OpenAI states it keeps your personal data for as long as needed to run its services and meet legal requirements, after which it will delete or anonymize it.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify fixed retention periods for individual data categories, which means the duration for which conversation content, uploaded files, and account data may be retained is not precisely defined for users.
Interpretive note: The policy does not specify retention periods by data category, making it difficult to assess whether specific data types such as conversation content or uploaded files are retained for different durations.
The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.
View change record →The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.
View change record →The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.
View change record →The policy authorizes retention of personal data including conversation content and account information for an unspecified period described as 'as long as necessary,' without stating specific timelines for individual data categories such as conversation history or uploaded files.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When we no longer need personal information, we will delete or anonymize it, or if this is not possible, we will securely store and isolate it from further processing.— Excerpt from OpenAI's OpenAI Privacy Policy
REGULATORY LANDSCAPE: CCPA and CPRA require that privacy policies disclose the period for which personal information will be retained, or the criteria used to determine that period. The absence of specific retention timelines for distinct data categories may create tension with this disclosure requirement. Virginia, Colorado, and Connecticut privacy laws also require that data not be retained longer than necessary for its stated purpose. The FTC Act may apply where retention practices are inconsistent with representations made about data minimization. GOVERNANCE EXPOSURE: Medium. The policy's use of 'as long as necessary' without category-specific timelines is common in the industry but may not satisfy the granularity required by CPRA regulations. Compliance teams should assess whether supplementary retention schedules or help center documentation provides the specificity required. JURISDICTION FLAGS: California CPRA regulations impose a specific disclosure obligation regarding retention periods or the criteria for determining them, applied at the category level. Colorado and Virginia also impose purpose limitation requirements that interact with open-ended retention language. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should negotiate specific retention commitments for conversation content and uploaded files in their data processing agreements, rather than relying on the open-ended retention language in the consumer privacy policy. COMPLIANCE CONSIDERATIONS: Data mapping documentation should include estimated retention windows for each data category based on operational necessity assessments. Legal teams should confirm whether the policy's anonymization fallback ('if deletion is not possible, we will securely store and isolate') is operationally implemented and documented, particularly for conversation training data that may be embedded in model weights.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify fixed retention periods for individual data categories, which means the duration for which conversation content, uploaded files, and account data may be retained is not precisely defined for users.
The policy authorizes retention of personal data including conversation content and account information for an unspecified period described as 'as long as necessary,' without stating specific timelines for individual data categories such as conversation history or uploaded files.
ConductAtlas has identified this type of provision across 134 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.