What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: The policy engages GDPR (directing EEA, UK, and Swiss users to a separate policy), CCPA and multiple U.S. state privacy statutes including Texas, Virginia, Colorado, Connecticut, and others (addressed in Section 9), and COPPA through the stated minimum age of 13. The primary enforcement authorities include the FTC for U.S. consumer protection and unfair or deceptive practices, state attorneys general for state privacy law violations, and the relevant EU data protection aut…

How does OpenAI's Privacy Policy (ROW) affect users?

Users operating under this policy grant OpenAI rights to collect and process all submitted content types for AI model training by default, with an opt-out mechanism available through the ChatGPT account settings Data Controls section. Data sharing provisions establish that user information may be transferred to third-party operators, vendors, and acquiring entities whose privacy practices may differ from OpenAI's, particularly in the context of business combinations or asset sales.

How often is OpenAI's Privacy Policy (ROW) updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Watcher subscribers ($9.99/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

CA-D-000006

Privacy Policy (ROW)

OpenAI

Last change detected March 10, 2026 Privacy policy

SHA-256: 3b160fe944be24fac66… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at OpenAI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

7 Medium severity

3 Low severity

Summary

OpenAI's Privacy Policy (ROW) establishes the data collection, processing, and sharing practices applicable to users of ChatGPT, the OpenAI API, DALL-E, and Sora. The policy authorizes OpenAI to collect and use submitted content—including conversations, uploaded files, images, audio, and video—for model training and improvement, with users able to disable the 'Improve the model for everyone' setting in Data Controls to opt out of training use. The policy permits OpenAI to share user data with third-party API operators, vendors, affiliates, and acquiring entities in connection with business transactions or asset transfers.

Technical / Legal Breakdown

This document is OpenAI's global Privacy Policy (updated February 6, 2026), governing the collection, use, and disclosure of personal data by OpenAI's consumer and API services, including ChatGPT, DALL-E, Sora, and related products, with separate versions for EEA/UK/Switzerland and U.S. users. The policy states that OpenAI collects account information (name, email, payment details), content users provide (text, files, images, audio, video), usage data (log data, device identifiers, IP addresses, browsing activity), and location information; the terms authorize use of this data for service delivery, safety monitoring, research and development, and to train AI models, with users able to opt out of training use in certain contexts. The policy authorizes disclosure of personal data to vendors, service providers, affiliates, business partners, law enforcement, and in connection with mergers or asset sales; it also permits sharing with third-party operators who deploy OpenAI's API, which means user data may flow to entities whose own privacy terms govern further processing. The policy engages GDPR for EEA/UK/Switzerland residents (directing those users to a separate policy), CCPA and multiple U.S. state privacy laws for residents of California, Texas, Virginia, Colorado, and others (addressed in a dedicated section), and COPPA with respect to the stated minimum age of 13. Material compliance considerations include the lawful basis assertions for AI training under GDPR, the adequacy of consent and opt-out mechanisms for U.S. state law purposes, and the scope of data retention tied to legal obligations and business necessity rather than fixed deletion timelines.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 7 provisions

AI Model Training Use of User Content Compare →

OpenAI states it may use conversations and content you submit on free tiers to train its AI models, but you can turn this off in account settings. Paid tiers and API usage are excluded from training use by default.

Added May 12, 2026 Common Seen across 104 platforms
Personal Data Collected

OpenAI collects your name, email, payment card details, and transaction history when you register, plus the actual content of your conversations and uploads, plus device and browser information collected automatically.

Added May 12, 2026 Rare
Disclosure to Third-Party API Operators Compare →

When you use an app built on OpenAI's technology by another company, that company has its own privacy rules and OpenAI is not responsible for how they handle your data.

Added May 12, 2026 Uncommon Seen across 22 platforms
Data Retention Compare →

OpenAI keeps your personal data for as long as it determines necessary for providing services, resolving disputes, safety, or legal compliance, without specifying a fixed retention period.

Added May 12, 2026 Standard Seen across 223 platforms
Children and Minimum Age Compare →

OpenAI's services are not intended for children under 13, and parents can request deletion of a child's data through OpenAI's privacy portal if they believe their child has submitted personal information.

Added May 12, 2026 Standard Seen across 262 platforms
Law Enforcement and Legal Disclosure Compare →

OpenAI states it may disclose your personal data to government authorities or others to comply with law, protect rights and safety, or enforce its agreements.

Added May 12, 2026 Standard Seen across 246 platforms
Additional U.S. State Privacy Rights Compare →

Residents of certain U.S. states, including California, Texas, Virginia, and others, have specific rights under state privacy laws including the right to access, delete, correct, and opt out of sale or sharing of their personal data.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 3 provisions

User Rights and Data Controls

Depending on where you live, you may have the right to access, correct, delete, or restrict use of your personal data by submitting a request through OpenAI's privacy portal.

Added May 10, 2026 Rare
Business Transaction Data Transfer Compare →

If OpenAI is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner as a business asset.

Added May 12, 2026 Standard Seen across 246 platforms
Use of Aggregated or De-identified Data Compare →

OpenAI states it may use and share data that has been stripped of direct identifiers or combined across users for any purpose, including with third parties, without restriction.

Added May 12, 2026 Standard Seen across 189 platforms