Europe privacy policy
For individuals outside the European Economic Area, United Kingdom, and Switzerland, you can read this version of our Privacy Policy.
For individuals in the Republic of Korea, please refer to the Korea Addendum.
At OpenAI, our mission is to ensure that artificial general intelligence benefits everyone. We build tools like ChatGPT and Sora to help people learn, create, and solve problems. We at OpenAI (together with our affiliates, “OpenAI”, “we”, “our” or “us”) are committed to respecting your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to personal data that we collect from or about you, and how we use it when you use our website, applications, and services (collectively, “Services”).
This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our API. Our use of that data is governed by our customer agreements covering access to and use of those offerings.
For information about how we collect and use training information to develop our language models that power ChatGPT and other Services, and your choices with respect to that information, please see this policy as well as this help center article(opens in a new window).
We collect personal data relating to you (“Personal Data”) as follows:
Personal Data You Provide: We collect Personal Data if you create an account to use our Services or communicate with us as follows:
- Account Information: When you create an account with us, we will collect information associated with your account, including your name, contact information, account credentials, date of birth, payment information, and transaction history, (collectively, “Account Information”). Some of our Services may also allow you to upload a profile picture, a username, or other information as part of your Account Information.
- User Content: We collect Personal Data that you provide in the input to our Services (“Content”), including your prompts and other content you upload, such as files(opens in a new window), images(opens in a new window), audio and video(opens in a new window), Sora characters(opens in a new window), and data from connected services(opens in a new window), depending on the features you use. Some of our Services allow you to interact with other users, such as post, comment, or send messages, and we treat those interactions as Content, too.
- Communication Information: If you communicate with us, such as via email or our pages on social media sites, we may collect Personal Data like your name, contact information, and the contents of the messages you send (“Communication Information”).
- Contact Data: If you choose to connect your device contacts, we upload information from your device address books and check which of your contacts also use our Services. If any of your contacts aren’t yet using our Services, we’ll update you if they sign up for our Services later. Learn more(opens in a new window) about connecting your contacts and how we use uploaded contact information(opens in a new window) of people who don’t use our Services.
- Other Information You Provide: We collect other information that you provide to us, such as when you participate in our events or surveys, or when you provide us or a vendor operating on our behalf with information to establish your identity or age (collectively, “Other Information You Provide”).
Personal Data We Receive from Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions:
- Log Data: We collect information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.
- Usage Data: We collect information about your use and activity across the Services, such as the types of content that you view or engage with, the features you use and the actions you take, when you submit feedback to a model response, the people with whom you interact, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection. If you use the Atlas browser we may also collect your browser data according to your controls(opens in a new window) and use of the service.
- Device Information: We collect information about the device you use to access the Services, such as the name of the device, operating system, device identifiers, and browser you are using. Information collected depends on the type of device you use and its settings.
- Location Information: We determine the general area from which your device accesses our Services based on information like its IP address for security reasons and to make your product experience better, for example to protect your account by detecting unusual login activity or to provide more accurate responses. In addition, some of our Services allow you to choose to provide more precise location information from your device, such as location information from your device’s GPS.
- Cookies and Similar Technologies: We use cookies and similar technologies to operate and administer our Services, and improve your experience. We store some of the information described in this Policy with cookies, for example to help maintain your preferences across sessions if you’re not logged in, or to assist with authentication and customer support. For details about our use of cookies, please read our Cookie Notice.
Information We Receive from Other Sources: We receive information from other sources, such as our trusted security and safety partners to protect safety and prevent fraud, abuse, and other threats to our Services, and from marketing vendors who provide us with information about potential customers of our business services.
We also collect information from other sources, like information that is publicly available on the internet, to develop the models that power our Services. For more information on the sources of information used to develop the models that power ChatGPT and other Services, please see this help center article(opens in a new window).
