With the rapid spread of smartphones in Laos, the use of AI tools is becoming part of everyday life. A growing number of users are turning to generative AI such as ChatGPT and Claude for writing, translation, and information searches—yet few are aware of how the information they enter is processed and stored.

Laos enacted the "Electronic Data Protection Law (ກົດໝາຍວ່າດ້ວຍການປົກປ້ອງຂໍ້ມູນເອເລັກໂຕຣນິກ)" in 2017, establishing a basic legal framework governing the collection, use, and storage of personal data. A "Law on Prevention of Cybercrime (ກົດໝາຍວ່າດ້ວຍການຕ້ານອາຊະຍາກຳທາງຄອມພິວເຕີ)" was also enacted in 2015. However, a significant gap exists between the existence of these laws and users' day-to-day awareness of data protection.

It is not uncommon for users to enter medical information into a chat AI—asking "What disease could these symptoms indicate?"—or to send a screenshot of their BCEL One transaction history and request a "household budget analysis." The problem is that many users in Laos are using AI without recognizing these risks.

The majority of major AI services used in Laos process and store data on servers outside the country—in the United States, Singapore, and elsewhere. This means there is a possibility that data will end up in areas beyond the reach of Lao domestic law alone.

This article outlines the key personal data protection points that users living in Laos should know in order to use AI tools safely, drawing on Laos's legal framework and international best practices. No advanced security knowledge is required. Simply developing the habit of pausing for a moment before entering information can substantially reduce risk.

Data storage, usage, and privacy management policies vary significantly from one AI service to another. The right approach is neither "AI is dangerous" nor "AI is safe"—each service must be evaluated individually.

For example, some chat AIs use input content to train their models, but allow users to opt out through settings. Other services explicitly state that they do not store input data at all. Even within the same service, data handling often differs between enterprise plans and free personal plans.

For users in Laos, the location of data is a particularly important consideration. Almost no AI services have servers based within Laos. Data that users enter is transmitted to servers overseas—in the United States, the EU, Singapore, and elsewhere. While Laos's Electronic Data Protection Law governs data processing within the country, legal protection for data stored on foreign servers is limited.

The ASEAN Framework on Digital Data Governance establishes principles for cross-border data transfers, but enforcement is left to the domestic laws of each member state. Users in Laos must operate under the assumption that their data will be processed across national borders.

Before starting to use a new AI tool, it is worth developing the habit of checking the following points.

• Data retention policy: How long is entered content stored? Is it possible to request deletion?
• Use for training: Will your inputs be used as training data for the AI model? Can you opt out?
• Third-party sharing: Under what conditions is data shared with third parties? Is data shared for advertising purposes?
• History management: Can you control the saving and deletion of your chat history yourself?
• Data location: In which country are data stored? If data is sent outside Laos, are the privacy laws of that country adequate?

There is no need to read the entire privacy policy. Even skimming just the "Data Collection and Use" section will give you a general understanding of how a service handles your data. Spending five minutes the first time you use a service can continuously reduce your risk going forward.

The criterion is simple: if a piece of information could cause real harm if it were leaked, it should not be entered into an AI. Below is an overview of information that warrants particular caution in the Lao context.

The use of mobile banking apps in Laos—such as BCEL One and JDB Mobile—has grown rapidly, and there are cases of users sending screenshots of transaction screens to AI and asking it to "analyze my spending." However, those screenshots contain account numbers, balances, and counterparty information.

One easily overlooked category is other people's information. Screenshots of WhatsApp or LINE group chats, colleagues' email addresses, friends' phone numbers—there are cases where users inadvertently enter other people's personal information into AI. Under Laos's Electronic Data Protection Law, processing a third party's personal data without their consent is, as a general rule, prohibited.

The guiding principle for safe use is to ask yourself: "Would I be troubled if this data were made public?" If the answer is yes, you should either avoid entering it or use the anonymization techniques introduced in the next section.

The safest assumption is that "not all information entered into an AI is guaranteed to remain 100% private." Because all AI services available in Laos process data on overseas servers, this assumption is all the more important.

In practice, it is worth developing the following three habits.

1. Enter only the minimum information necessary

When asking an AI a question, there is no need to enter all background information. For example, if you want to ask "What are the legal risks in this contract?", it is safer to extract only the clause you are concerned about rather than copying the entire contract. Asking "What are the general legal risks of this type of clause?" will yield a useful answer without needing to include the specific names of contracting parties or monetary amounts.

2. Use placeholders

Instead of real names and actual numbers, use placeholders such as [Name], [Account Number], [Company Name], and [Date]. Because AI understands meaning from context, it can provide appropriate responses in most cases even without specific personal information.

