Why ChatGPT is a problem for European businesses #
ChatGPT has changed the way we work. But for European businesses, using it without safeguards is a real risk.
The numbers behind the problem #
- 77% of employees paste company data into ChatGPT
- 82% do so with personal accounts, outside IT control
- 65% of companies have no policy on generative AI use
- Italy has already fined OpenAI 15 million euros (December 2024)
The phenomenon is called shadow AI: employees using unauthorised AI tools with sensitive data. And the risk is not theoretical — Samsung, JP Morgan, Apple, and Deutsche Bank have already banned ChatGPT internally after data leakage incidents.
What happens to your data when you use ChatGPT #
When an employee uses ChatGPT (free or Plus plan), data is:
- Sent to OpenAI servers in the United States
- Potentially used for model training (opt-out available only on paid plans)
- Retained for 30 days even after the conversation is deleted
- Subject to the US Cloud Act, which allows US authorities to access the data
Even with ChatGPT Enterprise, data traverses US-based infrastructure. The EU-US Data Privacy Framework could be invalidated — as already happened with the Privacy Shield in 2020.
ORCA: what it does and how it compares to ChatGPT #
ORCA is HTX’s private enterprise chatbot — the leading ChatGPT alternative for business in Europe. It offers the same features as ChatGPT, but with an architecture designed for corporate data privacy.
Feature comparison #
| Feature | ChatGPT Enterprise | ORCA |
|---|---|---|
| Multi-model chat | GPT-4o/o1 only | DeepSeek, LLaMA, Mistral, Qwen, Claude |
| Document analysis | File upload (cloud) | RAG on internal documents (on-premise) |
| Web search | Yes (OpenAI servers) | Yes (within your perimeter) |
| Content generation | Yes | Yes |
| Where data resides | US servers (Microsoft Azure) | Your infrastructure or EU data centre |
| Training on your data | No (Enterprise) | Never, by contract |
| GDPR compliance | User’s responsibility | Included by design |
| AI Act compliance | User’s responsibility | Included by design |
| Pricing model | Per user/month ($60/user) | Per infrastructure |
| Vendor lock-in | Yes (OpenAI) | No (open-source models) |
| Full audit trail | Partial | Yes |
| Customisation | Limited (GPTs) | Full (fine-tuning, custom RAG) |
How ORCA works in practice #
ORCA runs on PRISMA, HTX’s private AI stack. In practice:
- Connect your data: ORCA indexes internal documents, manuals, procedures, and contracts. The RAG system lets employees ask questions and receive answers based solely on company data.
- Choose your model: you can use open-source models (DeepSeek R1, LLaMA, Mistral) or commercial models via API. With on-premise open-source models, no data ever leaves your network.
- Integrate into workflows: ORCA integrates via API with your existing systems. Employees can use it as a chat assistant, an email helper, or an internal search tool.
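To make the "answers based solely on company data" step concrete, here is an added illustration of the retrieval half of a RAG pipeline. It is not ORCA or PRISMA code: the document paths, their contents and the simple TF-IDF scoring are constructed for the example. It indexes a small set of internal documents, retrieves only the passages relevant to a question, tags each with its source path, and assembles the prompt that would be handed to a model running inside the perimeter. When nothing in the corpus matches, it returns no context at all, so the pipeline can reply "not found in company documents" instead of letting the model answer from general knowledge (and instead of shipping the question anywhere else).

```python
"""
Minimal RAG retrieval step over constructed internal documents.

Added illustration, not ORCA/PRISMA code. Documents, paths and the
keyword-based scoring are hypothetical; a production system would use
embeddings and a local model for the generation step.
"""
import math
import re
from collections import Counter

# Constructed sample documents standing in for an internal knowledge base.
DOCUMENTS = {
    "procedures/leave-policy.txt":
        "Employees accrue 25 days of annual leave. Requests go through the HR "
        "portal at least two weeks in advance.",
    "manuals/vpn-setup.txt":
        "To connect to the VPN, install the client, import the company profile "
        "and authenticate with your smart card.",
    "contracts/supplier-acme.txt":
        "The supplier contract with ACME runs until 31 December 2026 and renews "
        "automatically unless terminated with 90 days notice.",
}

STOPWORDS = {"the", "a", "an", "of", "to", "in", "and", "is", "does", "do",
             "when", "what", "how", "with", "your", "my", "our", "for", "on", "at"}


def tokenize(text):
    """Lowercase word tokens with a small stopword list removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def build_index(docs):
    """Term frequencies per document plus document frequencies for IDF."""
    tfs = {name: Counter(tokenize(text)) for name, text in docs.items()}
    df = Counter()
    for tf in tfs.values():
        df.update(tf.keys())
    return {"tfs": tfs, "df": df, "n": len(docs)}


def score(query_tokens, tf, df, n):
    """Sum of TF-IDF weights for the query terms present in one document."""
    total = 0.0
    for term in query_tokens:
        if term in tf:
            idf = math.log((n + 1) / (df[term] + 1)) + 1
            total += (1 + math.log(tf[term])) * idf
    return total


def retrieve(index, question, k=2):
    """Names of the top-k documents with a positive score, best first."""
    qtokens = tokenize(question)
    scored = []
    for name, tf in index["tfs"].items():
        s = score(qtokens, tf, index["df"], index["n"])
        if s > 0:
            scored.append((s, name))
    scored.sort(reverse=True)
    return [name for _, name in scored[:k]]


def build_prompt(question, docs=DOCUMENTS, index=None, k=2):
    """
    Assemble what the on-premise model would receive: the question plus only
    the retrieved company passages, each tagged with its source path.
    An empty source list means the pipeline should answer "not found in
    company documents" rather than let the model improvise.
    """
    index = index or build_index(docs)
    sources = retrieve(index, question, k)
    if not sources:
        return {"grounded": False, "prompt": None, "sources": []}
    context = "\n".join(f"[{name}] {docs[name]}" for name in sources)
    prompt = (
        "Answer using only the passages below and cite the source in brackets. "
        "If the passages do not contain the answer, say so.\n\n"
        f"{context}\n\nQuestion: {question}"
    )
    return {"grounded": True, "prompt": prompt, "sources": sources}


if __name__ == "__main__":
    for q in ("When does the ACME contract end?",
              "What is the price of bitcoin today?"):
        result = build_prompt(q)
        print(q, "->", result["sources"] or "no company document matched")
```

The point to carry over from the toy version is the control flow, not the scoring: the model only ever sees passages that came from the indexed corpus, every passage carries its source so the answer can cite it, and an off-topic question produces an explicit "not grounded" result rather than a confident guess. Swapping keyword scoring for embeddings changes `score` and `retrieve`; it does not change that boundary.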
The economic advantage of a private chatbot #
ChatGPT Enterprise costs $60 per user per month. For a company with 100 employees, that is $72,000 per year — and the price goes up if advanced features are needed.
ORCA has a different pricing model: you pay for infrastructure, not users. This means:
- Predictable fixed cost, independent of the number of users
- No incremental cost when you add employees
- Measurable ROI: the T&B Associati case study demonstrated a 180% ROI through product sheet automation and document analysis
For European SMEs with 20-200 employees, ORCA becomes economically advantageous from the first year — with the added benefit of zero data leakage risk and full regulatory compliance.
GDPR and AI Act: why compliance is not optional #
GDPR: the company is always responsible #
If an employee pastes personal data into ChatGPT, the company is liable as the data controller (Art. 24 GDPR). The consequences:
- Notification to the supervisory authority within 72 hours
- Fines up to 20 million euros or 4% of global turnover
- Reputational damage
With ORCA — a fully GDPR compliant AI platform — the issue does not arise: personal data never leaves your infrastructure. No extra-EU transfer, no risk of data breach to third parties.
AI Act: obligations already in force #
The AI Act (Reg. EU 2024/1689) has required AI literacy for all companies using AI tools since February 2025. Full obligations for high-risk systems take effect in August 2026.
ORCA is designed for AI Act compliance:
- Transparency: every response is traceable, with a full audit trail
- Human oversight: the system supports decisions, it does not make them
- Risk assessment: integrated documentation for risk classification
Real-world use cases #
T&B Associati — Document automation #
A consultancy firm with 15 professionals. They used ChatGPT to draft product sheets and analyse contracts. Problem: client data was ending up on OpenAI servers.
With ORCA:
- Product sheets: from 45 minutes to 8 minutes per sheet
- Contract analysis: automatic extraction of key clauses
- ROI: 180% in the first year
- Zero data leakage: all data stays on-premise
Healthcare — Clinical documents #
A hospital was using ChatGPT to summarise medical records. Immediate GDPR violation: health data (special category, Art. 9 GDPR) sent to US servers.
With ORCA on PRISMA:
- Clinical summaries generated on-premise
- No patient data leaves the hospital
- GDPR and AI Act compliance guaranteed
How to switch from ChatGPT to ORCA #
The migration is straightforward and does not require stopping operations:
- Assessment (1 week): we analyse how your company uses AI today
- Pilot (2-4 weeks): we install ORCA with a small group of users
- Rollout (2-4 weeks): we extend to all employees with AI literacy training
- Optimisation (ongoing): fine-tuning of models and RAG on your data
The entire process takes 4-8 weeks. Employees find a familiar interface — the learning curve is minimal.
Want to try ORCA? #
If your company uses ChatGPT and you want to switch to a compliant, secure solution under your control, get in touch. We will show you ORCA in a 30-minute demo, connected to your data.
This article was written by the team at HTX — Human Technology eXcellence. We design private artificial intelligence systems for healthcare and industry, from our data centre in Trieste.
Frequently Asked Questions #
What is the main difference between ORCA and ChatGPT?
ChatGPT sends your data to OpenAI servers in the US. ORCA runs on your own infrastructure or on HTX's European infrastructure. Your data never leaves your perimeter. Same features — chat, documents, web search — but with full GDPR and AI Act compliance.
Is ORCA really a ChatGPT alternative for business?
Yes. ORCA offers multi-model chat, document analysis with RAG, web search, and content generation. The difference is that it works on-premise or in a European cloud, your data stays under your control, and it is never used to train third-party models.
How much does ORCA cost compared to ChatGPT Enterprise?
ORCA has no per-user costs. Pricing is based on infrastructure, not on the number of employees. For a company with 50+ users, the per-user cost is significantly lower than ChatGPT Enterprise, with the added benefit of zero data leakage risk.
Can I use ORCA with my company documents?
Yes. ORCA includes a RAG (Retrieval Augmented Generation) system that indexes your internal documents. Employees can ask questions in natural language and receive answers based solely on company data, with source citations.
Does ORCA work with open-source models?
Yes. ORCA runs on PRISMA, HTX's AI stack, which supports open-source models such as DeepSeek, LLaMA, Mistral, and Qwen. You can choose the model best suited to your use case without being locked into a single vendor.