Phronesis
Trust & compliance

Who Controls Your Data?

Understanding GDPR, Privacy and AI in Phronesis

Addressing the biggest concern about AI-powered HR support

Artificial Intelligence is rapidly changing the way businesses access professional advice.

From HR and employment law guidance to document creation and policy support, AI can now provide answers in seconds that previously required hours of research or expensive consultancy time.

Yet despite the benefits, one question arises in almost every conversation we have about Phronesis:

“If I enter sensitive information, who can see it? Does OpenAI own it? Could it be shared with other users?”

It's an entirely reasonable concern.

Employment issues often involve confidential business information, employee situations, disciplinary matters, grievances, restructures, redundancies, and commercially sensitive decisions. Organisations need confidence that any AI platform they use has been designed with privacy, security and governance at its core.

The good news is that the reality is often very different from what many people assume.

The Myth: “Everything I Type Into AI Becomes Public”

Many people's perception of AI has been shaped by consumer tools and media headlines.

As a result, some assume that every question entered into an AI system is automatically used to train future models or becomes visible to other users.

That is not how Phronesis operates.

Phronesis is built using the Pickaxe platform and OpenAI's API services, creating a secure processing chain:

User → Phronesis → Pickaxe → OpenAI API

Information remains within that processing chain and is used solely to generate responses and operate the service.

Importantly, information entered into Phronesis is not published publicly, shared with other users, or made available for general browsing.

Understanding the Difference Between ChatGPT and OpenAI's API

One of the most important distinctions is the difference between the public consumer version of ChatGPT and OpenAI's business API platform.

Phronesis uses OpenAI's API infrastructure through Pickaxe.

This matters because different data protection rules apply.

When organisations use OpenAI's API services, OpenAI states that customer inputs and outputs are not used to train AI models by default. This means information submitted through Phronesis is not automatically incorporated into future AI model training datasets.

In practical terms:

  • Questions entered into Phronesis are not automatically fed back into future AI models.
  • Your conversations are not used to train public AI systems.
  • Other users cannot access your information.
  • Confidential business information remains within the service delivery chain.

For most SMEs, this is one of the most important safeguards available when selecting an AI-powered business tool.

Who Owns and Controls the Data?

This is where many people are surprised.

A common misconception is that when an organisation enters information into an AI platform, ownership or control of that information somehow transfers to the platform provider.

In reality, the opposite is usually true.

When an organisation uses Phronesis to obtain HR guidance, the organisation entering the information typically remains the Data Controller under UK GDPR.

This is because the organisation:

  • Decides what information is entered into the platform.
  • Determines why the information is being processed.
  • Chooses the lawful basis for processing.
  • Controls the employee and business information involved.
  • Retains responsibility for the underlying data.

The organisation remains in control of its own data throughout the process.

Phronesis simply processes information on behalf of the customer in order to generate HR guidance and support.

This is the same principle used by many cloud software providers, including HR systems, payroll providers, accounting platforms and CRM systems.

Understanding the GDPR Roles

Within the Phronesis technology ecosystem, the roles are typically:

Customer Organisation (Employer)

Data Controller

The customer decides:

  • What information is entered.
  • Why it is being processed.
  • Which employees are involved.
  • The lawful basis for processing.

Stroika International Ltd / Phronesis

Data Processor

Phronesis processes information solely to provide the service requested by the customer.

Pickaxe

Sub-Processor

Pickaxe provides the infrastructure used to build and operate the AI agents.

OpenAI API Services

Sub-Processor / Infrastructure Provider

OpenAI provides the underlying AI capability used to generate responses.

This structure means that customer HR data remains under the control of the customer organisation rather than the platform provider.

How Data Is Protected

Security is about more than simply restricting access.

The data also needs to be protected while it is being transmitted and stored.

OpenAI states that API data is encrypted:

  • In transit using TLS encryption.
  • At rest using AES-256 encryption.
  • Behind strict access-control processes.

These are the same categories of controls commonly used by major SaaS providers, financial institutions and enterprise technology platforms.

While no technology platform can ever claim to be completely risk-free, these measures help ensure information is protected throughout the processing lifecycle.

International Data Transfers

Another common concern relates to where information is processed.

Because OpenAI is a US-based organisation, some processing may occur outside the UK.

However, OpenAI states that international transfers are supported through recognised legal mechanisms, including:

  • Standard Contractual Clauses (SCCs)
  • UK GDPR Addendum protections
  • Other recognised international transfer safeguards where applicable.

International data transfers are already common across many business systems used every day.

The key issue is not whether data crosses borders, but whether appropriate legal safeguards are in place when it does.

Privacy Is Only Part of the Story

At Phronesis, responsible AI extends beyond security and legal compliance.

It also requires transparency, governance and clear operational guardrails.

That is why Phronesis has been designed around a framework intended to help users understand not only the answer provided, but also how that answer was reached.

Confidence Ratings

Every response includes a confidence rating, helping users understand the level of certainty associated with the guidance being provided.

Source Transparency

The platform provides references to legislation, ACAS guidance and other authoritative sources wherever relevant. Users can see the basis for the guidance rather than relying on a “black box” answer.

No Invented Authorities

The system is specifically instructed not to invent legislation, case law, statistics or references. If information cannot be verified, it says so.

Human Escalation

Where matters become complex, high-risk or highly fact-sensitive, users are directed towards experienced HR professionals rather than relying solely on AI-generated guidance.

This reflects a simple principle:

AI should support professional judgement, not replace it.

What Organisations Should Still Avoid

Even with strong safeguards in place, good data governance remains important.

Organisations should avoid entering unnecessary Special Category Data into AI systems unless appropriate safeguards and assessments have been completed.

Examples include:

  • Health information
  • Ethnicity
  • Religious beliefs
  • Political opinions
  • Biometric data
  • Criminal offence information

As with any technology platform, organisations should follow their own internal data protection policies and ensure employees understand appropriate usage.

Trust Matters More Than Technology

The future of HR technology will not be determined simply by who has the most advanced AI.

It will be determined by who can combine powerful technology with strong governance, transparency and accountability.

At Phronesis, we believe organisations should remain in control of their own data.

That's why customer information entered into the platform remains under the control of the organisation that provides it. Phronesis processes that information solely for the purpose of generating HR guidance and support, while operating within a framework designed around privacy, transparency and responsible AI use.

Combined with confidence scoring, source transparency, HR-specific guardrails and access to experienced human HR professionals when issues become complex, Phronesis has been designed to help organisations adopt AI responsibly rather than simply automate decision-making.

AI can transform access to HR expertise.

But trust, governance and transparency are what make that transformation sustainable.

Phronesis — AI Answers. HR Clarity. Business Confidence.

For our formal website privacy notice, see GDPR & Privacy notice. For cookies, see Cookies.