If you use OpenAI services from outside the US, your personal data is transferred to and stored in the United States, with EU and UK transfers covered by Standard Contractual Clauses.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the jurisdictional framework and legal mechanism for international data flows, clarifying that personal data collected from non-U.S. users will be subject to U.S. law and processed in U.S. infrastructure. This addresses regulatory requirements under EU and UK data protection frameworks for lawful cross-border data transfers.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →Your personal data, regardless of where you are located, is stored in the US and subject to US law; EEA and UK users are covered by Standard Contractual Clauses as the transfer safeguard, though the adequacy of US surveillance law protections remains a subject of ongoing regulatory evaluation.
How other platforms handle this
Roblox is based in the United States, and your personal information may be transferred to and processed in the United States or other countries where Roblox or its service providers operate. These countries may have data protection laws that differ from the laws of your home country. By using the Ro...
Uber operates globally and may transfer the personal data of drivers and delivery people to countries other than the country in which they reside. These countries may have different and less protective data protection laws than those of your country of residence. Uber uses standard contractual claus...
Shopify is a global business. We may transfer your personal information to countries other than the country in which it was originally collected, including to Canada and the United States where our servers are located. These countries may not have the same data protection laws as your country. When ...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by those third parties with whom we may share your information as described in this Privacy Policy. We use Standard Contractual Clauses approved by the European Commission for transfers of personal data from the EEA or UK to the United States.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: This provision implicates GDPR Chapter V (international transfers), specifically the use of Standard Contractual Clauses (SCCs) as a transfer mechanism following the Schrems II ruling, which invalidated the EU-US Privacy Shield. The EU-US Data Privacy Framework adopted in 2023 provides an alternative adequacy mechanism, but SCCs remain commonly used. The UK GDPR imposes equivalent transfer restriction requirements. The Irish DPC and other national DPAs retain authority to challenge the adequacy of US transfer safeguards. (2) GOVERNANCE EXPOSURE: Medium. The use of SCCs is a recognized and commonly deployed transfer mechanism, but organizations must conduct Transfer Impact Assessments (TIAs) under current regulatory guidance to confirm SCCs are effective given US surveillance law. The policy does not describe TIA procedures, which may be a gap for enterprise procurement. (3) JURISDICTION FLAGS: EEA and UK users are primary. Switzerland has analogous transfer restrictions. Transfers from other jurisdictions (e.g., Brazil under LGPD, Canada under PIPEDA) may require separate analysis not addressed in the policy. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EEA or UK should confirm that their data processing agreements with OpenAI incorporate current-version SCCs and that OpenAI has conducted or can provide documentation of Transfer Impact Assessments. The policy's reference to SCCs without specifying the version or module may require supplementary contractual review. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that SCCs in place with OpenAI reflect the 2021 European Commission updated SCC templates; assess TIA documentation; and confirm UK IDTA or addendum is in place for UK-specific transfers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the jurisdictional framework and legal mechanism for international data flows, clarifying that personal data collected from non-U.S. users will be subject to U.S. law and processed in U.S. infrastructure. This addresses regulatory requirements under EU and UK data protection frameworks for lawful cross-border data transfers.
Your personal data, regardless of where you are located, is stored in the US and subject to US law; EEA and UK users are covered by Standard Contractual Clauses as the transfer safeguard, though the adequacy of US surveillance law protections remains a subject of ongoing regulatory evaluation.
ConductAtlas has identified this type of provision across 76 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.