Depending on where you live, you may have the right to access, correct, delete, or restrict use of your personal data by submitting a request through OpenAI's privacy portal.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The availability of these rights is conditional on the user's location, meaning not all users globally have the same set of enforceable rights under this policy.
The policy states that rights such as data access, deletion, correction, portability, and objection to processing are available depending on the user's location; users in the EU, UK, California, and other covered jurisdictions may have legally enforceable versions of these rights, while users elsewhere depend on OpenAI's voluntary provision of them.
Cross-platform context
See how other platforms handle User Rights and Data Controls and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on your location, you may have certain rights regarding your Personal Data, including: Access, portability, and correction of your Personal Data; Deletion of your Personal Data; Restriction of or objecting to our processing of your Personal Data; The right to not be discriminated against for exercising your privacy rights; The right to lodge a complaint with your local data protection authority. To exercise any of these rights, please visit our Privacy Portal at privacy.openai.com.— Excerpt from OpenAI's Privacy Policy (ROW)
REGULATORY LANDSCAPE: GDPR Articles 15 through 22 establish access, rectification, erasure, restriction, portability, and objection rights for EEA users, enforced by national data protection authorities; EEA users are directed to a separate policy. CCPA and CPRA establish analogous rights for California residents enforced by the California Privacy Protection Agency (CPPA) and state AG. Multiple other U.S. states have enacted similar rights statutes. The policy's use of 'depending on your location' appropriately conditions right availability on applicable law. GOVERNANCE EXPOSURE: Low to Medium. The privacy portal mechanism for rights requests is a standard operational approach. Compliance exposure arises from response time and completeness obligations under applicable statutes: GDPR requires response within one month (extendable), and CCPA requires response within 45 days (extendable by an additional 45 days). JURISDICTION FLAGS: EEA, UK, California, Texas, Virginia, Colorado, Connecticut, and other U.S. state residents have legally defined rights. Organizations processing data of individuals in these jurisdictions through OpenAI should confirm that the privacy portal mechanism satisfies applicable response and verification requirements. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers acting as data controllers must ensure they can fulfill data subject rights requests that may require corresponding requests to OpenAI as a processor. DPAs should specify cooperation obligations for rights fulfillment. COMPLIANCE CONSIDERATIONS: Compliance teams should test the privacy portal to confirm response times and completeness of rights fulfillment meet statutory requirements. Internal processes for routing data subject rights requests to OpenAI where OpenAI holds the relevant data should be documented.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The availability of these rights is conditional on the user's location, meaning not all users globally have the same set of enforceable rights under this policy.
The policy states that rights such as data access, deletion, correction, portability, and objection to processing are available depending on the user's location; users in the EU, UK, California, and other covered jurisdictions may have legally enforceable versions of these rights, while users elsewhere depend on OpenAI's voluntary provision of them.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.