ChatGPT and its developer, OpenAI, have received heavy criticism from governments, privacy experts, and users who are concerned about its data retention policies. So, what does the AI chatbot really know about you, and what is it using this information for?

Let’s take a look at its privacy policy and terms of service to find out what it knows and how much of a privacy risk it poses to you.

What Information Does ChatGPT Store?

A conversation with ChatGPT in which it says OpenAI keeps some personal data.

ChatGPT’s privacy policy tells us almost everything we need to know about its data retention habits. It gathers its information from three sources:

  • Account information that you enter when you sign up or pay for a premium plan.
  • Information that you type into the chatbot itself.
  • Identifying data it pulls from your device or browser, like your IP address and location.

Most of the data that it keeps isn’t particularly alarming. In fact, it’s pretty standard—you could expect almost any site you have an account with to know these things about you.

The real risk is that it collects data from your conversations with ChatGPT. When you’re using the AI, it’s extremely easy to feed it your private information by mistake. All you need to do is forget to censor a document that you ask it to proofread, and you could be in real trouble.

Your Account and Billing Information

OpenAI stores your name, contact details, login credentials, payment information, and transaction records. It only keeps the latter if you sign up for a premium account. This information is basic, and you can expect almost any website with which you have an account to collect it from you.

If you email the company or reach out to its customer support, it records your name, email address, and the content of your message. Similarly, it records your social media contact details and any personal information you share if you leave a comment on its social pages.

Your Device Information

ChatGPT's service garners some personal information automatically from your device and browser. This includes your IP address, location, browser type, and the date and time that you start using ChatGPT as well as the length of your session. ChatGPT also retrieves your device’s name and operating system.

OpenAI uses cookies to track your browsing activity both in the chat window and on its site. It claims to use this information for analytics and to find out exactly how you interact with ChatGPT.

Information That You Put Into the Chat

A conversation with ChatGPT in which it says OpenAI stores the text of conversations.

ChatGPT records and stores transcripts of your conversations. This means any information you put into the chat, including personal information, is logged. It’s easy to fall into the trap of accidentally giving ChatGPT your private details without realizing it until it’s too late, especially if you use it to proofread personal or professional documents.

Using ChatGPT for your work gets a little more dangerous because it will store confidential information that you type in about the company you work for, your employees, and your clients. For example, if you use it to collate feedback and organize it into a report, you might unknowingly give it your customers’ contact details.

The privacy policy states that if you intend to enter personal data into the chat, you need to provide the people involved with adequate privacy notices. You also need to obtain their consent, and be able to show OpenAI that you are processing this data within the law. Further, if you’re entering information defined as private according to GDPR, you must contact OpenAI to execute its Data Processing Addendum.

Does ChatGPT Record Your Conversations?

Yes, ChatGPT records everything you type into it. Its privacy policy states that when you use ChatGPT, it may collect personal information from your messages, any files you upload, and any feedback you provide. That makes ChatGPT a cybersecurity risk too.

It also states that your conversations may be reviewed by its AI trainers to improve the chat and train the system further. So, your personal data is not only compromised, but used for the advantage of OpenAI.

It should be noted, however, that OpenAI allows users to retain a degree of control over their privacy. This is mostly due to the changes the company made in April 2023, when it introduced a new feature to ChatGPT. This feature allows users to disable chat history easily, via the settings menu (Settings > Data controls > Chat history & training).

In an OpenAI announcement made at the time, it was stated that, when chat history is disabled, the company only retains conversations for 30 days. After 30 days, the conversations are deleted permanently. Conversations are only reviewed when they need to be monitored for abuse and inappropriate behavior.

Who Can See My ChatGPT Data?

A conversation with ChatGPT in which it admits AI trainers can see our logs.

Your personal information is available to a surprising number of people and entities. In its privacy policy, OpenAI states that it shares this data with:

  • Vendors and service providers.
  • Other businesses.
  • Affiliates.
  • Legal entities.
  • AI trainers who review your conversations.

OpenAI gives very vague information about who it shares your data with, and for what reason. It says it may provide your personal information to vendors and service providers to assist in meeting business needs and performing certain functions. These providers include web hosting services, cloud services, other IT providers, event managers, email services, and analytics services.

Other parts are more straightforward. OpenAI will share your data with other businesses that it is involved with during transactions, reorganization, bankruptcy, or receivership. It may further share your data with law enforcement agencies in order to protect other users, the public, or itself against legal liability.

OpenAI claims it may disclose your information to companies with which it is affiliated too. It doesn’t say much more about this, other than that its affiliates must obey its privacy policy when handling your data.

And finally, OpenAI’s training staff will review your conversations and use them to improve the AI. They also ensure that what you’re saying in your chats complies with the company’s policies. If you enter personal information into the chatbot, the trainers can see it.

Will Regulatory Pressure Force OpenAI to Take Privacy More Seriously?

In May 2023, Italy banned ChatGPT for allegedly violating the GDPR. The ban has since been lifted, but regulatory bodies around the world have put pressure on OpenAI, demanding more transparency and accountability.

In May that same year, the privacy authorities for Canada, Quebec, British Columbia and Alberta agreed to investigate OpenAI to determine whether its flagship product gathers data in accordance with the law. In a joint OPC statement, the agencies explained that they aim to investigate how and why ChatGPT gathers data, whether it respects its "obligations" in regard to transparency, and if it obtains "meaningful consent" from users.

And in July 2023, news broke that the United States was investigating OpenAI as well. Per The Washington Post, the Federal Trade Commission (FTC) launched a probe to determine if OpenAI violated existing consumer protection laws by gathering information from the internet, and also to investigate the claims that ChatGPT spreads "false, misleading, disparaging or harmful" information.

The FTC also asked OpenAI to explain the security incident that took place in March 2023, when a bug in the system allowed some users to see others' chat history and payment information. In response, OpenAI CEO Sam Altman said in a social media post that his company would work with the agency, but stressed that ChatGPT follows the law.

It's more than likely that governments across the globe will launch similar investigations into ChatGPT in the future, and it remains to be seen if this will have an impact on OpenAI's approach to user privacy.

ChatGPT: Friend or Foe?

ChatGPT and OpenAI collect a lot of information about you. Some of the data it collects, like your account details and device information, is pretty normal. Most sites do this.

However, it also collects any personal information you enter into the chatbot. This is a real privacy risk. To make things worse, it makes this information available to its AI trainers.

You don’t need to give up using ChatGPT entirely, but you must take steps to protect yourself. Most importantly, you need to remove any private information from your prompts before you hit submit.