AI Privacy Basics

Does ChatGPT Use Your Data?

Key Takeaways
  • Free ChatGPT users are opted into training data use by default — their conversations can improve OpenAI's models
  • Free and Plus users can opt out in Settings → Data Controls; ChatGPT Team and Enterprise exclude conversations from training by default
  • The OpenAI API has stricter defaults: inputs and outputs are not used for training without explicit opt-in
  • Anything typed into chatgpt.com — including client data, source code, or internal reports — may be retained and reviewed by OpenAI staff
  • For organizations, the GDPR and EU AI Act exposure comes from employee use of the consumer website, not from the API
Definition

Yes — by default. When employees use chatgpt.com on a free account, their conversations can be used to train OpenAI's models and reviewed by staff. This default can be changed per user, but most employees haven't changed it. Business plans (Team, Enterprise) and the API have stricter defaults, but most employees aren't using those.

What data does ChatGPT collect?

When you use ChatGPT, OpenAI collects several categories of information. According to their privacy policy, this includes:

  • Conversation content — every message you send and every response ChatGPT returns
  • Account information — email address, name, and payment details if applicable
  • Usage data — which features you use, how often, browser and device information
  • Feedback signals — thumbs up/down ratings, regeneration requests, which responses you copy

The conversation content is the sensitive part. It’s not metadata or anonymized usage statistics — it’s the literal text you type, including any proprietary information, client details, or confidential business context you include in your prompts.

Does ChatGPT train on your conversations?

It depends on which product you’re using and whether you’ve changed your settings.

For free accounts, the answer is yes by default. OpenAI uses conversations to train and improve its models unless the user has explicitly opted out. The control is in Settings → Data Controls → “Improve the model for everyone”. That toggle is on by default, so training stays enabled until the user switches it off.

This matters because training data use means your conversations may be reviewed by OpenAI trainers, incorporated into future model versions, or used to evaluate model quality. OpenAI says they take steps to remove personal information before using data for training, but this process is not guaranteed or verifiable from the outside.

Samsung’s ChatGPT leak (2023): Engineers pasted proprietary semiconductor code and internal meeting notes into ChatGPT to debug and summarize. The data was ingested by OpenAI’s systems. Samsung subsequently banned ChatGPT for internal use. The incident was a landmark case in corporate AI data exposure — and the tool they used was the same free website millions of employees still use today.

How privacy defaults differ by plan

OpenAI offers meaningfully different privacy guarantees depending on which product you’re using. Understanding the difference is important for any organization where employees use ChatGPT.

Product              Used for training?                  Conversation retention                                DPA available?
ChatGPT Free         Yes by default; opt-out available   Stored; 30-day safety hold after deletion             No
ChatGPT Plus         Yes by default; opt-out available   Stored; 30-day safety hold after deletion             No
ChatGPT Team         No, by default                      Stored; admin controls available                      Yes
ChatGPT Enterprise   No, by default                      Stored; zero data retention option available          Yes
OpenAI API           No, by default                      30 days by default; configurable                      Yes

The gap between ChatGPT Free/Plus and the business products is significant. The consumer website has no Data Processing Agreement, no organizational controls, and no admin oversight. That’s the version most employees access when they open a browser tab and go to chatgpt.com.

What this means when employees use ChatGPT for work

The practical risk for organizations is not that OpenAI is malicious — it’s that employees on personal or free accounts are using a consumer product with consumer-grade privacy defaults to handle business data.

Three scenarios create the most exposure:

  • Client and customer data. Pasting client names, emails, project details, or other personal information into ChatGPT may breach GDPR: it discloses personal data to a third-party processor without a legal basis or a DPA in place, and may have to be handled as a reportable incident.
  • Confidential business information. Product roadmaps, financial projections, M&A discussions, or HR matters typed into a free account can be retained and reviewed by OpenAI staff.
  • Source code and IP. Developers using ChatGPT to debug proprietary code on the consumer site are sharing that code with OpenAI under terms that allow retention and review.

The issue isn’t that employees are doing something obviously wrong — ChatGPT is extremely useful. The issue is that they’re using a consumer tool with consumer terms for tasks that require business-grade privacy protections.

EU AI Act obligation: Under the EU AI Act, organizations are considered deployers of AI systems used within their operations — including tools employees adopt individually. If employees use ChatGPT without organizational oversight, this constitutes unmanaged AI deployment, which may trigger transparency and documentation requirements from August 2026.

The API vs. the website: why they’re not the same

A common misunderstanding: because OpenAI’s API doesn’t train on data by default, some assume the same is true for chatgpt.com. It isn’t.

The OpenAI API is a developer product used to build applications. It has different terms: inputs and outputs are not used for training by default, customers can sign a Data Processing Agreement, and data retention can be configured. When a company builds an internal tool on the API, they have much stronger privacy guarantees.

Chatgpt.com is a consumer product. It has different — and looser — defaults. When an employee opens a browser and visits chatgpt.com, they are not using the API. They are using a consumer product with consumer defaults, regardless of what their organization has negotiated with OpenAI.

This distinction matters enormously for risk management. An IT team saying “we have an API agreement with OpenAI” does not protect against the risk of employees using the consumer website independently.

What organizations should do

There are three concrete actions organizations can take to manage ChatGPT data risk:

  1. Know who is using what. Before you can manage ChatGPT usage, you need to know it’s happening. Browser-level monitoring tools like VetoShield show which AI tools employees use — including whether they’re accessing chatgpt.com — without reading prompt content.
  2. Define an acceptable use policy. Clearly specify which tiers of ChatGPT are approved (e.g., only Team/Enterprise accounts through the organization’s billing), which data categories may not be entered into any AI tool, and what employees should do instead.
  3. Move approved use to business plans. If ChatGPT is valuable to your team — and it likely is — the answer isn’t to ban it. It’s to provision a Team or Enterprise account, sign the DPA, and ensure employees use the approved channel rather than personal accounts.
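The inventory step above (see which surface employees reach, without reading prompt content) can be approximated from ordinary web-proxy logs. The following is an added example written for this page; it is not VetoShield's code nor anything from OpenAI. It assumes a simplified Squid-style log line (timestamp, client IP, user, method, URL, status), constructed here as sample data, and it classifies requests by hostname only: chatgpt.com and chat.openai.com as the consumer web app, api.openai.com as the API. Treat that hostname mapping as an assumption to keep current; the URL path is discarded as soon as the host is extracted so nothing resembling conversation content is retained.

```python
"""Classify outbound web-proxy log lines by which OpenAI surface they hit.

Added example (not from the original page): inventory which users reach the
consumer web app versus the API, using hostnames only, never prompt content.
"""
import re
from collections import Counter, defaultdict

# Hostname buckets. chatgpt.com / chat.openai.com are the consumer web app,
# api.openai.com is the API. Assumption: keep this mapping current; anything
# else is reported as "other".
CONSUMER_HOSTS = {"chatgpt.com", "chat.openai.com"}
API_HOSTS = {"api.openai.com"}

# Constructed sample log lines (not real traffic) in a simplified Squid-style
# format: <epoch> <client_ip> <user> <method> <url> <status>
SAMPLE_LOG = """\
1700000001 10.1.2.3 alice GET https://chatgpt.com/c/abc123 200
1700000002 10.1.2.4 bob POST https://api.openai.com/v1/chat/completions 200
1700000003 10.1.2.3 alice POST https://chatgpt.com/backend-api/conversation 200
1700000004 10.1.2.5 carol GET https://chat.openai.com/ 302
1700000005 10.1.2.6 dave GET https://example.com/ 200
1700000006 10.1.2.4 bob GET https://platform.openai.com/docs 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Pull only the host out of a URL: scheme, optional userinfo, then host.
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?(?P<host>[^/:?#]+)", re.I)


def classify_host(host: str) -> str:
    """Return 'consumer', 'api' or 'other' for a hostname (subdomains included)."""
    host = host.lower().rstrip(".")
    for bucket, hosts in (("consumer", CONSUMER_HOSTS), ("api", API_HOSTS)):
        if any(host == h or host.endswith("." + h) for h in hosts):
            return bucket
    return "other"


def parse_line(line: str):
    """Parse one log line into (user, host), or None if it does not match.

    The URL path is dropped here, so no conversation identifiers or query
    strings survive past this function.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m.group("url"))
    if not h:
        return None
    return m.group("user"), h.group("host")


def summarize(log_text: str) -> dict:
    """Count requests per user and bucket, skipping unparseable lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        counts[user][classify_host(host)] += 1
    return {user: dict(c) for user, c in counts.items()}


def consumer_users(log_text: str) -> list:
    """Users who reached the consumer web app at least once, sorted by name."""
    return sorted(u for u, c in summarize(log_text).items() if c.get("consumer"))


if __name__ == "__main__":
    for user, buckets in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user:8s} {buckets}")
    print("consumer-site users:", consumer_users(SAMPLE_LOG))
```

On the sample data, alice and carol show up as consumer-site users while bob's traffic is API and documentation only; that is exactly the split the acceptable-use policy has to act on. Real deployments would feed this from the proxy or DNS log source already in place and would need TLS SNI or HTTP CONNECT records, since an HTTPS proxy normally sees the hostname but not the path.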

The goal is to keep getting the productivity benefit while eliminating the uncontrolled data exposure that comes from free-tier, unsanctioned use.

Frequently asked questions

Does ChatGPT store your conversations?
Yes. By default, ChatGPT stores your conversation history. Free and Plus users can delete individual chats or turn off history entirely in Settings → Data Controls, but deleted conversations can be retained for up to 30 days for safety monitoring purposes.

Can you stop ChatGPT from training on your data?
Yes, with the right plan and settings. ChatGPT Free and Plus users can opt out of training data use in Settings → Data Controls. ChatGPT Team and Enterprise plans exclude conversations from training by default. The OpenAI API also does not use inputs and outputs for training by default. However, most employees using chatgpt.com are on free or personal Plus plans, so their work data may be used for training unless they have explicitly opted out.

Is ChatGPT GDPR compliant?
OpenAI has taken steps to comply with GDPR, including appointing an EU representative and offering a Data Processing Agreement (DPA). However, compliance depends on how ChatGPT is used. Using chatgpt.com for work without a DPA in place, which is what most employees do, is unlikely to satisfy GDPR requirements for processing personal data. Organizations relying on ChatGPT in workflows should ensure they have a signed DPA and are using a business plan (Team or Enterprise).

Is the OpenAI API the same as chatgpt.com?
They are fundamentally different. The OpenAI API (used by developers building applications) does not train on user data by default, and API customers can sign a Data Processing Agreement. Chatgpt.com is a consumer product with looser defaults: free users are opted into training data use unless they change their settings. When organizations build internal tools on the API, they have much stronger privacy guarantees than when employees use the website directly.