight is enough to start.
In closing
AI tools are becoming normal parts of how people search, write, and make decisions. In Canada, that shift is accelerating as AI-driven search experiences expand. (blog.google)
Your job as a nonprofit leader is not to block AI. It is to protect trust while giving staff usable boundaries. Start with the never-enter list, a few approved uses, and a simple incident plan. Then build from there.
Need help turning ideas into a board-ready policy and a staff-safe-use guide?
Sarah Downey
Sarah Downey is a Canada-based consultant helping nonprofits adopt AI safely, ethically, and confidently through governance clarity and policy development.
Resource List
Canadian privacy, security, and public-sector guidance
Office of the Privacy Commissioner of Canada. (2025, May 6). AI chatbots and your privacy. https://www.priv.gc.ca/en/privacy-topics/technology/artificial-intelligence/ai_chatbots/ (Office of the Privacy Commissioner)
Government of Canada. (2025, June 3). Guide on the use of generative artificial intelligence. https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/guide-use-generative-ai.html (Canada)
Canadian Centre for Cyber Security. (2025, December 10). Generative artificial intelligence (ITSAP.00.041). https://www.cyber.gc.ca/en/guidance/generative-artificial-intelligence-itsap00041
Office of the Privacy Commissioner of Canada. (2024, May 1). PIPEDA requirements in brief. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/ (Office of the Privacy Commissioner)
GPT Platform specifics:
OpenAI. (2025, June 27). Privacy policy. https://openai.com/policies/row-privacy-policy/ (OpenAI)
OpenAI. (2025, June 4). Enterprise privacy at OpenAI. https://openai.com/enterprise-privacy/ (OpenAI)
OpenAI. (2025, April 28). How your data is used to improve model performance. https://openai.com/policies/how-your-data-is-used-to-improve-model-performance/ (OpenAI)
OpenAI. (n.d.). Data Controls FAQ. Retrieved January 23, 2026, from https://help.openai.com/en/articles/7730893-data-controls-faq (OpenAI Help Center)
OpenAI. (n.d.). Data usage for consumer services FAQ. Retrieved January 23, 2026, from https://help.openai.com/en/articles/7039943-data-usage-for-consumer-services-faq (OpenAI Help Center)
Province Specific (Alberta and BC)
Government of Alberta. (n.d.). Personal information for non-profits and other organizations. Retrieved January 23, 2026, from https://www.alberta.ca/personal-information-for-non-profits-and-other-organizations (Alberta.ca)
Office of the Information and Privacy Commissioner for British Columbia. (n.d.). For private organizations. Retrieved January 23, 2026, from https://www.oipc.bc.ca/for-private-organizations/ (oipc.bc.ca)

