Your AI chatbot may be sharing your prompts with ad networks

Your private conversations with AI chatbots might not be as private as you think. A comprehensive study from UC Davis researchers has found that 17 out of 20 popular AI chatbot services share user information with third parties during regular chat sessions – and three of them are transmitting the actual text of your conversations to Microsoft’s tracking tools.

The research represents the first systematic measurement of web tracking across AI chatbot platforms. The findings raise significant privacy concerns as millions of users share increasingly sensitive information with AI assistants, from health questions to personal problems they wouldn’t typically discuss in other online forums.

The study methodology

Researchers Muhammad Jazlan, Ethan Wang, Yash Vekaria, and Zubair Shafiq from UC Davis tested 20 popular chatbots including ChatGPT, Gemini, Claude, and others. They used a consistent test prompt – “pregnancy test near me” – chosen because it combines health-related content with location data, representing the type of sensitive queries users commonly submit.

The team reported their findings in a paper submitted to arXiv, using Chrome browser to capture network traffic without built-in tracking protections. For each chatbot, they created fresh accounts and monitored all data transmitted while submitting the test prompt and receiving responses.

Their analysis went beyond simple text matching. The researchers checked for various encoding methods including:

• Base64 and URL encoding
• Hexadecimal formats
• Cryptographic hashes (MD5, SHA-1, SHA-2, and SHA-3)
• Other obfuscation techniques

Three chatbots leak full conversation text

The most concerning finding involves session replay technology. Four chatbots embed Microsoft Clarity, a behavioral analytics tool that records user interactions including mouse movements, clicks, and page content. Because chatbot pages display the full conversation, this tool can capture both prompts and responses.

Three services – Genspark, SeaArt, and ChatOn – transmitted complete conversation text in readable form to Clarity servers. The study documented Clarity receiving the exact test prompt “pregnancy test near me” along with portions of the AI responses, including “Here are a few pregnancy test options near you” and “Most pharmacies like CVS, Walgreens, or Rite Aid carry home pregnancy tests.”

Microsoft Copilot also uses Clarity but routes the data through its own servers and doesn’t appear to transmit plaintext conversation content – only message identifiers and ordering information.

Widespread third-party connections

The study identified 47 unique third-party companies receiving data from the chatbots, creating 178 distinct data-sharing relationships. Analytics services appeared on 17 of the 20 chatbots tested, while advertising services were present on 12 platforms.

Only three chatbots contacted no external third parties: Gemini, Meta AI, and Duck.ai. However, this doesn’t mean they share no data externally – Gemini still connects to Google-owned services like Google Analytics, which the study classified as “platform-party” rather than third-party connections.

SeaArt stood out for its extensive advertising network, connecting to 13 different ad platforms in a single session:

• Amazon and Google advertising
• Social platforms: Facebook, TikTok, Twitter/X, Pinterest, Reddit
• Search engines: Bing, Yahoo Japan, Yandex
• Content networks: Outbrain, Quora
• Chinese platform A8

How your prompts reach Google Maps

The study documented specific pathways for data exposure. Genspark, for example, embeds Google Maps widgets and passes the full user prompt directly in the URL: www.google.com/maps/embed/v1/search?q=pregnancy+test+near+me. This means Google receives the complete prompt as part of loading the map, potentially linking it to users’ Google accounts if they’re logged in.

The researchers suggest a more privacy-conscious approach: resolve location queries on the server side and only pass coordinates or sanitized place names to the mapping service, rather than the raw user prompt.

Chat identifiers and page titles as tracking vectors

Most chatbots assign unique URLs for each conversation that appear in your browser’s address bar. The study found 15 of the 20 chatbots transmit these URLs to third parties through standard analytics and advertising tags, reaching 29 different destinations.

Popular tracking tools automatically collect page URLs by default:

• Meta Pixel’s dl parameter
• Google Analytics collect endpoint
• Bing’s UET tag
• DoubleClick conversion tracking

While chat identifiers don’t reveal conversation content directly, they create a pointer to specific conversations that could be problematic if the URLs are shareable or if someone gains unauthorized access.

Page titles create another exposure path. Five chatbots – Kimi, Claude, Manus, Gemini, and Genspark – place user prompts or extracted keywords in page titles, which are then automatically collected by analytics and advertising systems.

Personal information exposure

Beyond conversation content, the study found extensive sharing of user identity information. Claude and Mistral automatically send users’ email addresses, names, and internal user IDs to Intercom’s support system when chat pages load – without any user interaction with support widgets.

Character.ai transmits user email addresses to both Sentry error monitoring and Statsig experimentation platforms. The Statsig integration also includes IP addresses and browser information alongside experiment data.

Several platforms share hashed email addresses with advertising networks. The Federal Trade Commission has noted that hashed emails function as persistent cross-site identifiers because the same email produces identical hashes across different platforms, enabling companies to track users across websites.

Private modes offer significant protection

The study found that private or temporary chat modes substantially reduce third-party data sharing. In private mode sessions, only 13 chatbot-to-third-party connections were observed, involving just 3 external companies: Datadog, Mapbox, and Google.

Most importantly, no identity or conversation content was transmitted to any third party during private chat sessions. This suggests that private modes provide meaningful privacy protection, even though their disclosure language typically focuses on chat retention and AI training rather than tracking prevention.

What this means for users and businesses

These findings have immediate implications as AI chatbots become more central to how people search for information and seek assistance. Unlike traditional search engines, users often share deeply personal information with AI assistants – health concerns, relationship problems, financial situations, and other sensitive topics.

For businesses evaluating AI tools, the study provides concrete data about which platforms embed which third-party services. This information is crucial for compliance with privacy regulations like GDPR and CCPA, which require transparency about data recipients.

The research also connects to the expanding ChatGPT advertising platform, which launched self-serve ads to all US businesses in May 2026. As AI chatbots become advertising platforms, the distinction between conversation partners and marketing channels continues to blur.

Users concerned about privacy should consider using private or temporary chat modes when available, as the study demonstrates these modes significantly reduce data sharing with third parties. The research also highlights the importance of reading privacy policies carefully – several platforms were found sharing data with companies not mentioned in their privacy disclosures.