Privacy & compliance guide
Claude privacy & compliance: Individual, Team & Enterprise
Can your admin see your chats? Does Anthropic train on your data? What compliance does Claude actually hold? A plain-English guide for Malaysian teams weighing a rollout — compiled from Anthropic's Privacy Center, Trust Center, and Help Center.
The short answer
“Can my admin see my Claude chat?”
On a personal plan (Free, Pro, Max), no — there is no admin, and only you see your chats. On a company plan (Team or Enterprise), treat Claude like work email: it is not casually monitored, but your organisation can access your conversations when it has a reason — a Primary-Owner data export on Team, and the Compliance API on Enterprise.
01 · Privacy & compliance at a glance
| | Individual | Team | Enterprise |
|---|---|---|---|
| Who can see your chats | | | |
| Who can read your conversations | Only you — there is no admin | You; the Primary Owner can export your data | You; the org can also access content via the Compliance API |
| Visible to teammates? | No | Only Projects you choose to share | Only Projects you choose to share |
| Data use & retention | | | |
| Used to train Claude? | Your choice (opt-in since 8 Oct 2025) | Never, by default | Never, by default |
| Data retention | 30 days (declined) to 5 years (allowed) | Standard; deleted chats are removed | Custom period, min 30 days; audit-logged |
| Governance & compliance | | | |
| Central admin controls | — | Seats, SSO, spend caps, usage analytics | + SCIM, role-based access, audit logs |
| Compliance API (content access) | — | — | Yes |
| Compliance certifications | Consumer plan — not covered | SOC 2, ISO 27001 & 42001 | SOC 2, ISO 27001 & 42001 |
| HIPAA BAA available | — | — | Yes — sales-assisted |
Compiled from Anthropic's Privacy Center, Trust Center, and Help Center, accurate at July 2026. Certifications cover commercial products (Claude for Work and the API), not consumer plans.
02 · Who can see your chats, plan by plan
The honest answer for each plan
Individual · Free / Pro / Max
Private to you — but you choose on training
No admin, no organisation. Only you can see your chats, and Anthropic staff access is limited (safety classifiers may review flagged content). Since 8 October 2025 you decide whether your chats improve Claude: allow it and retention runs to 5 years, decline it and it stays at 30 days.
Team · 5–150 seats
Not casually monitored — but the owner can export
Regular admins get seat, spend, and usage controls, not a window into your chats. The Primary Owner, however, can request a data export that may include your conversations and files. Your data is never used for training. Personal chats stay private unless you share a Project.
Enterprise · regulated & large orgs
Full governance — including content access
Everything in Team plus SSO/SCIM, role-based access, audit logs, custom retention, and a Compliance API that gives the organisation programmatic access to usage data and conversation content for eDiscovery and monitoring. This is the plan for organisations that must be able to access and govern content — by design.
03 · Training & data retention
Does Anthropic train on your data, and for how long is it kept?
The single most important distinction is consumer versus commercial. On Team, Enterprise, and the API, Anthropic does not use your prompts and responses to train its models by default — this is the reason most businesses should put sensitive work on a commercial plan rather than a personal one.
On individual Free, Pro, and Max plans the position changed on 8 October 2025: you now choose whether your chats improve Claude. Allow it and retention extends to five years; decline it and the standard 30-day window applies. Deleting a chat removes it from your history, after which it is cleared from Anthropic's back-end systems per their policy. On Enterprise, a Primary Owner or Owner sets a custom retention period — a minimum of 30 days, with data kept indefinitely unless a period is configured — and every retention change and deletion is written to an audit log.
04 · What this means for PDPA in Malaysia
Using Claude with PDPA-regulated data
For a Malaysian business subject to the Personal Data Protection Act, the model is only half the picture. A commercial Claude plan gives you the raw ingredients — no training on your data, configurable retention, SOC 2 and ISO 27001/42001 assurance, and on Enterprise the audit logs, role-based access, and a data-processing agreement or BAA that regulated work needs.
But PDPA compliance turns on how you deploy and govern it: minimise the personal data you send, control who can access it, sign the right processor agreement, and be deliberate about where inference runs. That is the work we scope with clients — and it is a conversation for your data protection officer or counsel, not something the model settles on its own. This page is a starting point, not legal advice.
05 · Frequently asked questions
Can my company or admin read my Claude chats on a Team or Enterprise plan?
Not through a casual admin dashboard. On the Team plan, regular admins have no feature to browse your conversations — but the organisation's Primary Owner can request access to your user data through a data export, which may contain your conversations, uploaded files, and usage patterns. On Enterprise, the organisation can additionally access conversation content programmatically through the Compliance API and set data-retention rules. So on a company plan, treat Claude like work email: it is not casually monitored, but the company can access it when it has a legitimate reason. On a personal Free, Pro, or Max plan there is no admin — only you can see your chats.
