Zero Data Retention Isn't Zero Exposure: What ZDR Covers and What It Can't
ZDR is a promise about what happens after your data arrives. Carve-outs, model overrides, legal holds, your laptop — and whether Anthropic trains on your code.
Does a zero data retention (ZDR) agreement mean your data is never stored? No. It means the provider commits to deleting your inputs and outputs after processing instead of holding them for the default window. That promise comes with exceptions the providers themselves document: safety carve-outs, model-specific overrides, and court orders that can suspend deletion outright. ZDR is real, it’s worth having, and if your organization can negotiate it, you should. But notice what kind of thing it is: a policy about what happens to your data after it arrives.
That timing is the whole article. A retention policy can be revised: Anthropic attached a mandatory 30-day retention window to a class of its models on June 9, 2026, ZDR agreements included. It can be suspended: a US court ordered OpenAI to stop deleting ChatGPT logs on May 13, 2025. What no policy can do is reach backward and unsend something. The only data immune to every revision, carve-out, and preservation order is data that never left your machine. Disclosure before we go further: I maintain Sordino, a masking proxy built on exactly that premise. The bulk of this piece is provider documentation and court records though, and it stands on its own whether or not you ever touch my tool.
What does “zero data retention” actually cover?
A negotiated agreement, not a product default. OpenAI’s enterprise privacy page describes its API baseline: inputs and outputs may be retained for up to 30 days for abuse monitoring, and ZDR requires prior approval and doesn’t cover every endpoint. Anthropic’s version is similar in shape: ZDR applies to eligible APIs and to Claude Code with qualifying enterprise accounts, enabled per organization by the account team. Here is Anthropic’s own definition, from the Claude Code ZDR documentation:
When ZDR is enabled, prompts and model responses generated during Claude Code sessions are processed in real time and not stored by Anthropic after the response is returned, except where needed to comply with law or combat misuse.
Every clause is doing work. Processed in real time: the model and the infrastructure around it still handle your plaintext; ZDR governs storage, not access. Not stored after the response is returned: a disposal schedule, a promise about the after. Except where needed: the exceptions ride along inside the definition itself.
The same page is blunt about who has this: ZDR “is not included in the standard Claude for Enterprise plan and cannot be enabled from your admin settings.” If your mental model is “we’re on the enterprise plan, so nothing is retained,” that model is wrong by default.
The AI coding-tool retention reference
Since “check the current docs” is this article’s refrain, here is the current state in one place, with primary sources.
| Surface | Default retention | What’s exempt from deletion | Primary source | Effective date |
|---|---|---|---|---|
| Anthropic API & Claude Code | Inputs/outputs deleted within ~30 days; ZDR by negotiated per-org agreement | Flagged sessions up to 2 years; trust-and-safety classifier scores up to 7 years; Mythos-class models carry a mandatory 30-day window even under ZDR | Commercial data retention policy, Claude Code ZDR docs, Mythos-class retention notice | Mythos-class policy effective 2026-06-09 |
| OpenAI API | Up to 30 days for abuse monitoring; ZDR by prior approval, not all endpoints | Court-preserved logs under the NYT order (April through September 2025 data plus flagged accounts); ZDR API customers and ChatGPT Enterprise carved out | Enterprise privacy, Response to NYT data demands | Preservation order 2025-05-13, narrowed ~2025-09-26 |
Last verified: 2026-07-04.
What are the limitations of zero data retention?
Five places the promise doesn’t reach. None of this is speculation; every item comes from the providers’ own documentation or from the court record.
1. The carve-outs inside ZDR itself
Even with ZDR enabled, Anthropic still retains user-safety classifier results to enforce its Usage Policy, and flagged sessions can be kept even under ZDR. The durations, per Anthropic’s commercial data-retention policy:
We retain inputs and outputs for up to 2 years and trust and safety classification scores for up to 7 years if your chat is flagged by our automated trust and safety systems as violating our Usage Policy.
