OpenAI collects a broad range of personal data including your name, email, payment details, everything you type or upload into its products, your device identifiers, IP address, and general location.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy identifies conversation content, uploaded files, images, and audio as data categories collected, which means that any personal, professional, or sensitive information submitted during a ChatGPT session is captured and subject to the uses described in this policy.
The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.
View change record →The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.
View change record →The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.
View change record →The policy states that all content submitted by users including text conversations, uploaded files, images, and audio recordings is collected and processed, alongside technical identifiers including device ID, IP address, and location data derived from device or network settings.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information you provide directly to us when you create an account, use our services, or communicate with us. This includes: name, contact information (email, phone), payment information, account credentials, and the content you submit, including text, files, images, and audio. We also collect usage data, device identifiers, IP addresses, browser type, operating system, pages visited, and location information derived from your IP address or device settings.— Excerpt from OpenAI's OpenAI Privacy Policy
REGULATORY LANDSCAPE: This provision engages CCPA and CPRA category-based disclosure requirements, which mandate that businesses disclose the specific categories of personal information collected at or before the point of collection. The policy's inclusion of audio data may engage additional state biometric or voice data laws depending on jurisdiction. Illinois's Biometric Information Privacy Act (BIPA) may apply if voice or other biometric identifiers are collected from Illinois residents. New York's SHIELD Act imposes specific obligations regarding private information categories. GOVERNANCE EXPOSURE: Medium. The breadth of categories collected, particularly the inclusion of conversation content, uploaded files, audio, and location data, creates a large data footprint that requires comprehensive data mapping, retention scheduling, and breach notification readiness. The combination of content data and technical identifiers creates potential for re-identification even where data is described as de-identified. JURISDICTION FLAGS: Illinois BIPA may apply to voice or facial recognition data if collected from Illinois residents. California CPRA classifies certain inferences drawn from personal data as a separate sensitive data category. Texas and Washington have enacted separate biometric data laws that may interact with the audio and image data collection disclosed in this provision. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm in their data processing agreements which specific categories of data are collected when their users access OpenAI products, and whether collection of audio or biometric-adjacent data triggers additional contractual protections or consent requirements. COMPLIANCE CONSIDERATIONS: Data mapping documentation should enumerate each category listed in the policy and annotate the applicable retention period, legal basis, and sharing destination. Privacy impact assessments may be warranted given the sensitivity of conversation content and uploaded files. Teams handling regulated data (healthcare, financial, legal) should implement controls preventing submission of regulated data through consumer-tier OpenAI products.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy identifies conversation content, uploaded files, images, and audio as data categories collected, which means that any personal, professional, or sensitive information submitted during a ChatGPT session is captured and subject to the uses described in this policy.
The policy states that all content submitted by users including text conversations, uploaded files, images, and audio recordings is collected and processed, alongside technical identifiers including device ID, IP address, and location data derived from device or network settings.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.