We use Personal Data for the following purposes:
- To provide, analyse, and maintain our Services, for example to respond to your questions for ChatGPT;
- To improve and develop our Services and conduct research, for example to develop new features;
- To personalize and customize your experience across our Services, for example to provide you with more relevant Content;
- To communicate with you, including to respond to your questions, and send you information about our Services and events, for example about changes or improvements to the Services;
- Identify your contacts who use our Services when you choose to connect your contacts and update you if they join our Services later;
- To prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and Services, including by monitoring any Content submitted or exchanged on our platforms (learn more here); and
- To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, OpenAI, or third parties, for instance to prevent harm to you or others, or to estimate your age to give you an age-appropriate experience.
We also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.
As noted above, we may use Content you provide us to improve our Services, for example to train the models that power ChatGPT. Read our instructions(opens in a new window) on how you can opt out of our use of your Content to train our models.
We disclose your Personal Data in the following circumstances:
- Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we disclose Personal Data to vendors and service providers, including providers of hosting services, customer service vendors, cloud services, content delivery services, support and safety services, email communication software, web analytics services, payment and transaction processors, search and shopping providers, and information technology providers. We also work with service providers who help us with age and identity verification, and you can learn more here(opens in a new window). Based on our instructions, these parties will access, process, or store Personal Data only in the course of performing their duties to us.
- Business Transfers: If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a “Transaction”), your Personal Data may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
- Government Authorities or Other Third Parties: We may share your Personal Data, including information about your interaction with our Services, with government authorities, industry peers, or other third parties in compliance with the law (i) if required to do so to comply with a legal obligation, or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, users, or the public, or (vi) to protect against legal liability.
- Affiliates: We disclose Personal Data to our affiliates, meaning an entity that controls, is controlled by, or is under common control with OpenAI. Our affiliates may use this Personal Data in a manner consistent with this policy.
- Business Account Administrators: When you join a ChatGPT Enterprise or business account, the administrators of that account may access and control your OpenAI account, including being able to access your Content. In addition, if you create an account using an email address belonging to your employer or another organization, we may share the fact that you have an account and certain account information, such as your email address, with your employer or organization to, for example, enable you to be added to their business account.
- Parent or Guardian of a Teen: Teen users and their parents or guardians can choose to link their accounts, allowing the parent or guardian to manage certain settings, and receive alerts if we detect a serious safety concern. These accounts can be unlinked at any time. Learn more(opens in a new window) about account linking.
- Other Users and Third Parties You Interact or Share Information With: Certain Services allow you to interact or share information with other users or third parties. For example, you can share content like ChatGPT conversations(opens in a new window) or Sora videos(opens in a new window) and characters(opens in a new window), or share information with third-party search(opens in a new window) and shopping(opens in a new window) partners. Information you share with third-party partners is governed by their own terms and privacy policies, and you should make sure you understand those terms and policies before sharing information with them.
We also aggregate or de-identify Personal Data so that it no longer identifies you and share it with third parties for the purposes described above, such as to help improve our Services.
We’ll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data depends on the type of data, how we use it, and in many cases your settings:
- Information we retain until you delete it: Some of our Services allow you to delete Personal Data stored in your account. For example, you can delete specific, or all, of your ChatGPT conversations, delete specific Saved Memories(opens in a new window), or delete your account. Once you choose to delete Personal Data, we will remove it from our systems within 30 days unless we need to retain it for longer as described below, or it has already been de-identified and disassociated from your account when you allow us to use your Content to improve our models(opens in a new window).
- Information we delete automatically: In some cases, Personal Data will be deleted automatically. For example, Temporary Chats(opens in a new window) will be automatically deleted within 30 days (unless we have to retain them for safety or legal reasons, as described further below), and your Atlas incognito browsing history(opens in a new window) won’t be saved after you end your session.
- Information we retain for longer for legitimate security, safety, or legal reasons: In some cases, we need to retain Personal Data for longer even after you delete it, for example because we are legally required to, to address fraud and abuse, for security reasons, or for financial record-keeping purposes. For instance:
- If specific Content, or your account, is banned because of violations of our usage policies, we may retain that data for to protect our services from fraud, abuse, or other violations of our policies;
- If we are legally required to retain your data (for instance, we receive a lawful subpoena) then we may retain it for the duration of the relevant legal or regulatory obligation;
- When we are a party to a financial transaction (for instance, when we process your payment for a ChatGPT Plus or Pro account, or facilitate a purchase on ChatGPT), we may retain payment and transaction related information to meet our accounting, dispute resolution, and regulatory compliance purposes;
- When you ask us to delete your Personal Data, we retain the audit record of the erasure request to be able to verify that we have complied with the request.
