Skip to main content
OpenAI

Published: July 9, 2026

ChatGPT Sites Data Processing Addendum

This DPA applies to users of ChatGPT Plus, Pro, and other services for individuals, where your published ChatGPT Site collects Personal Data.

If you are using ChatGPT Enterprise, Business, or other services for businesses and developers, you can review this DPA, or the DPA signed between your organization and OpenAI, for information about how OpenAI processes personal data on your behalf to provide the Services, including ChatGPT Sites.


This ChatGPT Sites Data Processing Addendum ("DPA") supplements, and is incorporated into, the ChatGPT Sites Terms and the other terms, policies and service terms that together govern your use of the Services (the “Agreement”). It applies where OpenAI processes Personal Data collected by your published ChatGPT Site to host, maintain and support your ChatGPT Site. To be clear, this DPA does not apply to your use of ChatGPT in creating or editing a ChatGPT Site, including to your prompts, files, or other content you provide in your conversations with ChatGPT. This DPA is entered into between you and OpenAI OpCo, LLC, unless you are based within a European Economic Area country or Switzerland, in which case it is entered into with OpenAI Ireland Ltd ("OpenAI"). Capitalized terms are defined in Section 6, or elsewhere in this DPA In this DPA, OpenAI and you are each referred to as a "Party" and collectively as the "Parties." You represent that you are lawfully able to enter into this DPA and, if you are entering into the DPA for an entity, that you have legal authority to bind that entity. By using the Services to publish and host a ChatGPT Site that collects Personal Data from end-users of your ChatGPT Site, you agree to this DPA.

1. Details

  • 1.1 Scope and Roles. As part of providing the Services to you under the Agreement, OpenAI may Process Personal Data on your behalf. This will be the case if your published ChatGPT Site collects any Personal Data, for example by allowing end-users to log into or create an account, or post or upload content, or if your ChatGPT Site collects Personal Data using cookies or similar technologies. In this DPA, this Personal Data is referred to as “Hosted Data”, because OpenAI hosts this Personal Data on your behalf. OpenAI processes Hosted Data as a Data Processor on your behalf, and this DPA governs such Processing. 
  • 1.2 Details of Processing. OpenAI will only Process Hosted Data for the purposes of delivering the Services to you under the Agreement and this DPA. Details regarding the nature, duration, as well as the types of Hosted Data and categories of Data Subjects involved, are set out in Schedule 1 (Details of Processing) to this DPA. OpenAI and you each agree to comply with their respective obligations under Data Protection Laws in connection with the Services.

2. OpenAI Obligations

  • 2.1 Your Instructions. The Parties agree that this DPA and the Agreement, as well as any instructions and prompts provided via the Services, the settings and configurations in the Services, and other tools made available by OpenAI within the Services, constitute your documented instructions regarding OpenAI's Processing of Hosted Data ("User Instructions"). OpenAI will process Hosted Data to host, maintain and support your published ChatGPT Site only in accordance with User Instructions, unless required to do so by applicable law to which OpenAI is subject, in which case OpenAI will inform you of this requirement prior to processing unless legally prohibited from doing so.
  • 2.2 Notices to you. OpenAI will promptly inform you in writing if, to OpenAI’s knowledge and opinion, a Customer Instruction violates Data Protection Laws. OpenAI will, to the extent legally permitted, inform you if OpenAI receives a legally binding request for disclosure of Hosted Data by a law enforcement authority.
  • 2.3 Confidentiality. OpenAI will ensure that all persons authorized by OpenAI to process Hosted Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 2.4 Data Subject Requests. OpenAI will, to the extent legally permitted, inform you if OpenAI receives a request to exercise data subject rights pursuant to Data Protection Laws ("Data Subject Request") in respect of Hosted Data. OpenAI will not respond to any such request without your prior written authorization, except that you authorize OpenAI to redirect Data Subject Requests as necessary to allow you to respond directly. Taking into account the nature of the processing, OpenAI will assist you by implementing appropriate technical and organizational measures, in so far as this is possible, to allow you to respond to Data Subject Requests.
  • 2.5 Security. OpenAI will implement and maintain reasonable and appropriate organizational and technical security measures to protect Hosted Data, as set forth in the Agreement.
  • 2.6 Assistance to you. OpenAI will, taking into account the nature of the Processing and the information available to OpenAI, provide reasonable assistance to you to help you comply with your obligations under Data Protection Laws including, where appropriate, the preparation of data protection impact assessments with respect to OpenAI's Processing of Hosted Data and, where necessary, your consulting with a supervisory authority with jurisdiction over such Processing, if such consultation is required by Data Protection Laws.
  • 2.7 Personal Data Breaches. OpenAI will notify you without undue delay after becoming aware of any Personal Data Breach. OpenAI will provide reasonable assistance to you to help you comply with your obligations under Data Protection Laws in respect of such Personal Data Breach.
  • 2.8 Assessing Compliance. If you have reasonable grounds to suspect OpenAI has not complied with its obligations under this DPA and applicable Data Protection Laws grant you a right of audit, then you have the following rights to audit OpenAI: 
    • 2.8.1 On written request and and no more than once per year, we will provide you with a summary of the audit reports relevant to OpenAI's compliance with this DPA and other such information necessary to demonstrate compliance with OpenAI's obligations under this DPA. OpenAI will be entitled to charge a nominal fee for providing information under this Section 2.8.1; 
    • 2.8.2 If the information provided under Section 2.8.1 is not sufficient for you to demonstrate compliance with your own obligations under Data Protection Laws, you may request further information and/or an inspection by a suitable and qualified auditor bound by appropriate obligations of confidentiality, at your own expense. OpenAI will reasonably consider any such request and how we might accommodate you without jeopardizing the confidentiality of our other customers’ and users’ information. 

