AI Model and Data Licence Agreements: Common Mistakes for New Zealand Businesses

An AI model and data licence can look deceptively simple. A provider says you can access a model, use an API, fine tune with your own data, or train on a dataset, and the commercial team wants to get moving. The problem is that many New Zealand businesses sign before they pin down who owns outputs, whether their data can be reused, and what happens if the model infringes someone else’s rights.

Three common mistakes come up again and again. First, businesses accept standard terms that let the supplier use prompts, inputs or customer data far more broadly than expected. Second, they assume the licence gives full freedom to commercialise outputs when the agreement actually restricts resale, high risk use cases, or product integration. Third, they skip privacy, confidentiality and liability checks because the document is framed as a simple technology subscription rather than a core contract review.

This guide explains what an AI model and data licence means in practice for New Zealand businesses, the legal issues to check before you sign, and the mistakes that most often create cost, delay and risk later.

Overview

An AI model and data licence sets the legal rules for access to an AI model, a training dataset, or both. It decides what you can use, how you can use it, who keeps ownership of inputs and outputs, and which party carries the risk if something goes wrong.

  • Check exactly what is being licensed: the model, the dataset, the API, weights, documentation, outputs, or all of these.
  • Confirm whether your business can use the tool internally only, embed it in a product, resell services based on it, or fine tune it.
  • Pin down who owns your inputs, derived models, customisations and generated outputs.
  • Review privacy, confidentiality and security terms if personal information or commercially sensitive data will be uploaded.
  • Check whether the supplier can use your data to train or improve its model.
  • Read warranty, indemnity and liability clauses carefully, especially around IP infringement, hallucinations, service outages and regulated use cases.
  • Make sure termination rights, data return and transition support are workable before you rely on the provider’s platform.

What an AI Model and Data Licence Means for New Zealand Businesses

An AI model and data licence is not just an IT procurement document. It is a core commercial contract that affects IP ownership, privacy compliance, customer promises and business continuity.

For some businesses, the licence is mainly about internal productivity. Staff may use a model to draft content, summarise documents, analyse data or automate support workflows. In that case, the main legal questions are usually confidentiality, personal information, output quality, and whether the supplier can reuse uploaded material.

For other businesses, the model or dataset sits inside the product they sell. A SaaS company might embed a third party model into customer-facing features. A retailer might use computer vision tools for inventory forecasting. A professional services firm might build client reports with a licensed foundation model and proprietary data. In these cases, the AI model and data licence often becomes one of the most important contracts in the business.

The wording matters because the agreement may cover several different assets at once.

  • A licence to access a hosted AI model through an API.
  • A licence to download model weights or software.
  • A licence to use a dataset for training, validation or benchmarking.
  • A right to create derivative models or fine tuned versions.
  • A right to use generated outputs in internal operations or external products.

New Zealand businesses should also think about how this contract interacts with existing legal obligations. If you collect customer information and feed it into an AI tool, the Privacy Act 2020 is likely to be relevant. If you market an AI-enabled service to customers, statements about accuracy, automation or performance need to line up with the Fair Trading Act 1986. If your customer contract promises strict confidentiality, your upstream AI terms need to support that promise.

This is where founders often get caught. They negotiate price and volume, but not the practical legal fit between the AI supplier’s paper and the commitments already made to customers, investors or regulators.

Why the same licence can create different risks

The legal risk changes depending on how your business uses the technology. A basic internal chatbot may create a manageable contractual risk if no sensitive information is involved. A healthcare, finance, insurance or education workflow may create a much higher risk profile because errors, bias or data misuse could affect regulated decisions, vulnerable users or contractual service levels.

That does not mean every AI licence needs a heavily negotiated agreement. It does mean the contract should reflect the use case. Before you accept the provider’s standard terms, ask whether the licence fits the real way your team and customers will rely on the tool.

The safest approach is to treat an AI model and data licence like any other mission-critical supply contract. You need a clear scope, sensible risk allocation, and written terms that match how your business actually operates.

1. What exactly is licensed

The first question is basic but often missed. What are you actually getting rights to use?

Some agreements license only access to a hosted service. Others include rights over training datasets, APIs, SDKs, documentation, model outputs or derivative models. If the wording is vague, disputes can arise later about whether your team can:

  • fine tune the model with internal data
  • use outputs in customer-facing materials
  • benchmark the model against competitors
  • allow contractors or group companies to use the service
  • build product features that depend on the licensed model

If your business model depends on external use, make sure the licence expressly allows commercial deployment and product integration. Internal-use-only restrictions are common.