In determining these retention periods, we consider a number of factors, such as:
- Our purpose for processing the Personal Data (such as whether we need to retain it to provide our Services);
- The amount, nature, and sensitivity of the information;
- The potential risk of harm from unauthorized use or disclosure;
- Any legal requirements that we are subject to.
Our Services provide you with a number of controls over your Personal Data and how it is used and retained. You can always change these settings in your account. These include the following controls:
- You can easily choose whether your Content can be used to improve and train our models(opens in a new window).
- You can decide whether we will remember details between chats to make Content more personalized and relevant.
- You can export your ChatGPT history and data in your account’s data controls.
- You can delete or archive chats in ChatGPT, or delete your account entirely.
- If you enable Temporary Chat(opens in a new window) in ChatGPT, those conversations with ChatGPT will not appear in your history or be used to improve OpenAI’s models.
- Depending on applicable law, you may be able to choose which cookies are used when you use our Services.
- You can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.
- If you use the Atlas browser, you can delete your browsing history or choose to browse the web in incognito mode, which helps keep your browsing private from other people who use your device.
- You can unsubscribe from marketing communications you receive from us by using the choices provided in those communications.
You can find more information on data controls here(opens in a new window) and by visiting privacy.openai.com(opens in a new window).
You have the following statutory rights in relation to your Personal Data:
- Access your Personal Data and information relating to how it is processed.
- Delete your Personal Data from our records.
- Rectify or update your Personal Data.
- Transfer your Personal Data to a third party (right to data portability).
- Restrict how we process your Personal Data.
- Withdraw your consent—where we rely on consent as the legal basis for processing.
- Lodge a complaint with your local data protection authority (see below).
You have the following rights to object:
- Object to our processing of your Personal Data for direct marketing.
- Object to how we process your Personal Data when our processing is based on legitimate interests.
You can exercise some of these rights through your OpenAI account using the tools described in the Data controls section. If you are unable to exercise your rights through your account, please submit your request through privacy.openai.com(opens in a new window) or send it to dsar@openai.com.
We hope that we are able to address any questions or concerns you may have. If you have any unresolved complaints with us or our Data Protection Officer:
- If you reside in the European Economic Area, you can reach out to the Irish Data Protection Commission(opens in a new window) as our lead supervisory authority, or your local supervisory authority(opens in a new window);
- If you reside in the UK, you can reach out to the Information Commissioner's Office(opens in a new window);
- If you reside in Switzerland, you can reach out to the Federal Data Protection and Information Commissioner(opens in a new window).
A note about accuracy: Services like ChatGPT generate responses by reading a user’s request and, in response, predicting the words most likely to appear next. In some cases, the words most likely to appear next may not be the most factually accurate. For this reason, you should not rely on the factual accuracy of output from our models. If you notice that ChatGPT output contains factually inaccurate information about you and you would like to request a correction or removal of the information, you can submit these requests through privacy.openai.com or to dsar@openai.com, and we will consider your request based on applicable law and the technical capabilities of our models.
For information on how to exercise your rights with respect to data we have collected from the internet to train our models, please see this notice(opens in a new window).
Our Services are not directed to, or intended for, children under 13. We do not knowingly collect Personal Data from children under 13. If you have reason to believe that a child under 13 has provided Personal Data to OpenAI through the Services, please email us at privacy@openai.com. We will investigate any notification and, if appropriate, delete the Personal Data from our systems. Users under 18 must have permission from their parent or guardian to use our Services. Learn more(opens in a new window) about how teens and parents or guardians can choose to link their accounts.
We implement commercially reasonable technical, administrative, and organizational measures designed to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you provide to the Services. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.
