Hey fellow developers, using AI in our coding workflow has become pretty standard, but there's a big catch you need to watch out for: your secrets could be leaking! Many of us hit an error, copy the whole stack trace, and ask an AI model to "just figure this out fast." The problem is that sometimes, buried deep in that trace, is a `DATABASE_URL` with a live password. In a matter of seconds you get your answer, but now your secret is somewhere you can't reach or delete.

Those chat windows with large language models (LLMs) aren't as private as we might think. They're outbound requests that fan out to several places, and exactly where depends on what you're paying for. On free and consumer tiers, your inputs are often retained and may be used to improve the model. On paid Pro, Team, and Enterprise tiers, providers typically contract not to train on your data and offer shorter or zero retention windows, which is genuinely safer. However, "not trained on" isn't the same as "never stored." Request logs, abuse-detection systems, human-review exceptions, and sub-processors all still exist and may hold onto your information.

Your data can cross this boundary in three ways:

1. **What you explicitly paste:** the stack trace, config files, or code snippets.
2. **What the tool auto-attaches:** modern coding assistants pull in context you never explicitly gave them, such as open files, the surrounding repository, or terminal output.
3. **What the model emits:** the model might echo back a secret you fed it earlier, and it ends up in a commit, a pull request description, or a log line.

The key takeaway is that the AI provider isn't an adversary. They're a trusted-but-unverifiable third party. The risk isn't that they're lying about training; it's that you can't audit their internal pipeline, and their policies, sub-processors, and exposure to breaches can all change. So use AI with a clear threat model in mind, not just a vague feeling that it's safe.
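The first leak channel above (what you paste) is the one you control directly, and the practical mitigation is to scrub the text before it leaves your machine. Below is an added example, not code from the original post: a small pre-send redaction filter in Python that masks the password in a connection URL like the `DATABASE_URL` case, `KEY=VALUE` pairs with secret-looking keys, `Authorization: Bearer` headers, and a couple of well-known token shapes (GitHub `ghp_`-style tokens and AWS access key IDs). The rule list and the sample stack trace are constructed for illustration; the credential values in it are fake.

```python
"""Redact secrets from text (stack traces, logs, config) before pasting it into an LLM prompt.

Constructed example for illustration; rule names and sample data are not from any real project.
"""
import re

# Each rule: (name, compiled pattern, replacement). Order matters: structured rules run first
# so that, e.g., a token sitting in KEY=VALUE form is attributed to the env_secret rule.
RULES = [
    # Password embedded in a URL, e.g. postgres://user:pass@host:5432/db -> keep user, mask pass.
    ("url_password",
     re.compile(r"(\b[a-zA-Z][a-zA-Z0-9+.-]*://[^:/@\s]+:)([^@\s]+)(@)"),
     r"\1[REDACTED]\3"),
    # KEY=VALUE pairs whose key name suggests a credential.
    ("env_secret",
     re.compile(r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*)=(\S+)"),
     r"\1=[REDACTED]"),
    # HTTP bearer tokens copied from request logs.
    ("bearer_header",
     re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)"),
     r"\1[REDACTED]"),
    # GitHub personal/OAuth/app tokens (ghp_, gho_, ghu_, ghs_, ghr_ prefixes).
    ("github_token",
     re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
     "[REDACTED]"),
    # AWS access key IDs (the ID itself is not secret, but it pairs with the secret key above).
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED]"),
]


def scrub(text: str) -> tuple[str, list[str]]:
    """Return (redacted_text, names_of_rules_that_fired)."""
    fired = []
    for name, pattern, replacement in RULES:
        text, count = pattern.subn(replacement, text)
        if count:
            fired.append(name)
    return text, fired


def safe_to_send(text: str) -> bool:
    """True if no redaction rule matched, i.e. nothing secret-looking was found."""
    return not scrub(text)[1]


# Constructed sample: a stack trace that embeds a live-looking DATABASE_URL plus a dump of
# environment variables. All values are fake.
SAMPLE_TRACE = """Traceback (most recent call last):
  File "app/db.py", line 42, in connect
    engine = create_engine(os.environ["DATABASE_URL"])
sqlalchemy.exc.OperationalError: could not connect to postgres://app_user:Sup3rS3cret!@db.internal:5432/prod
Environment: AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

if __name__ == "__main__":
    cleaned, rules = scrub(SAMPLE_TRACE)
    print("Rules fired:", rules)
    print(cleaned)
```

Wire `scrub()` in front of whatever sends the prompt (a shell alias around your clipboard, a pre-commit hook for PR descriptions, or the assistant's own pre-send hook if it offers one), and treat a non-empty rule list as a reason to stop and look rather than as a guarantee that everything left is safe: pattern matching only catches the shapes you anticipated, which is exactly why the threat model above still matters for the context the tool attaches on its own.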
Stay vigilant!