What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://openai.com/contact-sales/', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': 'Contact OpenAI to request zero data retention for your API account if your use case requires immediate deletion of inputs and outputs.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority to evaluate whether data retention and deletion commitments are implemented as disclosed to enterprise customers.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this API Data Retention and 30-Day Deletion clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

API Data Retention and 30-Day Deletion — OpenAI

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity OpenAI recorded 5 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Data you send through OpenAI's API is automatically deleted after 30 days by default, and customers can request that no data be retained at all.

ⓘ

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The 30-day retention limit with automatic deletion is a specific, time-bounded data handling commitment that is material for organizations with data minimization obligations under GDPR or other regulations.

⚠

Interpretive note: The document does not specify whether the 30-day retention period applies to metadata, logs, or only to raw inputs and outputs, creating some ambiguity about the full scope of the deletion commitment.

Consumer impact (what this means for users)

API customers' inputs and outputs are stated to be deleted after 30 days by default, and a zero-retention option is available upon request, which may support data minimization and deletion obligations under GDPR and similar frameworks.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Contact OpenAI to request zero data retention for your API account if your use case requires immediate deletion of inputs and outputs.

Cross-platform context

See how other platforms handle API Data Retention and 30-Day Deletion and similar clauses.

Compare across platforms →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
By default, API data is retained for 30 days, at which point inputs and outputs are deleted. Customers may request zero data retention.

— Excerpt from OpenAI's OpenAI Enterprise Privacy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages GDPR Article 5(1)(e) on storage limitation, which requires personal data to be kept no longer than necessary. The 30-day default and the availability of zero data retention are operationally relevant to demonstrating storage limitation compliance. CCPA deletion rights and similar state privacy laws may also be engaged. GOVERNANCE EXPOSURE: Medium. The commitment is specific and time-bounded, which supports compliance documentation. However, the document does not specify whether the 30-day clock begins at submission or at the end of a session, and the scope of data covered (inputs only, outputs only, metadata) is not fully defined in the text reviewed. JURISDICTION FLAGS: EU/EEA customers face the highest exposure because GDPR storage limitation is a binding legal requirement, not a default setting. Healthcare sector customers must also evaluate whether the 30-day retention period is consistent with their HIPAA minimum necessary and retention obligations. Illinois and New York customers should evaluate state-specific retention requirements. CONTRACT AND VENDOR IMPLICATIONS: The zero data retention option requires a customer request, implying it is not automatic. Procurement teams should document whether this option has been requested and confirmed in writing, as the default 30-day retention may not satisfy all regulatory minimization requirements without the zero-retention option being activated. COMPLIANCE CONSIDERATIONS: Compliance teams should update data retention schedules to reflect the 30-day default, confirm whether the zero-retention option has been activated for sensitive use cases, and verify that the deletion mechanism covers all relevant data categories including metadata and logs.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has authority to evaluate whether data retention and deletion commitments are implemented as disclosed to enterprise customers.
File a complaint →

Provision details

Document information

Document

OpenAI Enterprise Privacy

Entity

OpenAI

Document last updated

May 12, 2026

Tracking information

First tracked

May 12, 2026

Last verified

May 12, 2026

Record ID

CA-P-011969

Document ID

CA-D-00825

Evidence Provenance

Source URL

https://openai.com/enterprise-privacy/

Wayback Machine

View archived versions →

Content hash (SHA-256)

ac048cebc19346f5fd75309f8820fd04c36648bc8cece90f5edd62740c55d0de

Analysis generated

May 12, 2026 16:41 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: OpenAI
Document: OpenAI Enterprise Privacy
Record ID: CA-P-011969
Captured: 2026-05-12 16:41:02 UTC
SHA-256: ac048cebc19346f5…
URL: https://conductatlas.com/platform/openai/openai-enterprise-privacy/api-data-retention-and-30-day-deletion/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's API Data Retention and 30-Day Deletion clause do?

How does this clause affect you?

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.