All results and documentation obtained from OpenAI under this Section 2.8, including the results of any audits or inspections, shall be the confidential information of OpenAI. 

  • 2.9 Engagement of Sub-processors. You hereby provide a general authorization to OpenAI to engage the Sub-Processors listed in the Sub-Processor List to process Hosted Data in connection with the Services. OpenAI will notify you of any changes to the Sub-Processor List via blog post, notification within the Services or other reasonable means, or via email if you subscribe to email notifications on the Sub-Processor List site. You may object to the use of such additional Sub-Processor within 30 days of receiving notice of the change by following the instructions set forth in the Sub-Processor List or by contacting privacy@openai.com. In such case, OpenAI will work with you to address your concerns. If the objections have not been resolved to the satisfaction of the Parties within 30 days of OpenAI's receipt of your objection notice, then either Party may terminate the Agreement or the affected Services that cannot be provided without the use of the new Sub-Processor. In such case, you will be refunded any applicable pre-paid fees to the extent they cover periods or terms following the date of such termination.
  • 2.10 Sub-Processor obligations. OpenAI shall enter into contractual arrangements with each Sub-Processor that impose on them obligations comparable to those imposed on OpenAI under this DPA. Subject to the limitations of liability included in the Agreement, OpenAI will remain liable for the acts and omissions of its Sub-Processors to the same extent OpenAI would be liable under this DPA if it performed such acts or omissions itself.
  • 2.11 Data Return or Deletion. Following expiry or termination of the Agreement, OpenAI will, at your instruction, return or delete Hosted Data and existing copies, unless retention of Hosted Data is required under applicable laws, in which case OpenAI will isolate and protect it from any further processing except to the extent required by applicable laws.

3. Your Obligations

  • 3.1 Notices and authorizations. You represent, warrant and covenant that you have provided all necessary notices, and have and shall maintain throughout the Term all necessary rights, consents and authorizations, to the extent required under Data Protection Laws, to provide the Hosted Data to OpenAI and to authorize OpenAI to process Hosted Data in connection with the Agreement, including this DPA.
  • 3.2 Cooperation. You shall reasonably cooperate with OpenAI to assist OpenAI in performing any of its obligations under applicable Data Protection Laws.
  • 3.3 Configurations. Without prejudice to OpenAI's security obligations in Section 2.5 of this DPA, you acknowledge and agree that you are responsible for certain configurations and design decisions for the Services and for implementing such configurations and design decisions (e.g., retention periods, deletion, etc.) in a manner that complies with applicable Data Protection Laws.

4. International Data Transfers

  • 4.1 EEA and Swiss Data. Hosted Data processed by OpenAI under this DPA may fall within the scope of the Data Protection Laws of the European Economic Area or Switzerland ("EEA and Swiss Data"). Regardless of the OpenAI applicable contracting Party under this DPA, you hereby instruct OpenAI Ireland Limited to process any EEA and Swiss Data in compliance with this DPA. To the extent OpenAI Ireland Limited transfers EEA and Swiss Data to other OpenAI affiliates or third parties outside the European Economic Area or Switzerland to provide the Services, it will do so on the basis of agreements containing SCCs that ensure appropriate safeguards for the protection of Hosted Data are in place or an adequacy decision issued by the European Commission under Article 45 GDPR.
  • 4.2 UK Data. Hosted Data processed by OpenAI under this DPA may fall within the scope of the Data Protection Laws of the United Kingdom ("UK Data"). Regardless of the OpenAI applicable contracting Party under this DPA, you hereby instruct OpenAI OpCo, LLC to process any UK Data in compliance with this DPA and with the SCCs as amended by the UK Addendum, which are deemed entered into (and incorporated into this DPA by this reference) and completed as described in Schedule 1.