Does Anthropic train Claude on my conversations?
On Team, Enterprise, and the API (including Amazon Bedrock and Google Vertex AI), no — customer prompts and responses are not used to train Anthropic's models by default. On individual Free, Pro, and Max plans the rule changed on 8 October 2025: you now choose. Allow your chats to improve Claude and retention extends to 5 years; decline and the standard 30-day retention applies.
How long are my Claude conversations kept?
On individual plans, 30 days if you decline model training, or up to 5 years if you allow it; deleting a chat removes it from your history and it is then removed from Anthropic's back-end systems per their retention policy. On Team, standard retention applies and deleted chats are removed. On Enterprise, a Primary Owner or Owner sets a custom retention period (minimum 30 days; data is retained indefinitely unless a period is set), and all retention changes and deletions are recorded in audit logs.
Is Claude SOC 2 or HIPAA compliant?
For its commercial products — Claude for Work (Team and Enterprise) and the Anthropic API — Anthropic maintains SOC 2 Type I and Type II, ISO/IEC 27001:2022, and ISO/IEC 42001:2023, plus a HIPAA-ready configuration with a Business Associate Agreement (BAA) available on sales-assisted Enterprise and the first-party API. Consumer Free/Pro/Max plans are not the vehicle for these commitments. Current certifications and the sub-processor list are published in Anthropic's Trust Center.
Can I use Claude with PDPA-regulated personal data in Malaysia?
Yes, with the right plan and setup. Commercial plans do not train on your data and support retention controls; Enterprise adds audit logs, role-based access, a Compliance API, and a BAA/data-processing-agreement path. But PDPA compliance is mostly about how you deploy and govern Claude — data minimisation, access control, a processor agreement, and where inference runs — not the model alone. Treat this page as a starting point for your DPO or counsel, not legal advice.
Are my chats private from other people on my team?
Yes. Your individual chats are private to you unless you explicitly share a Project or conversation. Sharing a Project gives the people you choose 'Can view' or 'Can edit' access to that project's chats, knowledge, and instructions — but your other personal chats stay private and are not exposed to teammates.
What is the difference between Team and Enterprise for privacy and compliance?
Both keep your data out of model training and give you central admin and SSO. Enterprise adds SCIM provisioning, fine-grained role-based access control, audit logs, the Compliance API for programmatic access to usage data and content, custom data-retention timelines, and options such as customer-managed encryption keys, US-only inference, and a HIPAA BAA — the governance controls regulated organisations typically need.
06 · Sources
Verified against Anthropic's own documentation
Every claim on this page is drawn from Anthropic's primary sources, listed here so you can verify each point directly rather than take our word for it:
- Anthropic Privacy Center — Who owns and manages the data of my team? — the Primary Owner can request access to member data via data exports that may include conversations, files, and usage.
- Anthropic — Claude Code and new admin controls for business plans — the Enterprise Compliance API gives real-time programmatic access to usage data and customer content.
- Anthropic — Updates to Consumer Terms and Privacy Policy — the 8 October 2025 model-training choice for Free/Pro/Max and the 5-year vs 30-day retention split; does not apply to commercial plans.
- Anthropic Privacy Center — Custom data retention controls for Claude Enterprise — minimum 30-day retention, indefinite by default, and audit logging of all retention changes.
- Anthropic Privacy Center — Do you have SOC 2 or HIPAA certifications? — SOC 2 Type I & II, ISO/IEC 27001:2022, ISO/IEC 42001:2023, and HIPAA-ready with a BAA for commercial products.
- Anthropic Trust Center — the authoritative, always-current list of certifications and sub-processors.
Disclaimer
All privacy and compliance information on this page is compiled from publicly available information on Anthropic's Privacy Center, Trust Center, and Help Center and is provided for reference and research only, accurate at July 2026 and subject to change at Anthropic's discretion. It is not legal advice; confirm your obligations with your own data protection officer or counsel. Anchor Sprint is a member of the Anthropic Claude Partner Network — a deployment and rollout partner, not a reseller. Anchor Sprint is not affiliated with, authorized by, or endorsed by Anthropic; Claude and Anthropic are trademarks of Anthropic, PBC. For authoritative security and compliance documentation, see Anthropic's Trust Center.
Free consultation
Rolling out Claude on sensitive or PDPA-regulated data?
Tell us your team size, the data Claude will touch, and your compliance obligations. We will recommend the right plan and configure a PDPA-aligned deployment — access controls, retention, and processor agreements — then help you roll it out. We do not resell seats.
