Direct answer
Without a vetted data agreement, do not send: customer PII, regulated records, source code under restrictive licenses, unreleased financials, security material, or third-party confidential data.
Why
Consumer AI endpoints have varying retention, training, and access rules. Treat them like external contractors with no NDA until you can prove the boundaries match your obligations.
What to do instead
- Use vendor agreements with explicit no-training and retention terms
- Redact PII before prompting
- Keep sensitive workflows in self-hosted or enterprise endpoints