If OpenAI is sold, merged, or acquires another company, your personal data may be transferred to the new entity as part of that transaction, including during the negotiation phase before any deal closes.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes transfer of personal data during corporate transactions, including during the negotiation phase, without requiring individual user notification prior to the transfer, which may affect the continuity of the privacy protections users accepted.
The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.
View change record →The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.
View change record →The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.
View change record →The policy states that personal data including conversation history, account information, and usage data may be transferred to an acquiring or merging entity; users are not guaranteed advance individual notice of such a transfer under this provision's terms.
How other platforms handle this
In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal data may be transferred to a successor entity or third party as part of that transaction.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may share or transfer personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.— Excerpt from OpenAI's OpenAI Privacy Policy
REGULATORY LANDSCAPE: This provision engages CCPA and CPRA, which require that consumers be notified if their personal data is transferred to a successor entity and that the successor be bound by the original privacy policy's terms or obtain fresh consent for materially different uses. The FTC Act applies where a corporate transaction results in data being used in ways materially inconsistent with representations made at the time of collection. State privacy laws in Virginia, Colorado, and Connecticut also impose requirements regarding notice of material changes to data processing following a business transfer. GOVERNANCE EXPOSURE: Medium. The inclusion of 'during negotiations' as a transfer trigger is notable because it potentially authorizes sharing personal data with a prospective acquirer before any transaction is finalized, which could precede any user notification. The practical scope of this exposure depends on what data categories are shared during due diligence processes. JURISDICTION FLAGS: California creates heightened exposure given CPRA's requirements for successor entities. The EU GDPR, while not addressed in this US policy, would impose additional notification and lawful basis requirements for EU-resident users if a transaction affected their data processing. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether their data processing agreements with OpenAI include provisions requiring notification of corporate transactions and successor entity obligations. The 'during negotiations' language may create a disclosure to a third party before users or enterprise customers are aware of the potential transaction. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the policy's successor entity language adequately commits the acquirer to honor existing privacy commitments, or whether a material change notice and re-consent obligation would be triggered. Data mapping documentation should flag conversation content and account data as categories subject to potential corporate transaction transfer.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes transfer of personal data during corporate transactions, including during the negotiation phase, without requiring individual user notification prior to the transfer, which may affect the continuity of the privacy protections users accepted.
The policy states that personal data including conversation history, account information, and usage data may be transferred to an acquiring or merging entity; users are not guaranteed advance individual notice of such a transfer under this provision's terms.
ConductAtlas has identified this type of provision across 23 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.