OpenAI keeps your personal data for as long as needed to run its services and meet legal requirements, with no fixed deletion timeline specified in the policy.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause authorizes data retention across multiple operational categories (service provision, legal obligations, dispute resolution, contract enforcement) without specifying fixed retention timelines, establishing a principle-based rather than time-bound retention framework.
Interpretive note: The policy does not specify retention periods or maximum timeframes, making it difficult to assess compliance with GDPR storage limitation requirements without additional operational documentation.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →Your personal data including conversation history may be retained indefinitely under the 'legitimate business purposes' standard unless you actively request deletion through OpenAI's Privacy Portal.
How other platforms handle this
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Statement, unless a longer retention period is required or permitted by law (such as for legal, tax, accounting, fraud prevention, or other legitimate business reasons). In determining the appro...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your Personal Data for as long as necessary to provide you with our services or for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Retention periods will vary depending on the type of data and the purpose for which it was collected.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary (storage limitation principle). The absence of specific retention schedules in the policy may be inconsistent with GDPR transparency obligations under Articles 13 and 14, which require disclosure of retention periods or the criteria used to determine them. CCPA also requires disclosure of retention practices under CPRA amendments. (2) GOVERNANCE EXPOSURE: Medium. The policy uses broad language ('as long as necessary') without specifying criteria or maximum periods, which is a commonly observed industry approach but may face regulatory scrutiny under GDPR's storage limitation requirements. For AI training data specifically, indefinite retention combined with model training use creates compounded exposure. (3) JURISDICTION FLAGS: EEA and UK users have the strongest regulatory backing to challenge indefinite retention through data subject deletion requests. California users have analogous CPRA rights. Other jurisdictions with storage limitation requirements (Brazil, Canada) may also be implicated. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should contractually specify maximum retention periods for their users' data in data processing agreements with OpenAI, rather than relying on the policy's open-ended standard. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request OpenAI's internal data retention schedule as part of vendor due diligence, confirm that deletion requests are honored within the timeframes required by applicable law, and assess whether their own data governance policies align with OpenAI's retention approach.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause authorizes data retention across multiple operational categories (service provision, legal obligations, dispute resolution, contract enforcement) without specifying fixed retention timelines, establishing a principle-based rather than time-bound retention framework.
Your personal data including conversation history may be retained indefinitely under the 'legitimate business purposes' standard unless you actively request deletion through OpenAI's Privacy Portal.
ConductAtlas has identified this type of provision across 64 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.