From “Service Improvement” to AI Exploitation: How Customer-Side Counsel Should Manage Vendor Data-Use Clauses

Time 4 Minute Read
Legal Update

HubSpot’s recent and quickly reversed attempt to expand its use of customer CRM data to support a new AI-powered lead-generation feature and potentially share certain customer data elements across its platform is the latest example of a broader contracting issue facing enterprise customers: technology vendors are increasingly seeking to convert general data-use language into permission to develop AI features, train or improve models, and, in some cases, create value across their customer base using data contributed by individual customers.

For customer-side counsel, the lesson is not limited to one vendor or one product category. It is that familiar SaaS concepts, such as “service improvement,” “analytics,” and “product development,” can take on very different meanings in the AI era if they are not carefully constrained.

Historically, many customers accepted broad vendor rights to use their data “to provide, maintain, support, and improve” the service. Before AI, that language was often understood to cover ordinary operational needs, such as debugging, security monitoring, and performance optimization. Today, however, those same words may be read to authorize training AI systems, building new features from patterns in customer data, generating cross-customer insights, or otherwise using one customer’s data to enhance the vendor’s broader product offering.

That risk becomes especially acute where the relevant data is not merely technical telemetry, but substantive business information. CRM data, customer lists, pipeline details, pricing history, contract status, and sales strategy are often among a company’s most commercially sensitive assets. Even when public disclosure is not in play, many customers will object to a vendor using that information in ways that help other customers, improve generally available AI functionality, or otherwise dilute the competitive value of the underlying data set.

The first priority for customer-side counsel, therefore, is to separate categories of data and rights with greater precision than many legacy technology agreements do. Customer content and business records should not be treated the same as usage metadata or service telemetry. Agreements should make clear that the vendor’s license to customer data is limited to what is necessary to provide the contracted services and related support, and not for broader product development or AI training purposes absent the customer’s affirmative agreement.

Customer-side counsel should also examine provisions permitting use of “aggregated,” “anonymized,” or “de-identified” data. These are often framed as low-risk, but in practice they can give vendors wide latitude to extract value from customer data for secondary purposes. In many enterprise settings, the concern is not only whether data can be traced back to an individual company, but whether sensitive operational information is being used to improve the vendor’s products or create advantages for others in the market.

The HubSpot experience also highlights the need to control the process, not just the substance. As we discussed in our previous post, vendors increasingly introduce AI-related changes through hyperlinked terms, privacy policies, feature notices, or product-specific terms rather than through negotiated amendments. Customer-side counsel should be wary of contractual structures that permit unilateral changes to data-use rights during the contract term, especially where those changes affect customer content, confidentiality expectations, or AI-related processing. Our next installment will examine ways to mitigate the impact of hyperlinked terms in preliminary vendor negotiations, including by making clear in the order-of-precedence clause that any hyperlinked, online, or other extra-contractual terms are subordinate to the negotiated agreement and cannot override its terms.

The takeaway is straightforward: broad vendor rights that may have seemed benign in a traditional technology agreement can carry materially different risk once AI is in the picture. Data-use provisions and any applicable hyperlinked or extra-contractual terms deserve a fresh look, with particular care given to purpose limitation, secondary use, cross-customer benefit, and contractual controls on future updates to such terms.  As vendors face competitive pressure and customer sensitivity around AI, many are willing to narrow data-use language when the issue is clearly framed.

Related Insights

Jump to Page