ChatGPT Privacy Policy

This privacy policy describes how ChatGPT collects, uses, stores, and protects your personal information. It applies to all users of the ChatGPT platform, including the web interface, mobile applications, desktop applications, and API services. We are committed to transparency about our data practices and to protecting your rights under applicable data protection laws.

Last updated: April 2, 2026. Effective date: April 2, 2026.

Privacy Commitments at a Glance

ChatGPT collects account information, usage data, and conversation content to provide and improve the service. Data in transit is encrypted with TLS 1.3; data at rest with AES-256. The platform complies with GDPR, CCPA, and ISO 27001. Users can disable chat history to prevent conversations from being used for model training. You have the right to access, correct, delete, and export your data. Conversations with history disabled are retained for 30 days for abuse monitoring, then permanently deleted. Enterprise and Team plans offer additional data controls including retention policies and data processing agreements. ChatGPT does not sell personal information to third parties.

Information We Collect

Three categories of data: account information, usage data, and conversation content.

Account Information

When you create a ChatGPT account, we collect your name, email address, date of birth, and authentication credentials. If you use social sign-on (Google, Microsoft, or Apple), we receive a token confirming your identity from the provider but do not receive or store your third-party password. If you subscribe to a paid plan, we collect billing information including payment card details (processed by our payment provider, not stored on our servers), billing address, and transaction history.

Usage Data

We automatically collect technical information when you use ChatGPT, including IP address, browser type and version, operating system, device type, screen resolution, referring URL, pages visited, time spent on each page, feature usage patterns, error logs, and session identifiers. This data helps us maintain service reliability, identify and fix technical issues, and understand how users interact with the platform. Usage data is collected through server logs, cookies, and similar tracking technologies.

Conversation Content

ChatGPT processes the text, images, files, and voice input you submit during conversations. When chat history is enabled, conversation content is stored on our servers and may be used to improve our models through training, subject to the controls described in this policy. When chat history is disabled, conversations are retained for 30 days solely for abuse and safety monitoring, then permanently deleted. Conversations are never used for model training when history is disabled.

We strongly recommend that you do not share sensitive personal information — such as government identification numbers, financial account details, medical records, or passwords — in ChatGPT conversations. While we implement strong security controls, conversations are processed by AI models and stored on cloud infrastructure. Treat ChatGPT as you would any cloud service when deciding what information to share.

Information from Third Parties

If you access ChatGPT through an enterprise workspace, your organization's administrator may provide employment information and access permissions. If you use ChatGPT integrations (such as Zapier, Slack, or Microsoft 365 Copilot), those platforms may share data necessary to process your requests. We receive only the data needed to fulfill the specific integration function.

How We Use Your Information

Each data type serves specific purposes. We do not use your data beyond what is described here.

To provide the service. We use your account information to authenticate your identity, manage your subscription, and deliver ChatGPT functionality. Conversation content is processed in real time to generate AI responses. Usage data enables us to route requests to appropriate servers and maintain service availability.

To improve the service. When chat history is enabled, anonymized and aggregated conversation data may be used to train and improve AI models. This training process helps ChatGPT generate more accurate, helpful, and safe responses over time. You can opt out of training use at any time by disabling chat history in Settings > Data Controls. Enterprise and Team plans default to training opt-out.

For safety and compliance. We monitor for usage policy violations, including attempts to generate illegal content, harassment, spam, and other prohibited activities. Conversations flagged for review may be examined by trained safety reviewers. We retain abuse monitoring data as required by law and to protect the safety of our users and the public.

For communication. We use your email address to send account-related notifications (password resets, billing receipts, security alerts) and, with your consent, product updates and educational content. You can unsubscribe from non-essential communications at any time using the unsubscribe link in any email.

For analytics. Aggregated, de-identified usage data helps us understand platform performance, identify popular features, and prioritize development work. This data is never re-identified or linked back to individual users.

Data Retention

How long we keep your data depends on the data type and your account settings.

Account information is retained for as long as your account is active plus 30 days after deletion to allow for account recovery. After the recovery period, account data is permanently deleted from primary systems within 90 days. Backup systems may retain encrypted copies for up to 180 days before complete purging.

