OpenAI · OpenAI Privacy Policy · View original document ↗

Data Retention Policy

Medium severity Medium confidence Explicitdocumentlanguage Common · 65 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 16 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

OpenAI keeps your personal data for as long as needed to run its services and meet legal requirements, with no fixed deletion timeline specified in the policy.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The clause authorizes data retention across multiple operational categories (service provision, legal obligations, dispute resolution, contract enforcement) without specifying fixed retention timelines, establishing a principle-based rather than time-bound retention framework.

Interpretive note: The policy does not specify retention periods or maximum timeframes, making it difficult to assess compliance with GDPR storage limitation requirements without additional operational documentation.

Recent Activity

This document changed recently

Medium Jun 12, 2026

The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.

View change record →
Medium Jun 9, 2026

The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.

View change record →
Medium May 27, 2026

The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
Apr 3, 2026
First Seen
May 11, 2026
Last Seen
This clause type exists across 343 other provisions on other platforms.

Consumer impact (what this means for users)

Your personal data including conversation history may be retained indefinitely under the 'legitimate business purposes' standard unless you actively request deletion through OpenAI's Privacy Portal.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Visit privacy.openai.com and submit a data deletion request to have your personal data removed from OpenAI's systems. You may also email privacy@openai.com with your deletion request.

How other platforms handle this

Microsoft Azure Medium

Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...

Meta Ads Medium

We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...

Binance.US Medium

BAM retains your Personal Information for as long as is necessary for the purposes set out in this Privacy Policy and to the extent necessary to comply with our legal and regulatory obligations (i.e., if we are required to retain your data or the information you provided to us to comply with applica...

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
We retain your Personal Data for as long as necessary to provide you with our services or for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Retention periods will vary depending on the type of data and the purpose for which it was collected.

— Excerpt from OpenAI's OpenAI Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary (storage limitation principle). The absence of specific retention schedules in the policy may be inconsistent with GDPR transparency obligations under Articles 13 and 14, which require disclosure of retention periods or the criteria used to determine them. CCPA also requires disclosure of retention practices under CPRA amendments. (2) GOVERNANCE EXPOSURE: Medium. The policy uses broad language ('as long as necessary') without specifying criteria or maximum periods, which is a commonly observed industry approach but may face regulatory scrutiny under GDPR's storage limitation requirements. For AI training data specifically, indefinite retention combined with model training use creates compounded exposure. (3) JURISDICTION FLAGS: EEA and UK users have the strongest regulatory backing to challenge indefinite retention through data subject deletion requests. California users have analogous CPRA rights. Other jurisdictions with storage limitation requirements (Brazil, Canada) may also be implicated. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should contractually specify maximum retention periods for their users' data in data processing agreements with OpenAI, rather than relying on the policy's open-ended standard. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request OpenAI's internal data retention schedule as part of vendor due diligence, confirm that deletion requests are honored within the timeframes required by applicable law, and assess whether their own data governance policies align with OpenAI's retention approach.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority over data retention practices that may constitute unfair or deceptive acts under Section 5 of the FTC Act, particularly where retention periods are not clearly disclosed.
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
UK GDPR
United Kingdom

Provision details

Document information
Document
OpenAI Privacy Policy
Entity
OpenAI
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 10, 2026
Record ID
CA-P-000090
Document ID
CA-D-00010
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
9fedd919cc6d99e951ea6b8c198d3ded6d0673342d8c265778e44a35720b9b49
Analysis generated
May 10, 2026 22:24 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Privacy Policy
Record ID: CA-P-000090
Captured: 2026-05-10 22:24:41 UTC
SHA-256: 9fedd919cc6d99e9…
URL: https://conductatlas.com/platform/openai/openai-privacy-policy/data-retention-policy/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's Data Retention Policy clause do?

The clause authorizes data retention across multiple operational categories (service provision, legal obligations, dispute resolution, contract enforcement) without specifying fixed retention timelines, establishing a principle-based rather than time-bound retention framework.

How does this clause affect you?

Your personal data including conversation history may be retained indefinitely under the 'legitimate business purposes' standard unless you actively request deletion through OpenAI's Privacy Portal.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.