The document states that API conversation data is not retained beyond 30 days by default except for safety purposes, while ChatGPT Enterprise stores conversations with administrator-level controls for data management and deletion.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Data retention terms directly affect enterprise customers' compliance with GDPR storage limitation principles, CCPA deletion rights obligations, and internal data governance policies. The distinction between API retention (30-day default) and ChatGPT Enterprise retention (stored with admin controls) creates different compliance profiles for the two product tiers.
Interpretive note: The scope and duration of the safety exception to the 30-day API retention default is not defined in this document, creating uncertainty for GDPR storage limitation compliance.
This provision adds clarity on the different retention policies between API and Enterprise products and introduces the concept of administrative control over conversation data deletion.
View full change record →Under these terms, API customers have a default 30-day data retention limit on conversation data, while ChatGPT Enterprise customers have conversations stored with administrator tools for management and deletion. Enterprise administrators can manage and delete conversation data through the admin console.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"By default, API users' prompts and responses are not stored by OpenAI beyond 30 days, except as required for safety purposes. ChatGPT Enterprise customers have conversations stored but administrators can manage and delete data.— Excerpt from OpenAI's OpenAI Enterprise Privacy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 5(1)(e) storage limitation, which requires personal data to be retained no longer than necessary for the stated purpose. CCPA deletion rights may also be relevant where California residents' personal data is processed. The carve-out for safety purposes is not defined in detail in this document, which may create uncertainty for GDPR records of processing. (2) GOVERNANCE EXPOSURE: Medium. The 30-day API retention default is operationally relevant for organizations that must demonstrate compliance with data minimization obligations. The exception for safety purposes is not quantified (duration, scope, or access controls), which may require clarification in DPA negotiations. (3) JURISDICTION FLAGS: EU/EEA customers must assess whether the 30-day retention period and the safety exception satisfy GDPR storage limitation requirements under their specific processing purposes. Healthcare organizations should verify that retention practices align with HIPAA minimum necessary standards. Organizations in jurisdictions with mandatory data localization requirements should confirm where retained data is stored. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should confirm in their DPA whether the 30-day API retention default is contractually binding or subject to change. The scope of the safety exception should be clarified, including who can access retained data and under what circumstances. ChatGPT Enterprise administrators should document their data deletion procedures as part of vendor management records. (5) COMPLIANCE CONSIDERATIONS: Data protection officers should include OpenAI's retention terms in their Article 30 records and assess whether the safety exception creates residual processing that must be disclosed in privacy notices. Teams should also verify whether usage metadata, logs, or fine-tuning artifacts are subject to the same retention terms as conversation data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Data retention terms directly affect enterprise customers' compliance with GDPR storage limitation principles, CCPA deletion rights obligations, and internal data governance policies. The distinction between API retention (30-day default) and ChatGPT Enterprise retention (stored with admin controls) creates different compliance profiles for the two product tiers.
Under these terms, API customers have a default 30-day data retention limit on conversation data, while ChatGPT Enterprise customers have conversations stored with administrator tools for management and deletion. Enterprise administrators can manage and delete conversation data through the admin console.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.