Users in the European Union have additional rights under GDPR including the right to object to processing, restrict processing, and lodge complaints with a supervisory authority.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision creates an operational framework for OpenAI to comply with GDPR obligations applicable to EU residents. This establishes formal procedures and institutional responsibilities for data subject access requests and related regulatory requirements.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →If you are in the EU, you can object to certain data processing activities, request restriction of processing, and file a formal complaint with your country's data protection authority if you believe your rights have been violated.
How other platforms handle this
If you are located in the European Economic Area (EEA) or United Kingdom, the data controller for your personal information is Twitter International Unlimited Company. If you are located outside of the EEA, United Kingdom, and Switzerland, the data controller is X Corp. You have the right to access,...
If you are located in the European Economic Area, you have certain rights under the General Data Protection Regulation. These include the right to access personal information we hold about you, to rectify inaccurate data, to erase your data, to restrict processing, to object to processing, and to da...
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data, the right to restrict or object to processing, and where processing is based on consent, the right to withdraw consent at any time. California resi...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
The EU privacy addendum engages GDPR Articles 15-22 (data subject rights), Article 6 (lawful bases), and Article 77 (supervisory authority complaints); legal teams must ensure data subject request processes meet GDPR's 30-day response requirement.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Search "[your state] attorney general consumer complaint" to find your state's direct complaint form
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision creates an operational framework for OpenAI to comply with GDPR obligations applicable to EU residents. This establishes formal procedures and institutional responsibilities for data subject access requests and related regulatory requirements.
If you are in the EU, you can object to certain data processing activities, request restriction of processing, and file a formal complaint with your country's data protection authority if you believe your rights have been violated.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.