OpenAI collects a broad range of personal data including your name, email, payment details, everything you type or upload into its products, your device identifiers, IP address, and general location.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy identifies conversation content, uploaded files, images, and audio as data categories collected, which means that any personal, professional, or sensitive information submitted during a ChatGPT session is captured and subject to the uses described in this policy.
The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control…
The updated policy now explicitly authorizes OpenAI to promote products and services to users through direct marketing on third-party properties and to share limited information with select marketing…
The updated policy removes explicit language describing how OpenAI shares personal data with marketing partners through cookies and similar technologies. The policy previously stated that 'some of th…
The policy states that all content submitted by users including text conversations, uploaded files, images, and audio recordings is collected and processed, alongside technical identifiers including device ID, IP address, and location data derived from device or network settings.
Cross-platform context
See how other platforms handle Data Categories Collected and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect information you provide directly to us when you create an account, use our services, or communicate with us. This includes: name, contact information (email, phone), payment information, account credentials, and the content you submit, including text, files, images, and audio. We also collect usage data, device identifiers, IP addresses, browser type, operating system, pages visited, and location information derived from your IP address or device settings.— Excerpt from OpenAI's OpenAI Privacy Policy
REGULATORY LANDSCAPE: This provision engages CCPA and CPRA category-based disclosure requirements, which mandate that businesses disclose the specific categories of personal information collected at or before the point of collection. The policy's inclusion of audio data may engage additional state biometric or voice data laws depending on jurisdiction. Illinois's Biometric Information Privacy Act (BIPA) may apply if voice or other biometric identifiers are collected from Illinois residents. New York's SHIELD Act imposes specific obligations regarding private information categories. GOVERNANCE EXPOSURE: Medium. The breadth of categories collected, particularly the inclusion of conversation content, uploaded files, audio, and location data, creates a large data footprint that requires comprehensive data mapping, retention scheduling, and breach notification readiness. The combination of content data and technical identifiers creates potential for re-identification even where data is described as de-identified. JURISDICTION FLAGS: Illinois BIPA may apply to voice or facial recognition data if collected from Illinois residents. California CPRA classifies certain inferences drawn from personal data as a separate sensitive data category. Texas and Washington have enacted separate biometric data laws that may interact with the audio and image data collection disclosed in this provision. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm in their data processing agreements which specific categories of data are collected when their users access OpenAI products, and whether collection of audio or biometric-adjacent data triggers additional contractual protections or consent requirements. COMPLIANCE CONSIDERATIONS: Data mapping documentation should enumerate each category listed in the policy and annotate the applicable retention period, legal basis, and sharing destination. Privacy impact assessments may be warranted given the sensitivity of conversation content and uploaded files. Teams handling regulated data (healthcare, financial, legal) should implement controls preventing submission of regulated data through consumer-tier OpenAI products.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy identifies conversation content, uploaded files, images, and audio as data categories collected, which means that any personal, professional, or sensitive information submitted during a ChatGPT session is captured and subject to the uses described in this policy.
The policy states that all content submitted by users including text conversations, uploaded files, images, and audio recordings is collected and processed, alongside technical identifiers including device ID, IP address, and location data derived from device or network settings.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.