2. Ownership of inputs, outputs and improvements

Ownership terms are often the heart of the deal. Do not assume you own everything you upload and everything the system generates simply because you paid for access.

Before you sign, look for separate treatment of:

  • your pre-existing data and materials
  • prompts, queries and other inputs
  • outputs generated for your account
  • fine tuned models or custom configurations
  • feedback, evaluation data and usage analytics

Some providers let customers own their inputs and outputs, but still reserve broad rights to use them for model improvement, safety monitoring or service analytics. Others say outputs are assigned only to the extent permitted by law, or only where the output is not substantially similar to content produced for other users. Those distinctions matter if you plan to commercialise the result or promise exclusivity to clients.

3. Rights to use your data for training or improvement

This is one of the biggest pressure points for New Zealand businesses. If you upload customer information, commercially sensitive material or confidential know-how, broad model training rights can create a serious mismatch with privacy obligations and client expectations.

The agreement should clearly say whether the supplier may use your data:

  • to provide the service only
  • for internal analytics and troubleshooting
  • to improve generic model performance
  • to train future models
  • to share with subcontractors or affiliates

If the answer extends beyond service delivery, pause and assess the legal and commercial consequences. You may need stricter restrictions, de-identification controls, opt-out rights, or a separate enterprise arrangement.

4. Privacy and cross-border handling

If personal information is involved, privacy terms should not be buried in the background documents. Your business needs enough visibility to explain what happens to that information and to meet its own obligations under New Zealand privacy law.

Key questions include where data is stored, which subprocessors can access it, whether overseas disclosures occur, what security standards apply, and how long data is retained. If your privacy notice, customer contracts or procurement commitments say one thing and the AI supplier terms say another, you may create a compliance problem before the product is even used at scale.

5. Confidentiality and security

A standard software clause is not always enough for AI. Prompts and training data can reveal strategic plans, pricing logic, legal advice, source code, customer lists or other sensitive material. If your staff will use the tool in day-to-day operations, weak confidentiality language can create avoidable exposure.

Look for clear confidentiality obligations, minimum security commitments, incident notification timing, subcontractor controls and restrictions on human review of your data. If the tool will process highly sensitive material, technical controls should sit alongside the contract.

6. Accuracy, performance and prohibited use

Most AI providers limit promises about reliability, factual accuracy and fitness for purpose. That is not surprising, but your business still needs to understand where the risk lands.

If the model will be used in decisions that affect customers, compliance processes or contractual deliverables, check for:

  • service levels and uptime commitments
  • known limitations and excluded use cases
  • requirements for human review
  • rules against high-risk or regulated decisions
  • audit or testing rights

If your business sells an AI-enabled service, your own customer terms and marketing claims should reflect these realities. Overpromising on automated accuracy can create Fair Trading Act issues as well as contract disputes.

7. IP infringement risk and indemnities

The hard question is who pays if the model, dataset or output allegedly infringes someone else’s copyright, trade mark or other IP rights. This is not theoretical. AI disputes often centre on training data provenance, output similarity and rights in generated content.

Check whether the supplier gives an IP indemnity, how broad it is, and what exclusions apply. Some indemnities disappear if you use the model with your own data, combine it with other systems, fine tune it, or use outputs in a particular industry. Those carve-outs can leave the customer carrying most of the real-world risk.

8. Liability caps and excluded losses

Liability clauses tell you how much practical protection the contract gives. A low fee-based cap may be acceptable for minor internal tools, but it may be inadequate if your business relies on the model in customer-facing products or regulated workflows.

Focus on whether the cap applies equally to confidentiality breaches, privacy incidents and IP claims, and whether indirect loss exclusions are drafted so broadly that they wipe out meaningful recovery. If an outage or output failure could expose you to customer claims, the supplier’s liability position needs special attention.

9. Termination, suspension and exit

The main risk is dependency. If your product, workflow or customer deliverables rely on a third party AI service, suspension or termination can hurt quickly.

Before you sign, confirm:

  • when the supplier can suspend access
  • whether alleged misuse triggers immediate termination
  • how you can retrieve data and outputs
  • whether transition support is available
  • what happens to fine tuned models and stored prompts after exit

It is much easier to negotiate these points before you spend money on setup and integration.

Common Mistakes With AI Model and Data Licences

Most disputes start with assumptions. Businesses assume the paper says what the sales conversation suggested, or that a familiar software contract structure covers AI-specific risks when it does not.

