China-developed DeepSeek AI has raised plenty of privacy and security concerns since its launch, with some governments no longer offering the service at all or launching investigations into its data-handling practices. In terms of privacy, however, the Chinese chatbot may not be the worst offender.
As per recent data from Surfshark, one of the best VPN providers on the market, Google Gemini takes the gold medal for the most data-hungry AI chatbot app. DeepSeek comes, in fact, only fifth out of the 10 most popular applications for aggressive data collection.
Surfshark researchers also found a worrying 30% of the analyzed chatbots share user data, such as contact details, location, and search and browsing history, with third parties, including data brokers.
The real cost of using AI chatbots
As Tomas Stamulis, Chief Security Officer at Surfshark, explains, the apps we use every day regularly collect our personal information. While some of this data is necessary for the applications' functionality, others are linked to our identities. He said: "AI chatbot apps can go even further by processing and storing conversations."
To determine the real privacy price tag affixed to AI chatbots, Surfshark researchers looked at the privacy details of the 10 most popular apps on the Apple App Store. They then compared how many types of data each app collects, whether it collects any data linked to its users, and whether the app includes third-party advertisers.
The analysis uncovered an average of 11 different types of data out of the 35 possible. As mentioned earlier, Google Gemini stands out as the most data-hungry service, collecting 22 of these data types, including highly sensitive data like precise location, user content, the device's contacts list, browsing history, and more.
Among the analyzed applications, only Google Gemini, Copilot, and Perplexity were found to collect precise location data. The controversial DeepSeek chatbot stands right in the middle, collecting 11 unique types of data, such as user input like chat history. The main issue here – and what attracted privacy complaints under GDPR rules – is that the provider's privacy policy claims to retain this data for as long as it's necessary on servers located in China.
Its rival, ChatGPT, is hot on Gemini's heels, with 10 types of data collected. These include contact information, user content, identifiers, usage data, and diagnostics. It's also worth noting that, while ChatGPT also collects chat history, you can opt to use temporary chats instead to ensure this info gets deleted after 30 days – or ask for the removal of personal data from its training sets.
Apps' data collection is only one side of the privacy problem, though.
This is because, Stamulis explains: "This data could be used within the company or shared across third-party networks, potentially reaching hundreds of partners, and leading to highly targeted ads or an increase in spam calls."
Researchers also found that 30% of these chatbot apps track user data, too. This means that the user or device data collected from the app is linked with third-party data for targeted advertising or advertising measurement purposes.
Copilot, Poe, and Jasper are the three apps that collect data used to track you. Essentially, this data "could be sold to data brokers or used to display targeted advertisements in your app," Surfshark experts noted. Copilot and Poe only collect device IDs for this purpose, while Jasper gathers device IDs, product interaction data, advertising data, and other usage data, which refers to "any other data about user activity in the app".
"As a rule, the more information is shared, the greater the risk of data leaks," said Stamulis, adding that cybercriminals are known to exploit these incidents to create personalized phishing attacks that could lead to massive financial losses.
Stamulis recommends being mindful of the information you provide to chatbots, reviewing your sharing settings, and disabling chat history whenever possible.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
