OpenAI · OpenAI Privacy Policy · View original document ↗

User Content and Account Data Collection

High severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 16 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

OpenAI collects your name, email, payment details, and everything you type, upload, or provide as feedback when using its services.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The provision defines the scope of data collection practices that OpenAI implements as a condition of service operation. This establishes the informational basis for account management, billing operations, and model training or improvement activities.

Recent Activity

This document changed recently

Medium Jun 12, 2026

The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.

View change record →
Medium Jun 9, 2026

The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.

View change record →
Medium May 27, 2026

The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
May 10, 2026
First Seen
May 11, 2026
Last Seen
This clause type exists across 967 other provisions on other platforms.

Consumer impact (what this means for users)

Any information you include in a ChatGPT prompt or file upload, including health details, financial information, or personal communications, is collected by OpenAI and may be used for service improvement and, unless you opt out, model training.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    Visit privacy.openai.com to request a copy of all personal data OpenAI holds about you, including account information and any retained conversation content.

How other platforms handle this

Paramount+ Medium

"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"

Minecraft Medium

We collect data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products.

Microsoft Azure Medium

Location data. Data about your device's location, which can be either precise or imprecise. For example, we collect location data using Global Navigation Satellite System (GNSS) (e.g., GPS) and data about nearby cell towers and Wi-Fi hotspots. Location can also be inferred from a device's IP address...

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Account Information: When you create an account with us, we collect information associated with your account, including your name, contact information, account credentials, payment card information, and transaction history. Content: We collect Personal Data that is included in the input, file uploads, or feedback that you provide to our models.

— Excerpt from OpenAI's OpenAI Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Collection of payment card information engages PCI DSS compliance obligations, though these are vendor-side and not directly a GDPR or FTC issue for users. Collection of user-submitted content that may include health, financial, or other sensitive data implicates GDPR special category processing provisions and CCPA sensitive personal information categories under CPRA. The FTC Act applies to representations about how collected content is used. (2) GOVERNANCE EXPOSURE: High for enterprise use cases where employees or customers submit regulated or confidential data through OpenAI services. The policy's content collection scope is broad and does not carve out categories of sensitive data that are handled differently, which is a meaningful operational distinction from policies that explicitly exclude health or financial data from AI training pipelines. (3) JURISDICTION FLAGS: GDPR special category data provisions apply if health, political, religious, or biometric data is submitted by EEA users. HIPAA does not directly apply to OpenAI unless a Business Associate Agreement is in place with a covered entity. Illinois BIPA may apply if users submit voice data or images. (4) CONTRACT AND VENDOR IMPLICATIONS: Healthcare, legal, and financial services organizations should conduct thorough data classification assessments before allowing employees to submit regulated data through OpenAI services. Business Associate Agreements with OpenAI should be evaluated for any healthcare data use cases. (5) COMPLIANCE CONSIDERATIONS: Organizations should implement acceptable use policies restricting submission of regulated or confidential data to OpenAI; confirm that OpenAI's payment processing arrangements are PCI DSS compliant; and assess whether employee training covers the risks of submitting sensitive information in AI prompts.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority over the collection and use of consumer data under Section 5 of the FTC Act, including whether the breadth of content collection is adequately disclosed and whether practices are unfair.
    File a complaint →

Applicable regulations

EU AI Act
European Union
BIPA
Illinois, USA
California AB 2013 AI Training Data Transparency
US-CA
CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
ePrivacy Directive
European Union
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
OpenAI Privacy Policy
Entity
OpenAI
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 10, 2026
Record ID
CA-P-009770
Document ID
CA-D-00010
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
9fedd919cc6d99e951ea6b8c198d3ded6d0673342d8c265778e44a35720b9b49
Analysis generated
May 10, 2026 22:24 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Privacy Policy
Record ID: CA-P-009770
Captured: 2026-05-10 22:24:41 UTC
SHA-256: 9fedd919cc6d99e9…
URL: https://conductatlas.com/platform/openai/openai-privacy-policy/user-content-and-account-data-collection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's User Content and Account Data Collection clause do?

The provision defines the scope of data collection practices that OpenAI implements as a condition of service operation. This establishes the informational basis for account management, billing operations, and model training or improvement activities.

How does this clause affect you?

Any information you include in a ChatGPT prompt or file upload, including health details, financial information, or personal communications, is collected by OpenAI and may be used for service improvement and, unless you opt out, model training.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.