AI delivers real productivity. Where do your data go when you paste a PDF into the chat?
OpenAI, Anthropic and Google have made AI an everyday tool, and the productivity is real. But every time an employee pastes a contract, those data cross into a server outside the EU. For most, that trade-off is fine. For certain sectors, it no longer is.
Worth starting with what's true and nobody disputes here: ChatGPT, Claude and Gemini have done something difficult to overstate. They've turned AI into an everyday tool — for the marketing team writing a brief, the legal department reviewing a contract, the developer asking for refactors. The productivity they deliver is real, measurable and, for most companies, beyond doubt. This article isn't about that.
It's about what happens exactly the moment an employee presses Enter — an operational detail most organisations haven't stopped to look at, and that for some is becoming a problem.
The data's journey when you press Enter
When you paste a contract, a quarterly balance sheet, an internal email or an RFP PDF into any of the major providers' assistants, that content travels to a datacenter outside the EU — typically the United States. The connection is encrypted in transit, yes, but data residency (where it lives, under what jurisdiction it's processed) and what's done with it once there are different things, governed by each provider's T&Cs and privacy policy.
What providers themselves publicly document about their consumer products (not their paid APIs, which have different policies):
Data residency
Primary servers outside the EU in most cases. EU residency options exist in enterprise plans — not by default on individual or team plans.
Use for training
On by default in consumer plans (with manual opt-out). Off by default in paid enterprise plans — but the option to enable it remains and depends on admin configuration.
Conversation retention
Typically 30 days after deletion, retained for abuse or security review — even when the chat is deleted.
Legal jurisdiction
US companies are subject to the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) — which lets US authorities request data stored by US companies regardless of where the servers physically live.
None of the above is a secret. It's all in each provider's privacy pages, accessible to anyone who wants to read them. And for the vast majority of companies, it's not a problem: the data they send isn't sensitive, the providers are serious, the security policies are robust, and the productivity-vs-residency trade-off lands clearly on the productivity side. That's the normal case.
For some companies, however, it is
There's a group of organisations for which this trade-off has stopped being comfortable. They share two traits: they work with intrinsically sensitive data, and they operate under regulatory frameworks that make them responsible for where that information ends up. Mainly:
- Central and regional public administration — citizen data, ENS Medium or High category as an obligation.
- Healthcare — clinical histories under reinforced GDPR (Article 9, special categories of personal data).
- Defence and security — national classification, critical-supplier dependency.
- Banking, insurance, financial services — DORA, banking secrecy, ECB / Bank of Spain supervision.
- Legal sectors — attorney-client privilege, confidentiality of ongoing proceedings.
- Pharmaceutical industry — IP on clinical trials, formulations, regulatory dossiers.
For these sectors, the question "where is this processed?" isn't a technical detail — it's an answer the regulator can ask for in writing. And it's an answer that has become more demanding in recent months with the effective enforcement of NIS2 (Spanish transposition in RD-ley 7/2025), the European AI Act (rolling enforcement through 2025-2026) and the bar being raised on ENS towards Medium and High categories as a public-procurement requirement.
The shift that makes all of this solvable
Two years ago, telling a regulated company "use open-source models on your own infrastructure" was bad advice. Open models were two generations behind closed ones, and operating them required an MLOps team most organisations don't have. That advice has aged poorly.
The competitive open-source models of 2026 — Qwen 3.6, Gemma 4, GLM 5.1, NVIDIA's Nemotron family, DeepSeek V3.5 — have reached parity with closed ones on many tasks that matter in enterprise: reasoning, code, multilingual analysis, vision-language. Not on all: at some frontiers (complex agents, deep reasoning) the closed ones still set the pace. But for 80% of an organisation's daily work, end users no longer notice the difference.
What's still expensive is running them. Keeping an updated version of each model, serving it with low latency, encrypting data end-to-end and demonstrating all of that to an ENS auditor isn't done over a weekend. That's why we built OdiModel.
OdiModel: same chat experience, different data geography
OdiModel is our AI assistant: a standard chat interface, with built-in web search and native bidirectional voice, that gives access to the strongest open-source models at any given time. Today's catalogue: Gemma-4-E4B, Qwen 3.6 (including the recently added 27B), Qwen 3 / 3.5, Nemotron-VL-8B, Nemotron-30B and GLM-5.1-FP8. The list is open — if a customer needs a specific model that isn't in the catalogue, we deploy it within 24 hours provided it meets open-source conditions.
What changes versus a commercial assistant lives underneath: every conversation is processed on a dedicated NVIDIA HGX B200 cluster in a Spanish datacenter, with AES-256 end-to-end encryption, account-level session and storage isolation, and no use of conversations for training. GDPR native, ENS, ISO 27001 — not as a premium tier, but as the only way the product exists.
There's an additional differentiator built for a very specific audience: voice. OdiModel synthesises voice natively in Spanish, English, Catalan, Basque and Galician. It's the only AI assistant on the market with full coverage of Spain's four official languages, which makes it a direct answer for regional administrations, multilingual public services, regional media and companies with real operations in Catalonia, the Basque Country or Galicia. For those customers, there's no comparable functional alternative on the market today.
“OdiModel isn't a cheaper or more powerful alternative to ChatGPT. It's the alternative that keeps the data at home.”
When each tool
This isn't about "stop using ChatGPT". It's about reading clearly which tool fits which case. If your marketing team is writing emails and blog posts with non-sensitive data, ChatGPT or Claude are excellent and inexpensive tools. If your legal department is dropping contract drafts into a chat, or your IT team is asking an assistant to analyse a log dump with personal data, or your public administration is serving a citizen in their official language, the conversation changes.
OdiModel is in public beta today, open with no commitment, free during beta, at odimodel.gpusolutions.ai. If your organisation is in one of the sectors above and you want to compare open-model performance on your own use cases before discussing enterprise plans, that's the place.