OpenAI may share your personal data with a range of third parties including technology vendors, affiliated companies, and any buyer in a corporate sale or merger.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause establishes the operational scope of data sharing beyond OpenAI's direct control, defining circumstances under which user data flows to external parties involved in service delivery, corporate operations, and organizational changes. It structures the authorization framework for data transfers that may occur during normal business operations or material corporate events.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →Your personal data including account information, conversation content, and usage data may be disclosed to vendors, affiliates, and acquirers, potentially reducing your practical control over who holds your information.
How other platforms handle this
We may share personal information with third-party service providers and partners who support our business operations, including identity verification providers, payment processors, analytics providers, marketing partners, and blockchain analytics companies.
You may elect to use or integrate platforms, add-ons, services, or products not provided by Exafunction ("Third-Party Platforms") (e.g. User IDE's, Web Search, MCP Servers) subject to your agreement with the relevant provider and not this Agreement. We do not control nor shall we have liability for ...
We receive some of the data mentioned above from third parties... If you connect your Spotify account to a third party application, service or device, we may collect and use information from them. This collection is to make the integration possible... We work with technical service partners that giv...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may share your Personal Data with third parties in the following circumstances: Vendors and Service Providers: We share your Personal Data with vendors and service providers who perform services for us, such as hosting, infrastructure, analytics, payment processing, and customer support. Affiliates: We share your Personal Data with our affiliates for purposes consistent with this Privacy Policy. Business Transfers: If we are involved in a merger, acquisition, bankruptcy, or other transaction, your Personal Data may be transferred as part of that transaction.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 13 and 14 (transparency obligations), Article 28 (processor agreements), and Article 46 (transfer mechanisms) for cross-border sharing. CCPA requires disclosure of categories of third parties with whom data is shared, which this provision partially satisfies. FTC Act Section 5 applies to representations about data sharing that are materially incomplete or misleading. (2) GOVERNANCE EXPOSURE: Medium. The policy discloses categories of recipients but does not name specific vendors or affiliates, which limits transparency and may create challenges for users seeking to exercise deletion or portability rights against downstream holders. Business transfer language is standard but creates successor liability questions regarding whether acquirers would be bound by this policy's commitments. (3) JURISDICTION FLAGS: EEA and UK users are entitled under GDPR to know the identity of recipients or categories of recipients; the categorical approach may require supplementation for full compliance. California users have CCPA rights to know and opt out of sale, though OpenAI does not characterize sharing as a 'sale.' (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise buyers should request a list of OpenAI's sub-processors and confirm that data processing agreements contain adequate representations, audit rights, and breach notification obligations consistent with GDPR Article 28. Business transfer provisions should be evaluated for whether they allow OpenAI to assign data processing obligations without user or customer notice. (5) COMPLIANCE CONSIDERATIONS: Legal teams should ensure that vendor contracts with OpenAI include appropriate data processing addenda, that sub-processor lists are monitored for changes, and that any corporate transaction notification obligations to data subjects are addressed in the event OpenAI undergoes a material ownership change.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause establishes the operational scope of data sharing beyond OpenAI's direct control, defining circumstances under which user data flows to external parties involved in service delivery, corporate operations, and organizational changes. It structures the authorization framework for data transfers that may occur during normal business operations or material corporate events.
Your personal data including account information, conversation content, and usage data may be disclosed to vendors, affiliates, and acquirers, potentially reducing your practical control over who holds your information.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.