Here are examples of situations that commonly arise in practice in Laos.

As shown above, many questions do not require identifying a specific individual in order for the AI to provide an answer.

3. Remove personally identifiable information before sending

Before sending a file or message to an AI, check whether it contains personally identifiable information (PII). In Laos, there are cases where users copy WhatsApp or LINE messages and ask an AI to analyze them—but copying an entire message thread can include the sender's phone number, profile name, and information about group members. Taking the extra step of "extracting and pasting only the message body" protects both your own information and that of others.

These three habits require no technical knowledge. Simply pausing for a moment before entering information can significantly reduce the risk to personal data.

The risk is not limited to text input. Screenshots and files frequently contain personal information that was included unintentionally. When uploading files to AI tools with image recognition or OCR capabilities, even greater care is needed than with text input.

The following is personal information commonly found in screenshots that users in Laos tend to upload.

• Banking app screens: Transaction histories in BCEL One, JDB Mobile, LDB Mobile, and similar apps display account numbers, balances, and transfer recipient information
• LaoQR payment screens: Store names, transaction amounts, and in some cases personal account information encoded in QR codes
• WhatsApp / LINE chat screens: Not only your own information, but also the phone numbers, profile names, and message content of group members may appear
• Ride-hailing app screens (LOCA, etc.): Pickup locations, destinations, fares, and other behavioral patterns are included
• Email app screens: Email addresses and contacts may appear in notification banners or headers
• Photos of official documents: Photos of ID cards, passports, business licenses, and land title certificates

Laos's Electronic Data Protection Law requires data controllers to implement security measures for the safe management of personal data. While users who upload data to AI do so at their own responsibility, legal risk arises when that data includes information belonging to others.

The following measures should be taken before uploading.

• Cropping: Cut out only the necessary portion and exclude surrounding information
• Blurring: Blur identifiable information such as names, numbers, and facial photographs. This can be done using standard image editing features on smartphones (the "Markup" tool on iOS, or "Photo Editor" on Android)
• Removing metadata: Photo files contain EXIF data such as GPS coordinates and the date and time of capture. Location data from photos taken in Vientiane could be used to identify a person's home or workplace
• Reviewing file contents in advance: PDF and Excel files may retain personal information in comments, revision histories, or hidden sheets

It is worth keeping in mind that the seemingly casual act of "taking a screenshot and sending it as-is" carries the risk of leaking not only your own personal information, but that of others as well.

The risks to personal information stem not only from AI technology itself, but also from the trustworthiness of service providers claiming to offer AI. In Laos, many users download apps from sources other than official app stores, which means the risk of fraudulent apps claiming to be "AI-powered" is relatively high.

Below is a summary of patterns that users in Laos should be particularly cautious about.

How to identify trustworthy services

• Is the provider clearly identified?: Can you verify the developer's location, contact information, and track record? APK files for "free AI tools" shared via Facebook or Telegram are especially dangerous.
• Does a privacy policy exist?: If there is no policy, or if one exists but is extremely brief or vague, the risk is high.
• Are the requested permissions reasonable?: If an AI chat app requests access to your contacts, photo library, or SMS, is there a legitimate reason? A tool that only processes text should have no need for SMS read permissions.
• Are you downloading from an official store?: Avoid installing apps from sources other than the Google Play Store or Apple App Store (i.e., avoid sideloading).

Patterns to be especially wary of in Laos

• Unrealistic claims such as "completely free and better than GPT"—these are often spread through Facebook and TikTok ads.
• APK files shared via Telegram or Facebook groups—these may contain malware.
• Apps that advertise Lao language support but in reality only collect user data.
• Apps that request a blanket set of unnecessary permissions—such as SMS, contacts, and call history—at the time of installation.
• Apps that claim to integrate with BCEL One or LaoQR and request access to financial information.

Even when using major AI services (such as ChatGPT, Claude, or Gemini), always confirm that you are accessing them through the official website or official app store. Cases of phishing sites being shared on social media have been reported in Laos, making it important to develop the habit of carefully checking URLs.

Laos's Law on Prevention and Combating Cybercrime covers the unauthorized collection of data and phishing activities as punishable offenses. If you become a victim, you can report the incident to the Ministry of Technology and Communications (MoTC) or LaoCERT.

In addition to personal use, when businesses or sole proprietors operating in Laos use AI, the scope of data they handle expands from "their own information" to "information about customers and business partners." In such cases, the responsibility for protecting personal information becomes significantly greater.

The following types of information handled in the course of business in Laos should not be carelessly entered into AI tools.