Classifiers flag things; that’s their job, and some fraction of what they flag will be yours by mistake. So under the strictest retention agreement on offer, a session an automated system took interest in can exist on the provider’s side for years. “Zero” ships with footnotes.
2. The override: Mythos-class models (June 9, 2026)
Effective June 9, 2026 — less than a month before this article — Anthropic’s data-retention practices for Mythos-class models took effect:
Prompts submitted to, and outputs generated by, Mythos-class models are retained for 30 days to support our safety work, on every platform where these models are offered.
It applies even to organizations with ZDR agreements: to use a covered model at all, an org has to explicitly enable 30-day retention for the workspace making the call; requests that don’t are refused outright. For a ZDR customer the choice is accept the retention or skip the model class.
The practitioner reaction on Hacker News is worth your time: objections centered on the hedged “almost all cases” phrasing, on what unilateral revision does to B2B trust, and on the retroactive feel of the whole thing — an agreement you already negotiated acquiring a new exception after signature. That last one is the part to sit with. Nothing about the episode suggests it’s the last revision.
Large organizations have noticed. In late June 2026, Meta reportedly restricted employee use of Claude Code and OpenAI Codex, citing proprietary-code exposure and distillation risk, as reported by The Information.
3. Legal holds: the NYT v. OpenAI timeline
The clearest public demonstration that a court outranks a deletion policy, in three dated steps:
- May 13, 2025 — a federal court in The New York Times’ copyright suit orders OpenAI to preserve ChatGPT output logs it would otherwise have deleted. OpenAI publicly objected, saying the demand conflicted fundamentally with the privacy commitments it had made to its users.
- June 26, 2025 — the order is affirmed.
- ~September 26, 2025 — the order is narrowed: standard 30-day deletion resumes for most consumer users, while chat data from roughly April through September 2025, plus flagged accounts, stays preserved. ZDR API customers and ChatGPT Enterprise are explicitly carved out of the preservation requirement.
OpenAI was right to object, and it lost anyway. That’s the lesson: a provider’s deletion promise is subordinate to legal process, no matter how sincerely the provider means it. Deletion promises are revocable, retroactively. Sending is not revocable at all. Hold onto that carve-out detail; it comes back below.
4. Your own laptop
I verified this on a live install this week (July 2026): Claude Code stores session transcripts as plaintext JSONL under ~/.claude/projects/, and no provider agreement has anything to say about that directory. Every credential that crossed a recent session — pasted by you, or read off disk by a tool call — is sitting in those files until local cleanup prunes them. Where they live, how long they persist, and what to do about them is covered in the local-transcripts section of The Full Life of a Pasted Secret.
5. Your employer’s admin console is a retention system too
Enterprise AI accounts give organization admins audit and export access to conversation history (Anthropic’s enterprise docs list audit logs among the admin capabilities that run alongside ZDR); that’s ordinary governance, the same visibility your employer has over work email, and a retention surface in its own right, because an export is a copy on someone else’s schedule. It means “who can see my prompts” has answers that have nothing to do with provider retention. The full answer, tier by tier, is in who can see my prompts at work.
So is ZDR worthless?
No, and the strongest evidence is inside the preservation order itself: when the court forced OpenAI to keep everyone else’s logs, ZDR API customers and ChatGPT Enterprise were excluded, per OpenAI’s own statement. The contract held precisely where it applied: data that was never retained wasn’t there to be preserved. That’s the best empirical argument for ZDR I know of, and it’s why I’d tell any org that can get it to get it.
The carve-out is worth staring at, though, because it generalizes. The customers in the strongest position when the order landed were the ones whose data didn’t exist on OpenAI’s servers. ZDR approximates that position contractually, with a boundary drawn by someone else’s litigation and the provider’s own exceptions — and four of the five gaps above sit entirely outside anything you can sign with a provider. ZDR narrows the window on the provider’s side of the wire. It does nothing about the act of sending. You can get closer to the strong position structurally: data that never arrives needs no carve-out analysis, doesn’t depend on a model-class policy holding steady, and can’t be swept into a preservation order.
