What are the privacy implications of using LLMs with user data?

Our company wants to use GPT-4 to analyze customer support tickets and suggest responses. Legal and compliance teams are concerned about:

1. Data retention: Does OpenAI store our API requests?
2. Training data: Will our data be used to train future models?
3. GDPR compliance: How do we handle EU customer data?
4. Sensitive information: What if tickets contain PII or confidential info?

Options we're considering:

• Use OpenAI's zero-retention API
• Self-host an open-source LLM (Llama 3, Mistral)
• Implement PII redaction before sending to LLM
• Use Azure OpenAI for enterprise compliance

What's the current best practice for using LLMs in privacy-sensitive contexts? Has anyone successfully navigated GDPR compliance with LLM-powered features?