Data you send through OpenAI's API is automatically deleted after 30 days by default, and customers can request that no data be retained at all.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The 30-day retention limit with automatic deletion is a specific, time-bounded data handling commitment that is material for organizations with data minimization obligations under GDPR or other regulations.
Interpretive note: The document does not specify whether the 30-day retention period applies to metadata, logs, or only to raw inputs and outputs, creating some ambiguity about the full scope of the deletion commitment.
This provision's specific mention of zero-data-retention option was removed, though the 30-day default is preserved in the new consolidated data retention provision.
View full change record →API customers' inputs and outputs are stated to be deleted after 30 days by default, and a zero-retention option is available upon request, which may support data minimization and deletion obligations under GDPR and similar frameworks.
How other platforms handle this
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"By default, API data is retained for 30 days, at which point inputs and outputs are deleted. Customers may request zero data retention.— Excerpt from OpenAI's OpenAI Enterprise Privacy
REGULATORY LANDSCAPE: This provision engages GDPR Article 5(1)(e) on storage limitation, which requires personal data to be kept no longer than necessary. The 30-day default and the availability of zero data retention are operationally relevant to demonstrating storage limitation compliance. CCPA deletion rights and similar state privacy laws may also be engaged. GOVERNANCE EXPOSURE: Medium. The commitment is specific and time-bounded, which supports compliance documentation. However, the document does not specify whether the 30-day clock begins at submission or at the end of a session, and the scope of data covered (inputs only, outputs only, metadata) is not fully defined in the text reviewed. JURISDICTION FLAGS: EU/EEA customers face the highest exposure because GDPR storage limitation is a binding legal requirement, not a default setting. Healthcare sector customers must also evaluate whether the 30-day retention period is consistent with their HIPAA minimum necessary and retention obligations. Illinois and New York customers should evaluate state-specific retention requirements. CONTRACT AND VENDOR IMPLICATIONS: The zero data retention option requires a customer request, implying it is not automatic. Procurement teams should document whether this option has been requested and confirmed in writing, as the default 30-day retention may not satisfy all regulatory minimization requirements without the zero-retention option being activated. COMPLIANCE CONSIDERATIONS: Compliance teams should update data retention schedules to reflect the 30-day default, confirm whether the zero-retention option has been activated for sensitive use cases, and verify that the deletion mechanism covers all relevant data categories including metadata and logs.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The 30-day retention limit with automatic deletion is a specific, time-bounded data handling commitment that is material for organizations with data minimization obligations under GDPR or other regulations.
API customers' inputs and outputs are stated to be deleted after 30 days by default, and a zero-retention option is available upon request, which may support data minimization and deletion obligations under GDPR and similar frameworks.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.