The agreement establishes that organizational accounts are controlled by an Admin User who configures service settings for all Authorized Users within the organization, including enabling or disabling prompt logging, chat logging, zero data retention, and model training at the organizational level.
This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision delegates data handling configuration, including prompt logging and model training enablement, to organizational Admin Users rather than to individual Authorized Users. The data handling posture of Authorized Users, including whether their prompts are logged or used for model training, is determined by Admin User settings rather than individual consent.
Interpretive note: The terms do not specify whether OpenRouter acts as a data processor or controller for organizational prompt data, and the legal obligations flowing from Admin User configuration choices depend on applicable jurisdiction and data protection framework.
Under this clause, Authorized Users operating under an organizational account have their prompt logging, chat logging, and model training settings determined by the Admin User's configuration rather than their own preferences. Individual Authorized Users may also create separate individual accounts to access the service with independent settings.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
OpenRouter has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"The Service allows creation of two account types: organizational accounts and individual accounts. An organizational account is managed by an administrative user ("Admin User") who can invite individuals from the Admin User's organization ("Authorized Users") to the organizational account. Authorized Users may only use the Service as configured by the Admin User, with such configurations which may include, without limitation, enabling prompt logging, chat logging, zero data retention, model training, and other settings.— Excerpt from OpenRouter's OpenRouter Terms of Service
1) REGULATORY LANDSCAPE: The delegation of prompt logging and model training configuration to Admin Users may engage GDPR Article 28 (processor obligations) and Article 29 (processing under the authority of the controller) for EU-resident users, as well as CCPA obligations for California residents whose prompts may be logged and used for model training. Employers enabling prompt logging for employee accounts may have additional obligations under applicable employment privacy laws. The EU AI Act may impose obligations on how training data is handled depending on model classification. 2) GOVERNANCE EXPOSURE: High for enterprise deployments. Organizations that deploy OpenRouter under organizational accounts and enable prompt logging or model training for Authorized Users bear responsibility for ensuring that this data handling is consistent with their privacy policies, employee agreements, and applicable data protection law. The broad configuration authority granted to Admin Users without described individual consent mechanisms creates compliance exposure for organizations in privacy-regulated jurisdictions. 3) JURISDICTION FLAGS: EU and EEA organizations face the highest exposure given GDPR requirements for lawful basis of processing and data subject rights. Illinois BIPA may be relevant if biometric data is processed, though this is unlikely in a text-based AI context. California CCPA creates disclosure and opt-out obligations if personal information in prompts is used for model training. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations should obtain a Data Processing Agreement from OpenRouter before enabling prompt logging or model training in organizational accounts, particularly for EU deployments. The terms do not describe whether OpenRouter acts as a processor or controller for organizational prompt data, which is a material gap for GDPR compliance assessments. Vendor due diligence should clarify OpenRouter's data processing role and sub-processor disclosures. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit which Admin User configurations are active for their organizational accounts, particularly prompt logging and model training. Data protection impact assessments may be required for EU deployments where these features are enabled. Employee privacy notices should be reviewed to ensure they cover AI prompt data processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision delegates data handling configuration, including prompt logging and model training enablement, to organizational Admin Users rather than to individual Authorized Users. The data handling posture of Authorized Users, including whether their prompts are logged or used for model training, is determined by Admin User settings rather than individual consent.
Under this clause, Authorized Users operating under an organizational account have their prompt logging, chat logging, and model training settings determined by the Admin User's configuration rather than their own preferences. Individual Authorized Users may also create separate individual accounts to access the service with independent settings.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.