The complement: data that never arrives
Data that never arrives is the premise Sordino is built on: a local masking proxy for Claude Code and OpenAI Codex that swaps detected secrets and PII for opaque deterministic tokens before the bytes leave your machine, then restores the originals locally on the way back. On the masked wires it’s fail-closed: mask or refuse, never silently forward unmasked. The token-to-value table lives on your machine, encrypted (AES-256-GCM), and the proxy itself is loopback-only with no telemetry; there is nothing on the provider’s side to reverse. The recognizers, the determinism that keeps prompt caching and multi-turn sessions stable, and per-project isolation are covered in the docs. What matters here is what tokenization does to every gap above: a safety classifier that flags your session retains tokens. A Mythos-class 30-day window retains tokens. A preservation order preserves tokens. An admin export shows tokens. The line we use on the site is “not zero data retention — zero data access”: the model never had the value to begin with.
What this doesn’t solve
Three limits matter here. First, gap 4 is untouched: those plaintext transcripts under ~/.claude/projects/ are still on your disk, because Sordino doesn’t change local storage; the guarantee is about the wire and the provider. Second, the scope is the LLM wire: Sordino masks the egress from your coding tool to the provider’s API. It is not a sandbox (an agent with shell access can still read local files; that’s a permissioning problem), and it doesn’t sit on non-LLM egress like a curl in a tool call or a git push. Third, detection is pattern-based plus an optional ML model: recall is not 100%, and a value nothing recognizes goes through unmasked — the one unconditional guarantee is for values you explicitly register as secrets. Pretending a masking layer covers any of those would be exactly the kind of overclaim this article is complaining about.
Does Anthropic train on my code?
It depends on your tier, and both answers are dated; treat this as a sourced snapshot. On commercial tiers (the API, Claude for Work), Anthropic’s Commercial Terms, effective June 17, 2025, state it flatly: “Anthropic may not train models on Customer Content from Services.” On consumer tiers (Free, Pro, Max, including Claude Code on those plans), your data is not used for training by default; training happens only if you opt in via the Privacy Settings toggle that asks to “allow us to use your chats and coding sessions to improve Claude.” Carve-outs apply even around those defaults: safety-flagged conversations may be used and analyzed for Usage Policy enforcement, thumbs up/down feedback is stored for up to 5 years (de-linked from your user ID before any training use), and Incognito chats are never used. So: verify your tier and your toggle. And the structural point survives every future revision — training terms, like retention terms, only govern data that arrives. A value that was never sent can’t end up in anyone’s training set, under any terms.
Can my AI chats be subpoenaed?
Yes. While they exist on a provider’s systems, they’re reachable by legal process like any other business record. The clearest public example is a preservation order rather than a subpoena — the NYT v. OpenAI timeline above — but the mechanism is the same: a court outranks a deletion policy, retroactively. The only data reliably beyond a subpoena served on your provider is data your provider never had.
Is ZDR included with Claude Code on an enterprise plan?
No. Per Anthropic’s documentation, ZDR is limited to qualified accounts, requires separate enablement by the Anthropic account team rather than a switch in your admin settings, and applies per organization — a new org under the same account needs its own enablement. If ZDR is a compliance requirement for you, verify that it is actually enabled, in writing, for each org. Don’t infer it from the plan name.
Where this leaves you
Get ZDR if you can; the NYT carve-out shows it’s worth real money when it counts. Then be honest about its shape: a promise about the provider’s side of the wire, revisable on their timeline, suspendable on a court’s, silent about your own disk and your employer’s console. Layer accordingly: negotiate the contract, know where your local transcripts live, and shrink what crosses the wire in the first place. If you’re the person writing the policy rather than the one subject to it, the map of which controls actually live at which layer is in Is Claude Code Safe for Company Code? Where Bans, DLP, and ZDR Stop Working.
If I’ve got a fact wrong here, email me (javair@sordino.sh); I’d rather fix the article than defend it. And if you’re evaluating this for an organization and need custom masking rules plus live visibility into exactly what was sent versus what was masked, that’s Sordino Enterprise.