
Step 4 of 7 · Private

The 5-question test.

The fastest vendor screen that exists.

Yesterday you read three privacy policies. Today we go back to the same three vendors and ask the harder questions — the ones policies usually skip.

Portability on cancel. Stack transparency, including the upstream AI model provider — not just the vendor's own company. Input sanitization — what stops a customer from typing an SSN into your chatbot. Advertising inference — whether your conversation topics get classified into ad-targeting buckets (OpenAI started doing this in Feb 2026; others may too). These rarely show up in a public policy. When they don't, THEY DON'T SAY is the answer.

Same three vendors. Five questions. Watch what they won't commit to.

60-second action

Three audits. Three vendors. Pick one. Watch what they won't commit to.

Same three vendors as yesterday — your POS (Square), your email tool (Mailchimp), the AI you use (ChatGPT). Same paste-and-go structure, same proof-of-read. But today's five questions are the ones privacy policies usually skip: portability on cancel, stack transparency, upstream AI training, input sanitization, and advertising inference. Pick one, copy its block, paste into Claude. Expect more THEY DON'T SAYs than yesterday. That's the lesson.

Want to see what 'good answers' sound like? Run the same 5 questions against Bearing at getbearing.co/privacy — same audit pattern, different vendor. These five questions are what Bearing's privacy page was built to answer.

Option A — Your POS (Square)

Fetch and read Square's privacy policy at https://squareup.com/us/en/legal/privacy AND Square's security/trust page at https://squareup.com/us/en/security — the full pages, not search snippets. Before you answer, quote one specific sentence from either page so I know you actually read it. If you can't open them, stop and say "I couldn't fetch — paste the text here and I'll try again." Don't guess from memory.

Then answer these five questions in plain English, using only what Square publicly commits to:

1. If I cancel, do I walk with everything? Customer list, payment history, custom settings, transaction data — and how do I actually export it?

2. Who's in their stack? Every third party — hosting, database, AI model provider, analytics, fraud detection. Specifics, not categories. What does each one see?

3. Does anyone train AI on merchant or customer data? Including whichever underlying AI model Square uses for features like smart receipts, item recommendations, or fraud detection (OpenAI, Anthropic, internal model, etc.)?

4. What stops sensitive info at the door? If a customer types a credit card number, SSN, or medical detail into a Square form, chat, or receipt — where does it end up?

5. Do you use merchant or customer data — or inferences drawn from it — for advertising? Your own ads, partner ads across Block's ecosystem (Cash App, Afterpay/Clearpay, TIDAL, Square Financial Services), or third-party data-broker relationships. Topic-based or behavior-based targeting counts. Different answers by tier?

If they don't publicly commit to any of these, answer "THEY DON'T SAY" — that's an answer too. Don't guess. Don't pad.

Option B — Your email tool (Mailchimp)

Fetch and read Mailchimp's privacy policy at https://mailchimp.com/legal/privacy/ AND Mailchimp's security page at https://mailchimp.com/legal/security/ — the full pages, not search snippets. Before you answer, quote one specific sentence from either page so I know you actually read it. If you can't open them, stop and say "I couldn't fetch — paste the text here and I'll try again." Don't guess from memory.

Then answer these five questions in plain English, using only what Mailchimp publicly commits to:

1. If I cancel, do I walk with everything? Subscriber list, email history, automations, templates — and how do I actually export it?

2. Who's in their stack? Every third party — hosting, database, AI model provider (for features like Content Optimizer, subject-line AI, send-time optimization), analytics, deliverability. Specifics, not categories. What does each one see?

3. Does anyone train AI on my subscriber data or email content? Including whichever underlying AI model Mailchimp uses for their AI features (OpenAI, Anthropic, internal model, etc.)?

4. What stops sensitive info at the door? If a subscriber's health info, financial detail, or other sensitive content ends up in a Mailchimp list or template — where does it go?

5. Do you use my data — or inferences drawn from it — for advertising? Your own ads, partner ads across Intuit's product family (QuickBooks, TurboTax, Credit Karma, Mint), or third-party data-broker relationships. Topic classification from email content or subscriber behavior counts. Different by tier?

If they don't publicly commit to any of these, answer "THEY DON'T SAY" — that's an answer too. Don't guess. Don't pad.

Option C — The AI you use (ChatGPT)

Fetch and read OpenAI's privacy policy at https://openai.com/policies/privacy-policy/ AND OpenAI's enterprise privacy page at https://openai.com/enterprise-privacy/ AND OpenAI's ad policies page at https://openai.com/policies/ad-policies/ — the full pages, not search snippets. Before you answer, quote one specific sentence from any of them so I know you actually read them. If you can't open them, stop and say "I couldn't fetch — paste the text here and I'll try again." Don't guess from memory.

Then answer these five questions in plain English, using only what OpenAI publicly commits to — and call out any differences between free, Go, Plus, Pro, Team, Enterprise, Edu, and API tiers:

1. If I cancel, do I walk with everything? Conversations, custom GPTs, saved memory, fine-tuning data — and how do I actually export it?

2. Who's in their stack? Every third party — hosting (Azure?), CDN, safety review vendors, analytics. Specifics, not categories. What does each one see?

3. Does anyone train AI on my conversations? OpenAI IS the model provider — but what about free/Go vs Plus/Pro vs Team vs Enterprise vs API? Different answers per tier?

4. What stops sensitive info at the door? If a user types an SSN, medical record, API key, or password into ChatGPT — is there any input detection or redaction? Where does it end up?

5. Do you use my conversations — or inferences drawn from them — for advertising? The Feb 2026 policy shift added ads to Free and Go tiers. I want specifics: topic classification for ad targeting, third-party purchase-data partner relationships, cross-device tracking. Exactly which tiers have ads, which don't, and what data powers the targeting?

If they don't publicly commit to any of these, answer "THEY DON'T SAY" — that's an answer too. Don't guess. Don't pad.

What you’ll get

Five clear answers — or five dodges. Either tells you everything. Honest vendors will answer plainly because they've already written the answers down. Dodgy vendors will offer marketing copy, deflect to their AE, or quote the privacy policy word-for-word without answering the actual question.

These five questions are the promise Bearing is built around. Read ours in 90 seconds at getbearing.co/privacy — including the three things we explicitly don't do yet (HIPAA medical records, attorney-client privileged work, strict-privacy financial verticals). We say no out loud so the yeses mean something.

Tomorrow we move from private to programmable — workflows instead of chatbots. The shift from AI you talk to, to AI that runs your Tuesday.