• Customer lists: Names, contact details, and transaction history—many small and medium-sized businesses in Laos manage customer data in Excel or Google Sheets, making it easy to inadvertently send this data directly to an AI.
• Pricing and quotation information: Disclosure to competitors can cause harm. Laos has a small market, and information spreads quickly within industries.
• Contracts and NDAs: Documents subject to confidentiality obligations. Contracts with foreign companies in particular may contain clauses prohibiting processing with AI tools.
• Employee information: Salaries, performance reviews, passport details, and work permit numbers—Laos labor law also designates the protection of employees' personal data as an employer's obligation.
• Tax documents: Corporate tax returns, VAT filings, and documents submitted to the Tax Department (ກົມສ່ວຍສາອາກອນ).

This is especially relevant for the growing number of foreign company subsidiaries and freelancers in Laos, where it is common to encounter situations involving "processing a client's data using personal tools." Even if an NDA with a client contains no clause regarding the use of AI tools, entering a customer's confidential information into a third-party AI service carries the risk of undermining trust.

Safe operational guidelines for business use are as follows:

1. Verify the sensitivity level of data before entering it into AI: Use the standard of "Is it acceptable for this information to leave the organization?" as your guide.
2. Anonymize personally identifiable information: Consistently apply the placeholder method described earlier.
3. Use enterprise plans: Many AI services offer guarantees under their enterprise plans that data will not be used for training.
4. Establish internal policies: While few companies in Laos have yet developed AI usage guidelines, it is recommended to at minimum put in writing what information "may be entered into AI" and what "must not be entered."

Laos's Electronic Data Protection Law obligates data controllers (including companies) to implement appropriate security management measures when processing personal data. Entering data into AI tools may fall within the scope of this obligation.

Here are five habits you can start practicing today to use AI safely. None of them require technical knowledge—simply being mindful of them can significantly reduce the risk to your personal information.

1. Only enter information that is truly necessary

When asking AI a question, avoid entering all background information "just in case." Narrow down your input to only the information essential to the core of your question. For example, if you want to ask AI to "review this Lao-language contract," it is safer to extract only the clause you are concerned about and ask about that. There is no need to include the name of the other party or the contract amount.

2. Use placeholders instead of real names and numbers

Replace sensitive details with placeholders such as [Name], [Account Number], [Date], and [Company Name]. Because AI understands context, this approach will yield sufficient answers in most cases. Instead of entering your BCEL One account number or ID card number, simply write [Account Number].

3. Crop and blur screenshots before uploading them

When sending a BCEL One or LaoQR screen to an AI, always blur any portions showing account numbers or balances. If a WhatsApp or LINE chat screen includes the names or phone numbers of other members, crop those out. The standard image editing features on a smartphone are sufficient for this purpose.

4. Review your privacy and history settings

Before you start using an AI service, check the settings screen for the following:

• Whether chat history saving is turned on (turn it off if unnecessary)
• Whether there is an option for your data to be used for model training (and whether you can opt out)
• Whether there is an option to delete past data

Most services allow you to adjust these settings in just a few clicks from the settings screen. Spending five minutes configuring this on your first use will continuously reduce your risk going forward.

5. Do not delegate financial, legal, or medical decisions to AI

AI is useful for organizing information and conducting preliminary research, but it is not a substitute for important decisions. Questions such as "Is it safe to sign this land sale contract?", "What illness do these symptoms indicate?", or "Is this investment opportunity trustworthy?"—for decisions like these, you should always consult a qualified professional (lawyer, doctor, or certified public accountant), even if you use AI output as a reference. Laos has its own distinctive legal system and business practices, and there are many cases where the general answers AI has been trained on do not apply to the situation in Laos.

AI is a versatile tool that can be applied to everything from daily work tasks to personal consultations, but users in Laos bear the responsibility of "choosing what information to enter." In Laos in particular, there is a structural challenge: because all AI service data is processed on servers located outside the country, it is difficult to manage information once it has been entered.

The following is a summary of the measures introduced in this article.

