Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is OpenAI's privacy disclosure page specifically for enterprise and business customers using ChatGPT Enterprise, ChatGPT Team, and the API. The most significant commitment the document states is that conversations and data submitted through these enterprise products are not used to train OpenAI's AI models by default, and API data is deleted within 30 days unless you opt in to longer retention. If your organization handles sensitive data, you should check whether you have an active Data Processing Addendum or Business Associate Agreement with OpenAI, as these are required to access GDPR and HIPAA-level protections.
This document is OpenAI's Enterprise Privacy page, governing data handling practices for ChatGPT Enterprise, ChatGPT Business (Team), and the API Platform, framed as a disclosure of privacy commitments rather than a binding contractual agreement in the traditional sense. The terms state that API and ChatGPT Enterprise/Team customers' inputs and outputs are not used to train OpenAI models by default, that data submitted via the API is retained for up to 30 days for abuse monitoring before deletion unless the customer has opted into longer storage, and that enterprise customers retain ownership of their inputs and outputs. The document asserts a Data Processing Addendum (DPA) is available for enterprise customers and references SOC 2 Type 2 compliance, GDPR compliance mechanisms, and HIPAA-eligible services under a Business Associate Agreement (BAA), though the page functions as a marketing and disclosure page rather than a full contractual instrument, meaning the precise enforceability of individual commitments depends on the operative terms of service and any executed DPA or BAA. The document engages GDPR, CCPA, HIPAA, and the EU AI Act regulatory landscape; GDPR applicability is acknowledged through references to Standard Contractual Clauses (SCCs) and a DPA, while HIPAA applicability is noted as available to qualifying customers via BAA. Compliance teams should note that the privacy protections described (no training on enterprise data, 30-day retention limits) are operationally conditional on the product tier used and may not apply to free or consumer-tier users, creating a tiered data governance structure with materially different implications depending on the customer relationship.
Institutional analysis available with Professional
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.
Start Professional free trialMonitoring
OpenAI has updated this document before.
Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
Professional Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Professional free trialCross-platform context
See how other platforms handle GDPR Data Processing Addendum and Standard Contractual Clauses and similar clauses.
Compare across platforms →OpenAI expanded its data sharing terms to include third-party marketing partners. The updated policy authorizes the use of personal data fo…
Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.