If you live in the EU or UK, you have formal legal rights to see, correct, delete, and export your OpenAI personal data, and to object to how it is processed.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause operationalizes statutory obligations under GDPR and UK data protection law by explicitly enumerating the mechanisms through which EEA and UK users may exercise their rights against the controller, thereby establishing OpenAI's procedural framework for handling data subject requests.
The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.
View change record →The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.
View change record →The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.
View change record →EEA and UK users can submit requests to access or delete their OpenAI data by contacting dsar@openai.com, with OpenAI obligated under GDPR to respond within one month of the request.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the EEA or UK, you have the following rights under applicable data protection law: Access: You can request a copy of the personal data we hold about you. Correction: You can ask us to correct inaccurate data. Deletion: You can ask us to delete your personal data. Portability: You can request a machine-readable copy of your personal data. Restriction: You can ask us to restrict how we process your personal data. Objection: You can object to our processing of your personal data. Withdrawing consent: You can withdraw your consent at any time where we rely on consent as our legal basis.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: This provision reflects obligations under GDPR Articles 15-22 and the UK GDPR. Enforcement authorities include national Data Protection Authorities in each EU member state and the UK Information Commissioner's Office (ICO). OpenAI's lead supervisory authority in the EU is the Irish Data Protection Commission (DPC). Failure to honor data subject rights requests within statutory timeframes (one month, extendable by two months) constitutes a violation subject to regulatory action. (2) GOVERNANCE EXPOSURE: Medium. The policy discloses the rights but does not specify response timeframes or detail the process for verifying requester identity, which are operationally significant. Incomplete or delayed responses to data subject requests are a leading source of DPA complaints and regulatory investigations. (3) JURISDICTION FLAGS: All EEA member states and the UK are within scope. The Irish DPC is the lead supervisory authority for GDPR purposes given OpenAI's EU establishment. UK ICO jurisdiction applies separately post-Brexit. Non-EEA users (including US users) are not guaranteed these rights under the policy, though CCPA provides analogous rights for California residents. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers who route their users' data through OpenAI must ensure their own privacy notices accurately describe OpenAI's data subject rights mechanisms, and their data processing agreements with OpenAI should address how user data subject requests are handled at the sub-processor level. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that OpenAI's DSAR intake and response process is operationally compliant, including identity verification procedures, response tracking, and escalation paths to the Irish DPC; they should also verify that deletion requests result in removal from training data pipelines to the extent technically feasible.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause operationalizes statutory obligations under GDPR and UK data protection law by explicitly enumerating the mechanisms through which EEA and UK users may exercise their rights against the controller, thereby establishing OpenAI's procedural framework for handling data subject requests.
EEA and UK users can submit requests to access or delete their OpenAI data by contacting dsar@openai.com, with OpenAI obligated under GDPR to respond within one month of the request.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.