Important: there are two different Geminis
Google ships two products under the Gemini name and they have materially different privacy postures. This is the single most common source of confusion in this database.
Consumer Gemini (gemini.google.com, Gemini Apps in Android, the Gemini side panel when you use it from a personal Google account). Training is on by default. Conversations retained for up to 18 months. Samples may be reviewed by human reviewers; reviewed conversations are kept for up to three years.
Workspace Gemini (the Gemini features inside paid Google Workspace plans — Gmail, Docs, Drive, Calendar, Meet when accessed from your work account). Training is contractually excluded by default. No human review. Data stays inside your organisation.
When SMB owners say "I use Gemini at work," they usually mean one of these and often do not know which. The distinction matters because the protection levels are different by an order of magnitude.
Plain-English risk rating: 3 of 5 (consumer Gemini) / 1 of 5 (Workspace Gemini)
We have split this into two ratings because the products are genuinely different.
Consumer Gemini sits at 3, similar to ChatGPT consumer and Claude consumer — training is on by default, opt-out exists but is buried, and the retention window is longer than competitors. Workspace Gemini sits at 1 (lowest risk) because the contractual no-training default, no-human-review default, and integration with existing Workspace access controls are genuinely the most privacy-protective configuration of any consumer-grade AI in this database.
Recommended for
- Sole proprietor on a personal Google account: Turn off Gemini Apps Activity. Use Temporary Chat for anything sensitive. Or upgrade to a Workspace Individual plan
- Small team (2-10 people): Workspace Business Standard or higher includes Gemini at no extra per-seat cost as of 2025. This is the best privacy-to-cost ratio in this database for SMB owners
- Regulated industry: Vertex AI through Google Cloud, with Zero Data Retention enabled on eligible endpoints. The Workspace tier is also acceptable for most regulated SMB use
- The honest answer for most 1-10 employee businesses already using Google Workspace: You are probably underusing the Gemini features inside Workspace. They are private by default, included in your existing plan, and respect your existing file permissions. The thing to avoid is letting employees use the consumer Gemini app for work tasks
Data retention default
Consumer Gemini:
- Conversations retained for up to 18 months by default
- Samples reviewed by human reviewers
- Conversations reviewed by humans retained for up to three years
- Setting at: myaccount.google.com → Data and Privacy → Gemini Apps Activity → set auto-delete to 3 months minimum, or turn off entirely
- Temporary Chat: conversations not saved, deleted after 72 hours, never used for training
Workspace Gemini (Business, Enterprise, Education, Public Sector):
- Standard Workspace retention rules apply
- Not retained for training
- Not reviewed by humans
- Respects existing Workspace data lifecycle controls
API / Vertex AI:
- 30 days standard
- Zero Data Retention available on eligible Vertex AI endpoints for qualifying customers
Training opt-out
Consumer Gemini — TRAINING IS ON BY DEFAULT. This is the same pattern as ChatGPT and Claude consumer tiers. The Google-specific quirk is that opting out requires turning off Gemini Apps Activity entirely, which also loses you the conversation history and personalisation. You cannot opt out of training while keeping your chat history — it is an all-or-nothing toggle. ChatGPT and Claude allow you to retain history while opting out; Gemini does not.
The setting lives at myaccount.google.com → Data and Privacy → Gemini Apps Activity → off.
Workspace Gemini — TRAINING IS OFF BY DEFAULT. No user-side toggle needed. The contractual exclusion is automatic for Workspace Business and Enterprise plans. Admins can further restrict Gemini access per organisational unit through admin.google.com → Apps → Google Workspace → Gemini.
Important quirk: If a Workspace user manually grants the consumer Gemini Apps access to their Workspace content from a personal Google account, that pulls the data into the consumer training pool. Workspace admins should disable cross-account integration to prevent this.
Zero Data Retention (ZDR) availability
- Vertex AI only (Gemini accessed through Google Cloud Platform)
- Available on certain endpoints, by request, for qualifying enterprise customers
- Not available for consumer Gemini or Workspace Gemini features (Workspace Gemini's defaults already exclude training, but the data is still retained per standard Workspace retention)
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | Training on your data? | Suitable for |
|---|---|---|---|
| Gemini (free) | $0 | Yes, unless opted out | Personal experimentation only |
| Gemini Advanced | $20/month (Google One AI Premium) | Yes, unless opted out | Personal use; not appropriate for client work without opt-out |
| Workspace Business Starter + Gemini | ~$8.40/user/month | No — contractually excluded | Very small teams |
| Workspace Business Standard + Gemini | ~$16.80/user/month | No — contractually excluded | Small teams (best value for most SMBs) |
| Workspace Business Plus + Gemini | ~$26.40/user/month | No — contractually excluded | Small teams needing eDiscovery, advanced security |
| Workspace Enterprise + Gemini | Custom | No — contractually excluded | Larger organisations |
| Vertex AI | Pay-per-token | No, by default | Developers, custom applications |
Note: Google bundled Gemini into Workspace plans during 2024-2025, eliminating the previous separate Duet AI / Gemini for Workspace add-on. Pricing above reflects the bundled state.
