All articles
Compliance6 min·11 June 2026

Is putting your clients' data into ChatGPT legal?

Most accounting firms are quietly pasting payslips and tax filings into public AI tools. Here is what the GDPR and the EU AI Act actually say — and the one architecture that solves it.

It happens in every firm. A colleague pastes a balance sheet, a payslip or an URSSAF letter into ChatGPT to "go faster". Nobody flags it, because nobody talks about it. Yet that single copy-paste may put your firm in breach of the law.

What actually happens to that data

  • It leaves for servers located outside the EU, mostly in the United States.
  • You lose control over who can access it and how long it is retained.
  • You transfer personal data outside the EU without a clear legal basis (GDPR, art. 44 et seq.).
  • Depending on the provider's terms, it may be used to train future models.
The problem is not that AI is dangerous. The problem is that consumer tools were never designed for the professional secrecy your firm is bound by.

Why accountants are uniquely exposed

You handle the most sensitive data there is: salaries, tax positions, banking details, financial health. As the data controller, you are accountable for every transfer — even one made informally by a junior on a Friday afternoon. The CNIL does not distinguish between "a quick test" and a deliberate export.

The EU AI Act makes this stricter, not looser

As the AI Act rolls out, the obligations of transparency, traceability and risk management on AI systems keep growing. "We didn't know where the data went" is becoming an indefensible position. Firms that get ahead of this now will turn compliance into a selling point with their own clients.

The good news: it's not AI OR privacy

You can run a capable AI assistant entirely on the firm's own machine. No cloud, no third-party server, working even offline. The client file never leaves your walls — there is simply no endpoint for it to leave through. That is the architecture Locaible is built on: inference runs locally via Ollama, and we cannot read your data because it never reaches us.

No firm should have to choose between saving time and protecting its clients.

If you're an accountant weighing AI, the right first question isn't "which model is best?" — it's "where does my data physically go?". Answer that, and the rest follows.

Sovereign by architecture

Run AI without a single file leaving your office.

100% on-device, GDPR & EU AI Act compliant by design. See it on your own use case.