Data Privacy: Observations on DeepSeek's ToS & Privacy Policy

Anyone tracking the world of artificial intelligence (AI) and large language models (LLMs) would now be aware of DeepSeek, which delivered a $1 trillion blow to the otherwise buoyant US AI companies, especially the Magnificent 7. As we marked World Privacy Day recently, I considered using this occasion to analyze DeepSeek's terms of use and privacy policy to understand the possible risks, loopholes, or non-user-friendly terms that the LLM has. In this article, I use the term LLM instead of specific terms like generative AI, conversational AI, or AI language model.

Obviously, this does not mean DeepSeek alone has issues. Every LLM, CHATGPT, Perplexity, or Gemini has unilateral/ one-sided user terms that users cannot disagree with (the answer would be not to use it). So here's a purposefully longish analysis of risks, issues, and concerns regarding DeepSeek's ToS and Privacy Policy, accessible here and here.

A. Broad Data Collection (Privacy Policy – “What Information We Collect”)

• Issue: The clauses in this section inform users that the platform collects or may collect extensive data, including device identifiers, keystroke patterns, cookies, IP addresses, and user inputs such as chat history and uploaded files. The potential risk is that the level of detail in "keystroke patterns" and device tracking could facilitate invasive profiling. While such requirements pertain to technical use (and might be used by other LLMs), the concerns around data being used for unintended purposes may not be ruled out. The collection of such details goes beyond standard practice unless it is necessary for functionality.

B. Retention of Data Post Account Deletion (Privacy Policy – “How Long Do We Keep Your Information” & Terms 2.5)

• Issue: Another interesting aspect under Clause 2.5 of the Terms of Use says that DeepSeek may retain users' data “as necessary to comply with laws” or “for legal claims," even after account deletion. This hints at the platform keeping the data indefinitely and goes against the foundation of data privacy, where data is to be retained only for a reasonable period and for various reasons. Allowing indefinite retention is a serious red flag.

C. Data Localization and Transfer (Privacy Policy – “Where We Store Your Information”)

• Issue: Under this clause, DeepSeek says that all data is stored on servers in the People’s Republic of China, with provisions for cross-border transfers. This opens the data stored in China to government access under national laws (to be honest, this remains a concern in the Western nations as well. Time and again, many companies have been found to toe the line and grant illegal access to governments everywhere)

D. Government Cooperation Without Transparency (Privacy Policy – “How We Share Your Information”)

DeepSeek's Privacy Policy states that it may "Access, preserve, and share the information described in "What Information We Collect" with law enforcement agencies, public authorities, copyright holders, or other third parties if we have good faith belief that it is necessary to:."

• Issue: This clause means that the platform reserves the right to share data with authorities for legal compliance, potentially without user notice. A novice user may be unaware of the extent of data shared with authorities. Considering the overall narrative around data usage, this is a significant concern from a privacy perspective.

Other Issues

• DeepSeek can use the Inputs and Outputs for “service improvement” and compliance monitoring. This could mean repurposing data, even sensitive or proprietary data, for training AI models. Ethical AI practices require that a platform often provide clear opt-outs for using such data for training.
• Changes to the terms are deemed accepted with continued use without explicit user consent. Users may be unaware of material changes affecting their rights.

• While users retain some rights, DeepSeek retains broad rights to process and utilize this data.

I hope the above is helpful to you. DeepSeek is a great product and has rightly caused tremors in the world of AI. The purpose of this article is not to isolate DeepSeek and say that other LLMs adhere to best privacy practices. However, as DeepSeek is currently trending, and rightful concerns are being raised about censorship and data privacy, it is equally important to highlight them for any privacy-conscious person.

For more on DeepSeek's impact on US capital markets, read this:

1. https://www.ft.com/content/674758d7-ffdf-4b88-bb73-f539b56ac4b1
2. https://www.bloomberg.com/opinion/articles/2025-01-29/deepseek-calls-for-deep-breaths-from-big-tech-over-earnings