Anyone who has typed a personal question, a business idea, or a medical concern into an AI chatbot may have assumed the exchange stayed between them and the bot. A technical audit of five major AI chatbots, published as an academic preprint, found that some of those platforms transmit user prompts and responses in plaintext to third-party analytics and session-replay services, including Microsoft Clarity. The paper, titled “Tracking Conversations: Measuring Content and Identity Exposure on AI Chatbots,” systematically mapped how chatbot providers handle privacy disclosures and where conversation data travels after it leaves the chat window. The findings suggest that millions of users are feeding personal details into systems whose data pipelines extend well beyond the visible interface.
How chatbot data flows beyond the chat window
The core finding is straightforward: several of the five chatbots examined route snippets of user conversations to external tracking and analytics tools. The researchers identified cases where plaintext prompt and response data was shared with session-replay tooling such as Microsoft Clarity, according to the arXiv preprint. Session-replay tools record how users interact with a webpage, capturing clicks, scrolls, and, in this case, the actual text exchanged with an AI. That means a user discussing a salary negotiation strategy or a health symptom could have those words logged by a third-party service whose data-retention and sharing policies differ from the chatbot provider’s own terms.
The audit also mapped privacy disclosures across the chatbot providers and found inconsistencies between what users are told and what the network traffic reveals. Some providers’ privacy policies mention data collection for service improvement, but the specific transmission of conversation content to external replay and analytics vendors is not always spelled out in terms a typical user would notice or understand. The gap between disclosure language and observed data flows is where the practical risk sits for anyone treating a chatbot like a private notebook.
One testable implication of this data flow is whether chatbots embedding session-replay scripts produce measurably higher downstream ad-targeting precision for topics discussed in user sessions compared with chatbots that do not. In theory, if conversation content reaches analytics platforms that feed advertising ecosystems, a user who discusses running shoes in a chatbot session could see more shoe ads shortly afterward. Controlled A/B ad-campaign tests using synthetic conversation topics could verify this link, though no such experiment has been published yet. The hypothesis remains open, but the technical pathway for it, plaintext conversation data reaching third-party analytics infrastructure, is documented in the audit.
What the arXiv audit measured and how
The paper, catalogued under DOI 10.48550/arXiv.2604.27438, used a systematic audit methodology. Researchers examined the network traffic generated during chatbot sessions, identifying which external domains received data and what form that data took. The focus was not on whether chatbot companies store conversations on their own servers, a practice most providers acknowledge, but on whether conversation content leaks to third parties through embedded scripts and tracking pixels that users have no direct relationship with.
The distinction matters because a user who accepts a chatbot provider’s terms of service is consenting to that provider’s data practices, not necessarily to the practices of every analytics vendor embedded in the page. Session-replay services, for instance, may retain captured data for their own product-improvement or commercial purposes under separate agreements that the chatbot user never sees. The audit’s contribution is in documenting these specific transmission channels rather than relying on policy language alone.
The preprint is hosted on arXiv’s platform, a well-established open-access repository operated by Cornell University. The paper has not yet undergone formal peer review, which is standard for arXiv preprints. Its technical claims rest on observable network behavior rather than survey data or self-reported corporate disclosures, giving the findings a concrete, reproducible basis even as the broader interpretive conclusions await independent validation.
The authors relied on repeatable experiments: they created controlled chatbot sessions, captured network requests, and then analyzed which third-party domains appeared in the traffic. By varying prompts and session lengths, they could see whether longer or more detailed conversations produced different patterns of data sharing. In some cases, they observed entire prompts and responses embedded as parameters in web requests sent to analytics endpoints, rather than being truncated or anonymized.
To reduce the chance of misattributing benign telemetry to more invasive tracking, the researchers cross-referenced domain names with public documentation for analytics and session-replay products. Where possible, they confirmed that the scripts loaded on chatbot pages matched known tracking libraries. This approach does not reveal everything about how data is processed once it arrives at a vendor, but it does establish that the content leaves the chatbot environment in human-readable form.
Gaps in the evidence and what users should watch
Several questions remain unanswered. The audit identifies data flows but does not trace what happens to conversation snippets after they reach analytics vendors. Whether those vendors retain the data, aggregate it with other behavioral signals, or make it available for advertising targeting is not established in the paper. No public statements from Microsoft Clarity or other named analytics services address how they handle chatbot-derived conversation data specifically, and none of the five chatbot companies have issued responses to the audit’s findings.
The absence of raw session-replay captures in the published paper also limits independent verification. The researchers describe their methodology and summarize their network-traffic observations, but the underlying packet captures and replay recordings are not included in the preprint. Future replication by other research teams would strengthen or narrow the claims, especially if they can observe similar patterns across different geographic regions, browser configurations, and user consent settings.
Regulatory frameworks have not caught up with this specific data pathway. Existing privacy laws in the United States and Europe address data collection and consent in broad terms, but the scenario of a chatbot silently forwarding conversation text to a session-replay vendor occupies a gray area that few enforcement actions have tested. Questions about whether such sharing constitutes a “sale” of personal data, or whether it requires explicit opt-in consent, are likely to be answered piecemeal through future investigations and court decisions.
Users who want to limit exposure have limited options: reviewing a chatbot provider’s privacy policy for mentions of third-party analytics, using browser extensions that block known tracking domains, or simply avoiding sensitive topics in chatbot sessions. For technically inclined users, browser developer tools can reveal which third-party scripts load on a chatbot page and whether network requests include chunks of conversation text. However, this level of vigilance is unrealistic to expect from the average person who just wants quick answers from an AI assistant.
The practical first step for anyone concerned is to check whether the chatbot they use embeds session-replay or extensive analytics scripts and to assume that anything typed into the interface could be visible to more than one company. Treating chatbot conversations less like private diary entries and more like emails sent through a webmail provider-with all the attendant logging and tracking-can help recalibrate expectations. Organizations handling especially sensitive information, such as law firms or medical practices, may need to explore self-hosted or enterprise offerings that contractually limit data sharing with third parties.
Why independent infrastructure matters
The audit also underscores the importance of independent research infrastructure. Open repositories make it possible for other teams to scrutinize methods, reproduce experiments, and build on prior work. In this case, hosting the preprint on arXiv’s open-access infrastructure ensures that privacy advocates, policymakers, and industry engineers can all review the same technical evidence without paywalls or proprietary restrictions.
As AI chatbots become embedded in search engines, productivity suites, and customer-service portals, the quiet spread of session-replay and analytics scripts into these interfaces raises questions that go beyond any single company. Independent audits like this one are a reminder that the convenience of conversational AI often rests on a dense web of third-party services. Until providers clearly disclose how conversation data travels-and regulators clarify what counts as meaningful consent-users will have to navigate that web with incomplete information.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.