Staying compliant starts with understanding the privacy rules of the platforms you rely on. This guide breaks down the key policies of major players — from Facebook and other social platforms to Zoom and ChatGPT. It provides clear information to help you align with platform-specific privacy requirements.

OpenAI ChatGPT privacy policy: requirements for business services

ChatGPT has quickly become a household name, with the platform’s weekly active users surging past 400 million in February 2025. 

While individuals use the large language model (LLM) for everything from drafting emails to planning dinner menus, businesses are also integrating the technology into their workflows. 

Many companies use ChatGPT Team or ChatGPT Enterprise plans, which connect them to business data to help teams work more efficiently. Others use the OpenAI API (application programming interface) to build AI-powered features like search or chatbots directly into their own products. 

In August 2025, OpenAI, the company behind ChatGPT, announced it had more than 5 million paying business users.

If your business uses these services, you could be sharing employees’ or customers’ personal data with the platform. In those cases, ChatGPT’s privacy policy would not apply; that document applies only to personal data collected by ChatGPT from individual users. 

Instead, any personal data shared by a business is covered by the OpenAI Services Agreement and its Data Processing Addendum (DPA).

In this guide, we look at what personal data OpenAI may collect from your business, how this data may be used, and your potential obligations under various data protection regulations.

What personal data does OpenAI collect?

OpenAI’s services agreement and DPA don’t provide a definitive list of what personal data is collected. Exhibit A of the DPA — which is used to describe categories of data that may be transferred internationally — gives the clearest indication of what OpenAI might collect.

These categories include:

  • Name
  • Contact information
  • Demographic information
  • Any other information a user provides in unstructured form

There are two types of data that may contain this information:

  • Customer data refers to personal data that your business provides to OpenAI, and that OpenAI processes on your behalf to deliver services.
  • Business data includes the inputs and outputs from ChatGPT Team, ChatGPT Enterprise, and the API Platform (as well as ChatGPT Edu).

This data is collected from several sources.

Account setup for Team and Enterprise users

If your business uses ChatGPT Team or Enterprise, OpenAI may collect employee information necessary to register and manage their accounts under your organization’s workspace. For example, when your company purchases Enterprise licenses, each employee is provided with their own account. OpenAI collects data such as employees’ names and email addresses.

Chats and integrations

Employees using ChatGPT Team or Enterprise might share personal data with OpenAI. This data can come directly from messages they write or from third-party software integrations. 

For example, if you connect your account to customer relationship management (CRM) software and it sends customer data into a chat, OpenAI will receive and temporarily collect that information.

API calls

Whether OpenAI collects personal data through the API depends entirely on what your product sends and receives. If users’ API inputs or the resulting outputs include personal data, OpenAI will receive and temporarily process that information. If neither the API inputs nor outputs contain personal data, OpenAI will not receive any.

How does OpenAI use personal data?

OpenAI acts as a data processor under its DPA, which means it processes customer data under your instructions and on your behalf. The DPA outlines that this processing must be handled:

  • Only for the purpose of delivering and supporting its services, including analytics, reporting, trust and safety monitoring, and abuse detection
  • In compliance with your documented instructions
  • In a manner that provides at least the level of privacy protection required by applicable data protection laws
  • If legally required beyond these purposes, after OpenAI notifies you of this requirement, unless prohibited by law

Importantly, OpenAI states that it does not use business data for model training or improvement unless you explicitly opt in.

OpenAI may process de-identified or aggregated data to improve service functionality, provided that this data cannot be linked back to individuals or used to reidentify customers. Businesses may permit or instruct OpenAI to process customer data in de-identified, anonymized, or aggregated form, subject to US privacy laws.

Organizational data, company name, industry type, or internal policies are not by themselves ordinarily considered personal data under many global data protection regulations. 

However, business data, which is defined as inputs and outputs, may include employees’ or customers’ personal data, in which case it is protected.

OpenAI may run business data through automated content classifiers and safety tools. These tools generate metadata about the content but do not contain the original business data itself.

Business data is subject to human review only under certain conditions. Access to business data is limited and depends on the service being used:

  • For ChatGPT Enterprise, authorized OpenAI employees may access conversations only to resolve incidents, help recover user conversations with your explicit permission, or where required by law
  • For ChatGPT Team and OpenAI API, access is restricted to specific scenarios:
    • OpenAI employees may access stored data for engineering support, to investigate potential abuse, or for legal compliance
    • In some cases, third-party contractors — who are subject to confidentiality and security obligations — may review conversations to identify misuse or abuse

Does ChatGPT save user data?

