OpenAI collects your name, email, payment details, and everything you type, upload, or provide as feedback when using its services.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision defines the scope of data collection practices that OpenAI implements as a condition of service operation. This establishes the informational basis for account management, billing operations, and model training or improvement activities.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →Any information you include in a ChatGPT prompt or file upload, including health details, financial information, or personal communications, is collected by OpenAI and may be used for service improvement and, unless you opt out, model training.
How other platforms handle this
Real-time Personalization: Even without a trigger such as a keystroke or user prompt input, requests are made in the background to build context, understand developer intent, or scan for potential next steps. Ahead-of-time Personalization: To build state on the existing codebases and other data sour...
User content, such as prompts, photos, images, music, videos, audio, screen sharing, comments, questions, messages, works of authorship, and other content or information that you, or third parties acting on your behalf, input, generate, transmit, upload, or submit to us as part of a contest or live ...
"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Account Information: When you create an account with us, we collect information associated with your account, including your name, contact information, account credentials, payment card information, and transaction history. Content: We collect Personal Data that is included in the input, file uploads, or feedback that you provide to our models.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: Collection of payment card information engages PCI DSS compliance obligations, though these are vendor-side and not directly a GDPR or FTC issue for users. Collection of user-submitted content that may include health, financial, or other sensitive data implicates GDPR special category processing provisions and CCPA sensitive personal information categories under CPRA. The FTC Act applies to representations about how collected content is used. (2) GOVERNANCE EXPOSURE: High for enterprise use cases where employees or customers submit regulated or confidential data through OpenAI services. The policy's content collection scope is broad and does not carve out categories of sensitive data that are handled differently, which is a meaningful operational distinction from policies that explicitly exclude health or financial data from AI training pipelines. (3) JURISDICTION FLAGS: GDPR special category data provisions apply if health, political, religious, or biometric data is submitted by EEA users. HIPAA does not directly apply to OpenAI unless a Business Associate Agreement is in place with a covered entity. Illinois BIPA may apply if users submit voice data or images. (4) CONTRACT AND VENDOR IMPLICATIONS: Healthcare, legal, and financial services organizations should conduct thorough data classification assessments before allowing employees to submit regulated data through OpenAI services. Business Associate Agreements with OpenAI should be evaluated for any healthcare data use cases. (5) COMPLIANCE CONSIDERATIONS: Organizations should implement acceptable use policies restricting submission of regulated or confidential data to OpenAI; confirm that OpenAI's payment processing arrangements are PCI DSS compliant; and assess whether employee training covers the risks of submitting sensitive information in AI prompts.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision defines the scope of data collection practices that OpenAI implements as a condition of service operation. This establishes the informational basis for account management, billing operations, and model training or improvement activities.
Any information you include in a ChatGPT prompt or file upload, including health details, financial information, or personal communications, is collected by OpenAI and may be used for service improvement and, unless you opt out, model training.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.