When using OpenRouter through an employer's or organization's account, your prompts, chats, and data may be logged or used for model training if your organization's administrator has enabled those settings, potentially without you receiving separate notice.
This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The terms establish that Admin Users can enable prompt logging, chat logging, and model training for all Authorized Users in their organization; individual Authorized Users may not have independent visibility into or control over these configurations.
Interpretive note: The document does not specify what disclosures OpenRouter provides directly to Authorized Users about active logging or training configurations, creating uncertainty about whether platform-level notice satisfies applicable transparency obligations.
Authorized Users in organizational accounts may have their prompts and conversations logged and potentially used for model training based on configurations set by their organization's Admin User, without necessarily receiving separate consent requests from OpenRouter directly.
Cross-platform context
See how other platforms handle Organizational Account Admin Control Over Logging and Training and similar clauses.
Compare across platforms →Monitoring
OpenRouter has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The Service allows creation of two account types: organizational accounts and individual accounts. An organizational account is managed by an administrative user ("Admin User") who can invite individuals from the Admin User's organization ("Authorized Users") to the organizational account. Authorized Users may only use the Service as configured by the Admin User, with such configurations which may include, without limitation, enabling prompt logging, chat logging, zero data retention, model training, and other settings.— Excerpt from OpenRouter's OpenRouter Terms of Service
(1) REGULATORY LANDSCAPE: This provision creates a layered data processing relationship that may engage GDPR Articles 13 and 14 (transparency obligations toward data subjects), CCPA disclosure requirements, and applicable employment privacy laws in EU member states. Where Authorized Users are employees, the employer-as-Admin-User relationship may require a separate legal basis for processing employee data, including prompt content. (2) GOVERNANCE EXPOSURE: High. The ability for Admin Users to enable model training on employee or organizational user data without individual Authorized User consent mechanisms being mandated by the platform creates potential compliance gaps under GDPR and CCPA. The document does not specify what disclosures, if any, OpenRouter provides directly to Authorized Users regarding active logging or training configurations. (3) JURISDICTION FLAGS: EU/EEA deployments create heightened exposure under GDPR, particularly where prompt logging and model training involve personal data of employees or end users. Illinois, New York, and other US states with biometric or employee privacy statutes may impose additional requirements depending on the nature of content logged. Healthcare and financial services contexts raise additional regulatory considerations if prompt content includes regulated data. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers acting as Admin Users should ensure their own privacy notices and employee agreements disclose the logging and training configurations they enable. Data processing agreements between OpenRouter and enterprise customers should address the scope of data processing authorized under organizational account settings. B2B contract review should confirm whether OpenRouter's DPA terms align with GDPR processor requirements. (5) COMPLIANCE CONSIDERATIONS: Organizations deploying OpenRouter for employees should conduct a data protection impact assessment if enabling prompt logging or model training, particularly in EU/EEA jurisdictions. Internal privacy notices should be updated to reflect any logging configurations enabled in organizational accounts. Legal teams should confirm that the model training opt-in (or opt-out) mechanism for organizational accounts is clearly documented and auditable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The terms establish that Admin Users can enable prompt logging, chat logging, and model training for all Authorized Users in their organization; individual Authorized Users may not have independent visibility into or control over these configurations.
Authorized Users in organizational accounts may have their prompts and conversations logged and potentially used for model training based on configurations set by their organization's Admin User, without necessarily receiving separate consent requests from OpenRouter directly.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.