Purpose of processing | Type of Personal Data processed, depending on the processing activity | Legal basis, depending on the process activity |
To provide, analyse, and maintain our Services For example,
|
| Where necessary to perform a contract with you, such as processing your prompts and other Content to provide a response. |
To personalise and customise your experience across our Services for you. For example,
|
| Where necessary to perform a contract with you, such as following your Custom Instructions to respond to your prompts. Where necessary for our legitimate interests and those of third parties to provide you with a better user experience. For example, to personalise features and content or make suggestions for topics that you may be interested in. Where necessary to comply with a legal obligation (or, where not under a specific legal obligation, where necessary for our legitimate interests and those of third parties), such as to provide you with an age-appropriate experience. |
To improve and develop our Services, and conduct research For example,
|
| Where necessary for our legitimate interests and those of third parties and broader society, including in developing and improving our Services, such as when we train and improve our models for everyone. See here(opens in a new window) for more information. |
To communicate with you, including to send you information about our Services and events, and to promote our Services to you.
|
| Where necessary to perform a contract with you, such as processing your contact information to send you a technical announcement about the Services. Your consent when we ask for it to process your Personal Data for a specific purpose that we communicate to you, such as processing your contact information to send you certain forms of marketing communications. Where necessary for our legitimate interests and those of third parties, for example when sending surveys to ask for feedback. |
To identify your contacts who use our Services when you choose to connect your contacts, and to update you if they join our Services later. |
| Where necessary to perform a contract with you when you choose to connect your contacts on our Services. Where necessary for our legitimate interests and those of third parties, to enable you to connect your contacts and collaborate with people you may know on our Services. |
To prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and Services For example,
|
| Where necessary to comply with a legal obligation. Where we are not under a specific legal obligation, where necessary for our legitimate interests and those of third parties, including in protecting our Services from abuse, fraud, or security risks, such as processing data from trusted partners to protect against fraud, abuse and security threats in our Services. |
To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, OpenAI, or third parties For example,
|
| Where necessary to comply with a legal obligation, such as retaining billing information to comply with financial requirements. Where we are not under a specific legal obligation, where necessary for our legitimate interests and those of third parties and broader society, including in protecting our or our affiliates’, users’, or third parties’ rights, safety, and property, such as analyzing log data to identify fraud and abuse in our Services. When necessary to protect the vital interests of you or another person, for example when teen safety alerts are triggered. |
OpenAI processes your Personal Data on servers located outside of the EEA, Switzerland and the UK for the purposes described in this policy. This includes processing and storing your Personal Data in our facilities and servers in the United States or in countries or territories where our affiliates and partners or our vendors and service providers are located. While data protection law varies by country and these countries may not offer the same level of data protection as your home country, we apply the protections described in this policy to your Personal Data regardless of where it is processed. When transferring Personal Data outside of the EEA, Switzerland or the UK, we rely on valid transfer mechanisms to comply with applicable data protection law, such as:
- We rely on the European Commission’s adequacy decisions(opens in a new window) and the UK Secretary of State’s adequacy regulations pursuant to Article 45(1) EU and UK GDPR (“GDPR”) when transferring your Personal Data to any country that has been considered to provide an adequate level of protection.
- For other jurisdictions, we rely on the Standard Contractual Clauses as approved by the European Commission pursuant to Article 46(2)(c) GDPR (“SCCs”) and on the UK International Data Transfer Addendum to the SCCs.
For more information or to obtain a copy of the appropriate safeguards we have in place when transferring Personal Data, please contact us at privacy@openai.com.
We may update this policy from time to time. When we do, we will publish an updated version and effective date on this page, unless another type of notice is required by applicable law.
If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, is the controller and is responsible for the processing of your Personal Data as described in this policy.
If you live anywhere else, OpenAI OpCo, LLC, with its registered office at 1455 Third Street, San Francisco, California 94158, United States, is the controller and is responsible for the processing of your Personal Data as described in this policy.
Please contact support(opens in a new window) if you have any questions or concerns not already addressed in this policy. Alternatively, you can write to us at privacy@openai.com or the address above under Section # (Data Controller).
You can contact our Data Protection Officer at dpo@openai.com in matters related to Personal Data processing.