Privacy and AI Assistants

How risky is it to let LLMs run code?

Giving an LLM the ability to execute Python and R code means that it can essentially do anything on your computer. This can be a concern, but we think this is reasonably safe today for a couple of reasons. First, the current frontier models tend not to run anything too risky and also respond well to prompts that discourage destructive or unwanted behavior. Second, our agents provide interfaces that allow the user to review and explicitly approve running code.

The ability to execute arbitrary code is also central to our tools’ usefulness. Combining access to specialized skills (e.g., reading R package documentation, inspecting session history) with the ability to execute arbitrary code can dramatically accelerate data science workflows in a way that is inaccessible to “safe”, read-only tools. Giving Databot the ability to execute code, for example, allows it to explore and visualize data however it is needed. Without this ability, Databot would be very limited in its ability to understand data.

Develop trust with your model provider

Posit, as the agent provider, does not store your data, but your model provider might. Therefore, to use LLM agents like Positron Assistant and Databot, it is important that you trust your model provider with your data and understand what they will and won’t do with that data.

You might ask, “I don’t want to expose my data to an LLM–can I obscure it from the model?” We think hiding your data, generally, is the wrong approach. Instead, you should reach an agreement with your model provider that lets you trust them with your data (see the next section for more details on these agreements).

Access to data is central to our tools’ ability to do their jobs. It is difficult to successfully anonymize information that’s passed to an LLM, especially if that LLM has access to execute arbitrary code. There’s typically nothing stopping the LLM from running code that lets them inspect the contents of a file or object. Further, hiding your data interferes with the model’s ability to operate successfully as a data science assistant. Using an AI data science agent while obscuring your data is similar to hiring a financial advisor but hiding the contents of your bank accounts. If you don’t trust a financial advisor to look at your accounts, they will be of little use to you and you probably shouldn’t hire them.

Luckily, there are many model providers that will contractually agree to specific privacy guarantees about your data, and these agreements are typically easy to come by. Posit’s BYO-key LLM tools allow you to connect to many different model providers, so you bring your model provider and specific contract with you when you use our AI tools.

An example: Anthropic’s Claude

To make this a bit more concrete, let’s talk about a specific model provider. Anthropic is the company behind Claude, a collection of frontier LLMs. At Posit, we often build our tools themselves with the help of Claude models, and Claude Sonnet is typically the default model recommended to users. Compared to the other major providers, Anthropic also has a relatively strong track record when it comes to data privacy.

Like other major AI labs, Anthropic serves its models via an API, which is how Positron Assistant and Databot access them.³ Below are some excerpts from Anthropic’s privacy policies. Visit their Privacy Center for complete and up-to-date information.

On data retention:

For Anthropic API users, we automatically delete inputs and outputs on our backend within 30 days of receipt or generation, except when you and we have agreed otherwise (e.g., zero data retention agreement), if we need to retain them for longer to enforce our Usage Policy (UP), or comply with the law…

On model training:

By default, we will not use your inputs or outputs from our commercial products (e.g., Claude for Work, Anthropic API, Claude Gov, etc.) to train our models.
If you explicitly report feedback or bugs to us (e.g., via our thumbs up/down feedback button) or otherwise choose to allow us to use your data, then we may use your chats and coding sessions to train our models.

Anthropic and other AI labs can also provide Zero Data Retention (ZDR) agreements to specific customers under which the provider does not store customer inputs or outputs “except where needed to comply with law or combat misuse.” They also can provide Business Associate Agreements (BAA), which provide some API services in compliance with HIPAA.

So, in broad strokes, Anthropic:

• Stores your requests for around 30 days by default.
• Does not use your data to train future models.
• Can make stronger privacy guarantees by prior arrangement.

Other providers

There are a few natural groupings of LLM providers when it comes to privacy.

• The three major AI labs, OpenAI, Anthropic, and Google Gemini, serve their models over APIs. The privacy guarantees for data sent over the API are generally stronger than for data provided via web interfaces. For the products that do not require you to pay for tokens, your data is likely being sold to third parties and/or used to train future models, unless you have a specific agreement with them.
  
• Enterprise-focused deployments like AWS Bedrock, Databricks, and Snowflake tend to serve models from the major AI labs with stronger privacy guarantees.
• Locally-hosted models are the most privacy-preserving option, but require significant resources to host near-frontier open models. Models that you can run on even the most capable laptops (in late 2025) leave much to be desired in terms of their agentic capabilities.