Yes, OpenAI saves user data, but for how long and under what conditions depends on the specific service being used and whether it is customer data or business data.

OpenAI API

Business data is retained for a maximum of 30 days for abuse monitoring before being deleted, unless legal obligations require more time. Businesses with a qualifying use case can also request zero data retention (ZDR) for eligible API endpoints.

Customer data is retained for the duration of your service agreement.

ChatGPT Enterprise

Your workspace administrators control how long business data or conversation history is retained. Any business data in deleted conversations will be removed from OpenAI’s systems within 30 days, unless retention is legally required.

Customer data is retained for the duration of your service agreement.

The DPA states that OpenAI may continue to process de‑identified, anonymized, or aggregated versions of customer data after it’s no longer considered personal data under applicable laws and cannot identify individuals.

ChatGPT Team

Individual end users control how long conversation history is retained by choosing whether or not to save their chats. Any business data in conversations that are deleted or unsaved will be removed from OpenAI’s systems within 30 days, unless retention is legally required.

Customer data is retained for the duration of your service agreement.

As with Enterprise, the DPA states that OpenAI may continue to process de‑identified, anonymized, or aggregated versions of customer data after it’s no longer considered personal data under applicable laws and cannot identify individuals.

Who does OpenAI share personal data with?

OpenAI may share personal data with third-party sub-processors to support the delivery and operation of its business services. According to the DPA, these sub-processors may carry out specific processing activities on OpenAI’s behalf or to help the company fulfill its contractual obligations to customers.

These sub-processors support several functions, including:

  • Cloud infrastructure: Providers that supply the servers, storage, and computing resources OpenAI uses to host and operate its services
  • Data warehousing: Services that store and manage large volumes of structured or unstructured data to support processing, retrieval, and analytics
  • Customer support: Companies that help respond to user questions, resolve technical issues, and assist with account or service-related inquiries
  • Content moderation: Vendors that review and filter content to meet safety, legal, or policy standards
  • User authentication: Services that verify user identities to manage secure access and protect accounts

According to the OpenAI Law Enforcement User Data Request Policy, OpenAI may also be required to disclose personal data to law enforcement authorities in response to a legally binding request. In those cases, OpenAI must notify the business unless it is legally prohibited from doing so. OpenAI states that it does not initiate such disclosures and shares data only when required in order to comply with legal obligations.

Additionally, certain OpenAI group entities may access customer data while providing technical or operational support. These affiliate companies are based in the United States, Ireland, the United Kingdom, and Japan.

Are you required to have a privacy policy when using ChatGPT Team, Enterprise, or OpenAI API?

While OpenAI’s terms do not directly state that you must have a privacy policy, you do need one to fulfill contractual requirements and legal obligations.

The OpenAI Service Agreement requires your business to obtain and maintain all necessary consents from your end users to allow OpenAI to provide services. Fulfilling this requirement means you are responsible for making the disclosures needed to obtain consent. That includes informing users how their personal data will be handled, both by your organization and by OpenAI.

Further, the DPA requires you to comply with applicable data protection laws, many of which mandate that businesses publish a privacy policy. Most also include an obligation of transparency, which requires you to inform users about your data practices in a way that is easy to understand. You can do this through a clear, accessible privacy policy that’s prominently linked, e.g. from your website footer or app menu.

How to align your privacy policy with data protection laws and OpenAI’s privacy practices

If your business uses ChatGPT Team, Enterprise, or the OpenAI API, your privacy policy must explain how those uses affect your employees’ or customers’ personal data. 

Below is a non-exhaustive checklist of what to include in a privacy policy.

  • Describe what personal data your business collects and uses, how it shares that data with OpenAI, and for what purposes. Note that OpenAI may use the data according to the DPA.
  • Disclose that personal data sent to OpenAI may be shared with third parties, such as its sub-processors and affiliate companies.
  • Summarize the rights users have under applicable data privacy laws and how they can exercise those rights.
  • Explain OpenAI’s policies on data retention, including how long personal data is stored and the conditions under which it is deleted.
  • Provide contact details for users who have questions or concerns about your data practices. If you have a Data Protection Officer (DPO) or another designated privacy contact, include their information.

Your privacy policy must be written in simple, clear language that is easy to understand. It should be easily accessible, such as through a link in your website’s footer or within your application’s menu.

Finally, keep your privacy policy up to date. You are responsible for keeping it current and reflective of any changes to your data practices, OpenAI’s terms, or applicable privacy laws.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.