5. Further Requirements

To the extent U.S. Privacy Laws apply:

  • 5.1 OpenAI agrees to (a) not provide you with monetary or other valuable consideration in exchange for Hosted Data from you, and, for the avoidance of doubt, the Parties acknowledge and agree that you have not "sold" (as such term is defined by U.S. Privacy Laws) Hosted Data to OpenAI; (b) not "sell" (as such term is defined by U.S. Privacy Laws) or "share" (as such term is defined by the CCPA) Personal Data; (c) to the extent that you permit or instruct OpenAI to process Hosted Data subject to U.S. Privacy Laws in a deidentified form as part of the Services, OpenAI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in that form and not attempt to re-identify the information, except as may be permitted by U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Sub-Processors, contractually obligate any such recipients to comply with the requirements of this provision (c)(i)-(iii); and (d) where the Hosted Data is subject to the CCPA (i) not retain, use, disclose, or otherwise process Hosted Data except as necessary for the business purposes specified in the Agreement, including without limitation as set out in Schedule 1 of this DPA; (ii) not retain, use, disclose, or otherwise process Hosted Data in any manner outside of the direct business relationship between OpenAI and you; (iii) not combine any Hosted Data with Personal Data that OpenAI receives from or on behalf of any other third party or collects from OpenAI's own interactions with individuals, provided that OpenAI may so combine Hosted Data for a purpose permitted under the CCPA if directed to do so by you or as otherwise permitted by the CCPA; (iv) notify you without undue delay if OpenAI determines that it can no longer meet its obligations under the CCPA; and (v) if you reasonably believe that OpenAI's Processing of Hosted Data is not consistent with the requirements of the CCPA and upon your reasonable notification of the same to OpenAI, the Parties will work together in good faith to remedy the issue, or, if after working together you reasonably determine that the issue cannot be remedied, OpenAI will stop Processing the affected Hosted Data upon written instruction from you.
  • 5.2 You agree to not take any action that would (a) render the provision of Hosted Data to OpenAI a "sale" under U.S. Privacy Laws or a "share" under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (b) render OpenAI not a "service provider" under the CCPA or "processor" under U.S. Privacy Laws.

6. Definitions

Data Controller” has the meaning assigned to the term "controller" (or another analogous term) under Data Protection Laws.

Data Processor” has the meaning assigned to the term "processor" (or another analogous term) under Data Protection Laws.

Data Protection Laws” means data privacy and data protection laws applicable to OpenAI's processing of Hosted Data in connection with the Services.

Data Subject” has the meaning assigned to the term "data subject" (or another analogous term) under Data Protection Laws.

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

Hosted Data” means any Personal Data which is collected by your ChatGPT Site after it is published.

Personal Data” has the meaning assigned to the term "personal data" or "personal information” (or another analogous term) under Data Protection Laws.

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Hosted Data stored, transmitted or otherwise processed by OpenAI, its Sub-Processors, or any other third parties acting on OpenAI's behalf.

Processing” has the meaning assigned to the term "processing" (or another analogous term) under Data Protection Laws.

SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on June 4, 2021 (as may be amended, updated or replaced from time to time).

Sub-Processors” means the sub-processors engaged by OpenAI to process Hosted Data in connection with the Services, listed in the Sub-Processor List.

Sub-Processor List” means the list available at the following address https://platform.openai.com/subprocessors.(opens in a new window)

UK Addendum” means the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.

U.S. Privacy Laws” means the subset of Data Protection Laws applicable to residents of the United States, including without limitation the California Consumer Privacy Act ("CCPA").

Schedule 1

Details of Processing

  • 1. Nature and Purpose:
    • The hosting, maintenance and support of your published ChatGPT Site.
  • 2. Duration:
    • The Term and such time as is required thereafter for the Parties to perform their applicable obligations following the end of the Term, including data deletion.
  • 3. Categories of Hosted Data:
    • Personal Data provided by end-users of your ChatGPT Site (for example text, images, videos or other content posted or uploaded to your ChatGPT Site).
    • Personal Data generated through end-users’ use of your ChatGPT Site (for example log data, usage data, device information and data collected through cookies and similar technologies). 
  • 4. Categories of data subjects:
    • End-users of your ChatGPT Site; and
    • Third Parties whose personal data is provided by end-users in connection with their use of your ChatGPT Site.
  • 5. Sensitive data transferred (if applicable):
    • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
    • Sensitive data may be processed on your instructions, where this data is provided by an end-user. OpenAI will only process this sensitive data on your instructions.
  • 6. Frequency:
    • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
    • Continuous basis depending on your use of the Services
  • 7. Transfers to Sub-Processors:
    • As per Article 2.9 of the DPA, Sub-Processors will Process Hosted Data as necessary to perform the Services. Such Processing will be for the duration of the Agreement, unless otherwise agreed in writing.
  • 8. SCCs information for the transfer of UK Data under Section 4.2:
    • 8.1 Module Two (Controller to Processor) of the SCCs apply as follows: (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 2.9 of the DPA; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are hereby removed; (v) In Clause 17 (Option 1), the SCCs will be governed by the laws of England and Wales; (vi) In Clause 18(b), disputes will be resolved before the courts of England and Wales; (vii) This Schedule 1 contains the information required in Annex I and Annex III of the SCCs; (viii) Section 2.5 (Security) of the DPA contains the information required in Annex II of the SCCs; and, (ix) the competent supervisory authority is the Information Commissioner's Office ("ICO").
    • 8.2 Data exporter(s): you; Data importer(s): OpenAI OpCo, LLC, 1455 3rd Street, San Francisco, CA 94158, Data Protection Officer, privacy@openai.com.