Conversation content with history enabled is retained indefinitely unless you delete specific conversations or your entire account. You can delete individual conversations at any time through the sidebar interface.

Conversation content with history disabled is retained for 30 days for abuse monitoring, then permanently deleted. This data is never used for model training.

Usage data is retained in identifiable form for 90 days, after which it is aggregated and de-identified. Aggregated analytics data may be retained indefinitely for trend analysis and service improvement.

Billing information is retained for the duration required by applicable tax and financial reporting regulations (typically 7 years in the United States). Payment card numbers are stored by our payment processor, not on our servers.

Safety review data — conversations flagged for policy violations — may be retained for up to 2 years to support ongoing safety research and legal compliance.

Your Rights Under GDPR

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation.

Right of access. You can request a copy of all personal data we hold about you. We will provide this data in a structured, commonly used, machine-readable format within 30 days of receiving your verified request.

Right to rectification. You can request correction of inaccurate personal data. Account information can be updated directly in your profile settings. For data corrections that cannot be made through the interface, contact our support team.

Right to erasure. You can request deletion of your personal data. This right is subject to legal retention requirements and legitimate interests (such as abuse prevention). Account deletion removes your profile, conversation history, and associated data according to the retention schedule described above.

Right to restriction of processing. You can request that we limit how we process your data while a dispute is resolved or while we verify an erasure request.

Right to data portability. You can request your data in a portable format to transfer to another service. We provide data exports in JSON format.

Right to object. You can object to processing based on legitimate interests, including processing for model training. Disabling chat history effectively exercises this right for conversation content.

Right to withdraw consent. Where processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us through the contact page or email our Data Protection Officer. We will respond to verified requests within 30 days. The legal basis for processing varies by data type: contract performance (account and service data), legitimate interest (analytics and safety), and consent (training and marketing). Supervisory authority for GDPR matters can be contacted through the relevant national data protection authority. The FTC COPPA page provides additional information on children's privacy protections applicable in the United States.

Your Rights Under CCPA

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act.

Right to know. You can request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share data.

Right to delete. You can request deletion of personal information we have collected, subject to exceptions for legal compliance, security, and completing transactions you initiated.

Right to opt out of sale. ChatGPT does not sell personal information as defined by CCPA. We do not exchange personal data for monetary consideration. If our practices change, we will update this policy and provide an opt-out mechanism.

Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights. You will receive the same service quality, pricing, and access regardless of your privacy choices.

Right to correct. You can request correction of inaccurate personal information held about you.

Right to limit use of sensitive information. Where applicable, you can request that we limit use and disclosure of sensitive personal information to purposes necessary for providing the service.

California residents can submit CCPA requests through our contact page. We verify requests using your account email address and may ask for additional verification for sensitive requests. Authorized agents may submit requests on your behalf with proper documentation.

Cookies and Tracking Technologies

What we use, why we use it, and how you control it.

Essential cookies are required for ChatGPT to function. They manage authentication sessions, remember your login state, and route requests to appropriate servers. These cookies cannot be disabled without breaking core functionality.

Analytics cookies help us understand how users interact with the platform — which features are used most, where users encounter errors, and how navigation flows work. These cookies collect aggregated, de-identified data. You can disable analytics cookies through your browser settings or through the cookie consent banner displayed on first visit.

Preference cookies remember your settings — theme (light/dark), language preference, and interface customizations. Disabling these cookies means your preferences will not persist between sessions.

ChatGPT does not use advertising cookies or tracking pixels. We do not serve ads on the platform and do not share cookie data with advertising networks. Local storage and session storage are used for temporary application state (conversation drafts, UI state) and are cleared when you close your browser or manually clear site data.

Third-Party Data Sharing

Limited sharing with specific categories of service providers, never for advertising.

Infrastructure providers. ChatGPT runs on cloud infrastructure provided by Microsoft Azure. Your data is processed on Azure servers in data centers located in the United States, with additional regional processing as needed. Microsoft's role is limited to infrastructure provision — they do not access conversation content for their own purposes under the terms of our data processing agreement.

Payment processors. Subscription payments are processed by third-party payment providers who receive billing information necessary to complete transactions. Payment processors are PCI DSS compliant and do not receive conversation content or usage data.