Jurisdiction
- Primary processor: Google LLC, Mountain View, California, USA
- Cloud infrastructure: Google Cloud Platform
- Workspace data residency options available for Enterprise tier customers (specific regions can be selected)
- For Vertex AI, data processing region is configurable when the project is created
Breach history (public incidents)
February 2024 — Gemini chats indexed in Google Search Shortly after Gemini's public release, Google's own web crawler indexed publicly-shared Gemini conversations. The cause was a missing robots.txt file in the root directory of the gemini.google.com subdomain. Users who had created shareable links to their conversations (a feature Gemini provides) had those conversations appear in Google search results until Google added the robots.txt directive. Conversations contained personal information, work content, and in some cases sensitive material that users had not intended to be publicly searchable. Source: The Cyber Express; New Design Group analysis, February 2024
August 2025 — SafeBreach Calendar prompt injection demo SafeBreach researchers demonstrated a prompt injection attack where a malicious Google Calendar invite could be used to hijack Gemini's agentic capabilities and exfiltrate sensitive data. The malicious instructions were embedded in calendar event titles or descriptions; Gemini, when summarising the user's calendar or processing event content, would execute the embedded instructions as if they were from the user. Source: SafeBreach research, August 2025
January 2026 — Gemini Calendar data leak (production exploit pattern) BleepingComputer reported a Gemini agent vulnerability that allowed prompt injection via malicious Calendar event titles to leak Google Calendar data. The attack pattern was substantially the same as the August 2025 SafeBreach demo but observed in the wild. Google patched the specific issue; the broader architectural challenge of trusted-content boundaries in AI agents that read user data remains open. Source: BleepingComputer, January 2026
Ongoing 2025-2026 — Indirect prompt injection in Workspace features A broader pattern across Gmail summarisation, Docs analysis, and Drive search features has been the subject of multiple security research disclosures. The shared vulnerability: when Gemini reads user data (emails, documents) that contains content from external senders, the external content can include instructions that Gemini will follow. Google has implemented several rounds of mitigation. The fundamental problem — that LLMs cannot reliably distinguish "this is data I should summarise" from "this is an instruction I should follow" — is an industry-wide architectural challenge, not Google-specific.
Note on infrastructure: No public confirmed breach of Google's core Gemini infrastructure (the model serving infrastructure or training pipeline) has been reported as of May 2026. The incidents above are application-layer issues (search indexing, prompt injection in features) rather than core platform breaches.
What this means in plain English for SMB owners
Three honest takeaways:
- If you use Google Workspace for your business and you are not yet using the Gemini features inside it, you are probably leaving a privacy advantage on the table. Workspace Gemini is the most privacy-protective AI option in this database that is also genuinely productive for everyday SMB work. It costs nothing extra on most Workspace plans.
- If your employees use the consumer Gemini app for work tasks while logged into a personal Google account, you have an undocumented data exposure. Their work prompts are being retained for up to 18 months, are subject to human review, and are training Google's consumer model unless each employee has individually opted out. This is the Workspace-equivalent of the ChatGPT Plus / Claude Pro trap.
- Gemini's agentic features (reading your calendar, summarising your inbox, taking actions on your behalf) are where the interesting new attack surface lives. Two public demos and one in-the-wild exploit have shown that Gemini will follow instructions hidden inside data it is asked to read. Until this category of vulnerability is structurally solved, treat any AI agent with access to your inbox as a potential exfiltration vector. Restrict agentic features to trusted contexts.
Sources
- Google Workspace Privacy Hub for Gemini: https://knowledge.workspace.google.com/admin/gemini/generative-ai-in-google-workspace-privacy-hub (verified 2026-05-22)
- Google Workspace blog: Gemini for Workspace announcement (verified 2026-05-22)
- Terms.Law: Google Gemini Output Ownership 2026 (March 2026)
- Anarlog.so: Google Gemini data retention policy (March 2026)
- i10x.ai: Gemini Training Data Consumer vs Enterprise (November 2025)
- Technerdo: How to Stop Gemini Training (2026)
- mePrism: Gemini opt-out guide (2026)
- The Cyber Express: Google Gemini AI data leak (February 2024)
- New Design Group: Why did Google Gemini leak chat data (February 2024)
- BleepingComputer: Gemini tricked into leaking Google Calendar data (January 2026)
- LayerX Security: Gemini Data Breach analysis (December 2025)
- Fello AI: How to Stop AI from Training (2026)
Related on AI Leakage
- Compare all 29 AI tools in the risk directory — see how Gemini (Google) stacks up against the rest, tier by tier.
- Take the 5-minute “Am I Leaking?” check — a personalised view of your business’s AI exposure.
- Check a prompt before you paste it — our free Data-Safe Prompt Rewriter.
- Shadow AI vs AI leakage — why even approved tools like Gemini (Google) can leak data.
- Get plain-English AI Leakage Alerts — we email you when an AI tool you use changes its data policy or has an incident.
- Get the free AI Acceptable Use Policy template — a plain-English policy with the tool-by-tool risk guide built in.