OpenAI · OpenAI Privacy Policy · View original document ↗

Cross-Border Data Transfers

Medium severity High confidence Explicitdocumentlanguage Common · 82 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 16 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

If you use OpenAI services from outside the US, your personal data is transferred to and stored in the United States, with EU and UK transfers covered by Standard Contractual Clauses.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The clause establishes the jurisdictional framework and legal mechanism for international data flows, clarifying that personal data collected from non-U.S. users will be subject to U.S. law and processed in U.S. infrastructure. This addresses regulatory requirements under EU and UK data protection frameworks for lawful cross-border data transfers.

Recent Activity

This document changed recently

Medium Jun 12, 2026

The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.

View change record →
Medium Jun 9, 2026

The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.

View change record →
Medium May 27, 2026

The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
Apr 3, 2026
First Seen
May 11, 2026
Last Seen
This clause type exists across 1153 other provisions on other platforms.

Consumer impact (what this means for users)

Your personal data, regardless of where you are located, is stored in the US and subject to US law; EEA and UK users are covered by Standard Contractual Clauses as the transfer safeguard, though the adequacy of US surveillance law protections remains a subject of ongoing regulatory evaluation.

How other platforms handle this

Fiverr Medium

Your personal information may be transferred to and processed in countries outside your country of residence, including the United States and Israel, which may have data protection laws that differ from those in your country. We rely on appropriate safeguards, such as standard contractual clauses ap...

DocuSign Medium

When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to other countries that have not been found to provide an adequate level of data protection, we use legal mechanisms such as Standard Contractual Clauses approved by the European Commission to h...

Peloton Medium

Your personal information may be transferred to, processed and stored in countries other than the country in which you are resident, including the United States, Australia, Canada, the European Union and the UK. We take appropriate safeguards to protect your personal information in accordance with t...

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by those third parties with whom we may share your information as described in this Privacy Policy. We use Standard Contractual Clauses approved by the European Commission for transfers of personal data from the EEA or UK to the United States.

— Excerpt from OpenAI's OpenAI Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision implicates GDPR Chapter V (international transfers), specifically the use of Standard Contractual Clauses (SCCs) as a transfer mechanism following the Schrems II ruling, which invalidated the EU-US Privacy Shield. The EU-US Data Privacy Framework adopted in 2023 provides an alternative adequacy mechanism, but SCCs remain commonly used. The UK GDPR imposes equivalent transfer restriction requirements. The Irish DPC and other national DPAs retain authority to challenge the adequacy of US transfer safeguards. (2) GOVERNANCE EXPOSURE: Medium. The use of SCCs is a recognized and commonly deployed transfer mechanism, but organizations must conduct Transfer Impact Assessments (TIAs) under current regulatory guidance to confirm SCCs are effective given US surveillance law. The policy does not describe TIA procedures, which may be a gap for enterprise procurement. (3) JURISDICTION FLAGS: EEA and UK users are primary. Switzerland has analogous transfer restrictions. Transfers from other jurisdictions (e.g., Brazil under LGPD, Canada under PIPEDA) may require separate analysis not addressed in the policy. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EEA or UK should confirm that their data processing agreements with OpenAI incorporate current-version SCCs and that OpenAI has conducted or can provide documentation of Transfer Impact Assessments. The policy's reference to SCCs without specifying the version or module may require supplementary contractual review. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that SCCs in place with OpenAI reflect the 2021 European Commission updated SCC templates; assess TIA documentation; and confirm UK IDTA or addendum is in place for UK-specific transfers.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has enforcement authority over US-based entities' adherence to international data transfer frameworks including the EU-US Data Privacy Framework.
    File a complaint →

Applicable regulations

BIPA
Illinois, USA
CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
OpenAI Privacy Policy
Entity
OpenAI
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 10, 2026
Record ID
CA-P-000086
Document ID
CA-D-00010
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
9fedd919cc6d99e951ea6b8c198d3ded6d0673342d8c265778e44a35720b9b49
Analysis generated
May 10, 2026 22:24 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Privacy Policy
Record ID: CA-P-000086
Captured: 2026-05-10 22:24:41 UTC
SHA-256: 9fedd919cc6d99e9…
URL: https://conductatlas.com/platform/openai/openai-privacy-policy/cross-border-data-transfers/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's Cross-Border Data Transfers clause do?

The clause establishes the jurisdictional framework and legal mechanism for international data flows, clarifying that personal data collected from non-U.S. users will be subject to U.S. law and processed in U.S. infrastructure. This addresses regulatory requirements under EU and UK data protection frameworks for lawful cross-border data transfers.

How does this clause affect you?

Your personal data, regardless of where you are located, is stored in the US and subject to US law; EEA and UK users are covered by Standard Contractual Clauses as the transfer safeguard, though the adequacy of US surveillance law protections remains a subject of ongoing regulatory evaluation.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 82 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.