Authentication providers. If you use Google, Microsoft, or Apple SSO, the respective provider confirms your identity through OAuth tokens. We do not share conversation data with authentication providers.

Legal requirements. We may disclose personal information if required by law, subpoena, court order, or government regulation. We may also disclose data to protect the rights, safety, or property of our users, the public, or our organization. Where legally permissible, we will notify affected users of such disclosures.

ChatGPT does not sell personal information to third parties. We do not share data with data brokers, advertising networks, or marketing platforms. We do not provide conversation content to any third party for purposes unrelated to operating the ChatGPT service.

Children's Privacy

Age requirements and COPPA compliance for users under 18.

ChatGPT is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take immediate steps to delete that information from our systems.

Users between 13 and 18 years of age may use ChatGPT with parental or guardian consent. The platform includes content filtering and safety mechanisms designed to reduce exposure to inappropriate content, though no filtering system is perfectly effective. Parents and guardians are encouraged to supervise their children's use of AI tools.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent children's privacy regulations in other jurisdictions. If you believe a child under 13 has created an account or provided personal information, contact us immediately through the contact page for prompt deletion.

International Data Transfers

How we protect your data when it crosses borders.

ChatGPT primarily processes data in the United States. If you are located outside the United States, your data is transferred to and processed in the United States. We implement appropriate safeguards for international transfers in compliance with applicable law.

For transfers from the European Economic Area, United Kingdom, and Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures. These measures include encryption of data in transit and at rest, access controls limiting personnel who can access personal data, and regular security assessments.

Enterprise customers may request region-specific data processing arrangements. Data Processing Agreements (DPAs) are available for Enterprise and Team plan customers. DPAs specify the scope of data processing, technical and organizational security measures, sub-processor lists, and audit rights. Contact the sales team for DPA inquiries.

Data Security

Technical and organizational measures protecting your information.

ChatGPT implements comprehensive security controls certified under SOC 2 Type II and ISO 27001 standards. Data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. Access to production systems is restricted to authorized personnel using multi-factor authentication and role-based access controls.

We conduct regular security assessments including penetration testing, vulnerability scanning, and code review. Our incident response plan includes procedures for detecting, containing, investigating, and remediating security incidents. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities within the timeframes required by law (72 hours under GDPR).

While we implement industry-standard security measures, no system is completely immune to security threats. We cannot guarantee absolute security of your data. We encourage users to enable two-factor authentication, use strong unique passwords, and review our security page for recommended account protection practices.

Data Processing Agreement Availability

For organizations that require formal data processing commitments.

ChatGPT offers Data Processing Agreements (DPAs) to Enterprise and Team plan customers. Our DPA covers the scope and purpose of data processing, types of personal data processed, categories of data subjects, obligations and rights of the data controller, sub-processor management, data breach notification procedures, data deletion upon contract termination, audit rights, and international transfer mechanisms.

The DPA incorporates Standard Contractual Clauses for international transfers and specifies technical and organizational measures aligned with ISO 27001 and SOC 2 Type II requirements. To request a DPA, contact the sales team through the contact page or reach out to your account representative.

Changes to This Privacy Policy

How we notify you of updates and your options when policies change.

We may update this privacy policy periodically to reflect changes in our data practices, legal requirements, or service features. When we make material changes, we will notify you through one or more of the following methods: an in-app notification, an email to your registered address, or a prominent notice on the ChatGPT platform.

We encourage you to review this policy periodically. Your continued use of ChatGPT after the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree with changes to the policy, you may delete your account at any time through Settings.

Previous versions of this policy are available upon request through the contact page.

Contact Information

How to reach us about privacy matters.

For privacy-related inquiries, data access requests, or questions about this policy, contact us through the following channels:

General privacy inquiries: Use the contact page and select "Privacy" as the topic.
Data protection officer: Available for GDPR-related matters. Contact through the contact page with "DPO" in the subject line.
Phone: (415) 735-9800 (Monday through Friday, 9 AM to 6 PM Pacific Time).
CCPA requests: California residents may submit verifiable consumer requests through the contact page.

We aim to respond to all privacy inquiries within 30 days. Complex requests may require additional time, in which case we will notify you of the extension and the reason for it.

Related Trust and Security Resources

Additional information about how ChatGPT protects your data and ensures safe AI use.