• Check the privacy policy for each AI service: Not all AI handles data in the same way. In particular, confirm which country the data is stored in, and use these services with the understanding that your data will be transmitted outside of Laos.
• Do not enter into AI any information whose leakage would cause you harm: As a general rule, avoid entering national ID card numbers, bank account numbers (BCEL, LDB, etc.), passwords, medical information, and land title certificate details.
• Use placeholders and provide only the minimum necessary information: Simply replacing details with [Name], [Account Number], and similar placeholders allows AI to understand the context and provide a response.
• Crop and anonymize screenshots and files in advance: Screens from BCEL One or WhatsApp contain personal information about yourself and others. Removing metadata is also effective.
• Be wary of fake AI apps and exaggerated advertising: Avoid APK files shared via Facebook or Telegram. Only download from official stores, and decline unnecessary permission requests. Report any incidents to MoTC or LaoCERT.
• When using AI for business, make protecting customer data the top priority: In accordance with Laos's Electronic Data Protection Law, handle customers' confidential information in anonymized form. Also consider using enterprise plans and establishing internal policies.
• Do not delegate financial, legal, or medical decisions to AI: Laos's legal system and business practices have their own distinctive characteristics, and AI's general answers may not apply. Always consult a professional for important decisions.

What is needed to make the most of AI's convenience while protecting your privacy is not advanced technical knowledge. "Pause for a moment before entering information, and ask yourself whether you would be harmed if it were leaked"—this brief moment of judgment is the most powerful line of defense for protecting the personal information of both yourself and those around you.

Below is a compilation of frequently asked questions regarding the protection of personal information when using AI in Laos.

No major AI services with servers located within Laos currently exist. ChatGPT (OpenAI) processes data in the United States, Claude (Anthropic) in the United States, and Gemini (Google) on a US-centered global infrastructure.

This means that the moment you input data into an AI from Laos, that data is transmitted outside the country. Laos's electronic data protection law governs data processing within the country, but its legal enforceability over data stored on overseas servers is limited.

Many major services offer opt-out settings for chat history retention and use in model training. The first step is to check the settings of the service you are using and understand how your data is being handled. If you have concerns, consider manually deleting your past chat history.

In the future, data localization requirements within the ASEAN region may be strengthened, but for now, users' own self-protective measures remain the most important safeguard.

The highest-risk information is that which, if leaked, could directly lead to financial harm or identity theft. In the Lao context, the following are particularly relevant.

• National ID card number (ເລກບັດປະຈໍາຕົວ): In Laos, an ID card is required for opening a bank account, purchasing a SIM card, and completing official procedures, making a leaked number highly susceptible to misuse for identity theft.
• Bank account information: Account numbers and OTPs for BCEL, LDB, JDB, and other banks — mobile banking use in Laos is growing rapidly, making it an easy target for unauthorized access.
• Passwords and PIN codes: BCEL One PINs, email passwords, and social media login credentials — these can lead to account takeovers.
• Land title certificate (ໃບຕາດິນ) information: Real estate is a primary asset in Laos, and the leaking of land title information poses a serious risk to property ownership.
• Medical information: Diagnoses and prescription details — beyond privacy violations, these can lead to discrimination in insurance or employment.

In addition, customer information handled in the course of business is also classified as high-risk. Laos's electronic data protection law stipulates penalties for the unauthorized disclosure or processing of personal data. You may be held legally liable not only for leaking your own information, but also for leaking the information of others.

As a general rule, you should not upload screenshots of banking apps directly to an AI. Screens from BCEL One, JDB Mobile, LDB Mobile, and similar apps contain the following information:

• Account numbers (full or partial)
• Account balance
• Recipient account numbers and names
• Transaction dates, times, and amounts
• QR codes (which may have account information encoded within them)

If you absolutely need to ask an AI to analyze your household finances or categorize transactions, anonymize the data using the following steps:

1. Crop: Cut out the account number, balance, and the app's header section.
2. Blur: Apply a blur to recipient names and account numbers. This can be done with standard image editing tools on your smartphone (the "Markup" feature on iOS, or "Photo Editor" on Android).
3. Convert to text: It is even safer to avoid screenshots altogether and manually transcribe your transaction data as text. Pass it to the AI in a format that does not allow for personal identification, such as "Food expenses 50,000 LAK" or "Communications 200,000 LAK."

The same caution applies to LaoQR payment screens. QR codes may contain store or personal account information, and AI image recognition features could potentially read this data.

• Lao Electronic Data Protection Law (2017) "ກົດໝາຍວ່າດ້ວຍການປົກປ້ອງຂໍ້ມູນເອເລັກໂຕຣນິກ"
• Lao Law on Prevention of Cybercrime (2015) "ກົດໝາຍວ່າດ້ວຍການຕ້ານອາຊະຍາກຳທາງຄອມພິວເຕີ"
• Lao Ministry of Technology and Communications (MoTC / ກະຊວງເຕັກໂນໂລຊີ ແລະ ການສື່ສານ)
• ASEAN "Framework on Digital Data Governance"
• NIST "Cybersecurity, Privacy, and AI"
• NIST "AI RMF Generative AI Profile (AI 600-1)"