This is OpenAI's privacy policy explaining what data they collect when you use ChatGPT and other OpenAI products, and how they use it. The single most important thing to know is that OpenAI may use the content of your conversations, prompts, and uploaded files to train its AI models unless you actively opt out — this means what you type to ChatGPT could influence future AI behavior. You can opt out of having your conversations used for AI training by going to Settings > Data Controls in your ChatGPT account and turning off 'Improve the model for everyone'.
This document is OpenAI's global Privacy Policy (updated February 6, 2026), governing the collection, use, and disclosure of personal data across OpenAI's services including ChatGPT, the API, and related products, with legal bases varying by jurisdiction (consent, legitimate interests, contractual necessity, and legal obligation). The policy creates obligations for OpenAI to provide data subject rights (access, deletion, correction, portability, and objection) and imposes on users implicit consent to broad data collection including conversation content, device identifiers, usage logs, location data, and — notably — audio, images, and biometric-adjacent data when users interact with voice and vision features. A particularly notable provision permits OpenAI to use user-submitted content (including conversations) to train and improve its AI models, which deviates from industry norms in scope and creates reidentification risk when model outputs reflect training data. The policy engages GDPR (for EEA/UK/Switzerland users via a separate policy version), CCPA and multiple U.S. state privacy statutes (California, Virginia, Colorado, Connecticut, Texas, Montana, Oregon, Nevada), COPPA (children under 13 excluded), and the FTC Act Section 5; material compliance considerations include the adequacy of consent mechanisms for training data use, the lawfulness of cross-context behavioral tracking, and the sufficiency of data retention disclosures for enterprise API consumers.
(1) REGULATORY EXPOSURE: This policy engages GDPR Arts. 6, 9, 13, 17, 20, and 22 (for EEA/UK/CH users addressed under a separate policy version), CCPA §§1798.100–1798.199 and equivalent statutes in V…
(1) REGULATORY EXPOSURE: This policy engages GDPR Arts. 6, 9, 13, 17, 20, and 22 (for EEA/UK/CH users addressed under a separate policy version), CCPA §§1798.100–1798.199 and equivalent statutes in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA),…
Compliance intelligence locked
Regulatory exposure, material risk, and due diligence action items.