Accepting standard terms without mapping the use case

The first mistake is treating the contract as routine SaaS procurement. A provider’s standard terms may be fine for low-risk experimentation, but unsuitable for customer-facing deployment, regulated industries or sensitive datasets.

Before you rely on a verbal promise, compare the actual licence against your intended use. If your team plans to embed the model into a paid platform, let third parties access outputs, or use confidential client material, the paper needs to say so.

Assuming outputs are fully owned and freely reusable

Many founders expect a simple answer here: we pay, therefore we own. AI contracts rarely work that neatly.

The agreement may give you broad use rights without true ownership, or may limit rights where outputs resemble third party content or content generated for other users. That can become a problem if you want to license deliverables onward, claim exclusivity, or build repeatable product features around the outputs.

Ignoring dataset provenance

A dataset licence deserves just as much scrutiny as a model licence. If the underlying dataset was assembled with weak rights clearance, the legal risk may flow downstream to your business.

This issue matters most where the dataset includes copyrighted material, personal information, industry-specific records or web-scraped content. Ask where the data came from, what permissions support the use, and whether any restrictions carry through to your outputs or trained models.

Letting customer data flow into model training by default

This is a very common operational mistake. Teams start using an AI tool and only later realise uploaded content may be used to improve the supplier’s wider system.

For a New Zealand business, that can trigger a chain of issues. Privacy notices may need updating. Customer contracts may not permit it. Internal confidentiality controls may be undermined. If the data includes third party secrets or regulated information, the commercial fallout can be larger than the legal wording alone suggests.

Overlooking downstream promises to your own customers

Your upstream AI licence and your downstream customer contract should fit together. If your customer agreement promises strict service levels, bespoke ownership, deletion on request, or no offshore disclosure, but your AI supplier refuses those commitments, your business may be left bridging the gap.

This is where founders often get caught during enterprise sales. The customer asks sensible due diligence questions, and the business realises too late that its AI supplier terms do not support the promises needed to close the deal.

Relying on broad disclaimers for high-risk use

Some businesses think they can solve AI risk with a disclaimer to customers. That is rarely enough if the technology is central to the service or marketed as reliable decision support.

If your business uses AI in areas like recruitment screening, eligibility assessments, compliance monitoring or industry-specific analysis, contract drafting should be paired with process controls, review steps and careful marketing language. The law will usually look at the substance of what your business is offering, not just the disclaimer wording.

Failing to plan for termination

The final common mistake is focusing on sign-up and forgetting exit. A model provider may change pricing, discontinue features, suspend your account after a policy dispute, or shift to new technical architecture.

If there is no practical exit plan, your business can be left scrambling to extract data, rebuild workflows and explain service changes to customers. Good contract review reduces that lock-in risk before it becomes urgent.

FAQs

Do New Zealand businesses need a written AI model and data licence?

If you are using a third party AI model or dataset for business purposes, a written agreement is strongly recommended. Even where access is provided through online terms, those terms should be reviewed like any other important supplier contract.

Who owns AI-generated outputs under a licence agreement?

That depends on the contract. Some agreements assign rights in outputs to the customer, some grant only a licence to use them, and some reserve broad provider rights for improvement or reuse. You need to read the output clause alongside the training, feedback and IP provisions.

Can a provider use our uploaded data to train its model?

Only if the agreement allows it, but many standard terms do allow some form of reuse. Before you sign, check whether the provider can use prompts, inputs, files or metadata for training, analytics or service improvement.

The contract should address who bears that risk. Look for an IP indemnity, any exclusions to that indemnity, and whether your own use of prompts, training data or fine tuning could shift liability back to your business.

Are privacy issues relevant if we only use AI internally?

Yes. Internal use can still involve employee information, customer records, confidential documents or commercially sensitive material. Privacy, confidentiality and security checks still matter before your team starts uploading data.

Key Takeaways

An AI model and data licence deserves careful review before you sign, especially if the tool will touch customer data, valuable IP or core service delivery.

  • Check what is actually being licensed, including models, datasets, outputs, APIs and derivative rights.
  • Do not assume you own outputs or that your data will be excluded from training and improvement uses.
  • Make sure privacy, confidentiality and cross-border data handling terms match your New Zealand legal obligations and customer promises.
  • Review IP indemnities, warranty limits and liability caps closely, because these often decide who carries the real risk.
  • Match the contract to the real use case, particularly if the AI tool sits inside your product or supports important customer decisions.
  • Plan for suspension, termination and data exit before you become dependent on the provider.

If you want help with data use restrictions, IP ownership, privacy compliance or liability clauses, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
