How long does OpenAI take to fully purge backups and third-party copies after an account is closed?
Executive summary
OpenAI’s public materials and reporting indicate a standard “up to 30 days” retention window for many API and ChatGPT deleted conversations, though there are notable exceptions (e.g., Operator data up to 90 days and judicial/legal holds that can force indefinite retention) [1] [2] [3]. Enterprise contracts and the Data Processing Addendum allow customers to instruct deletion or isolation of data after termination, but also note that copies may be retained when required by law [4].
1. “Thirty days” is the baseline—but it’s not universal
OpenAI’s public guidance and multiple summaries describe a default retention period of up to 30 days for API inputs/outputs and deleted ChatGPT conversations: the enterprise privacy page explicitly states API inputs and outputs may be retained for up to 30 days and deleted after that unless legal reasons apply [1]. Journalistic reporting repeated that deleted chats are generally removed within 30 days absent legal or security reasons [3]. That 30‑day figure appears repeatedly in documentation, community discussion and third‑party summaries [5] [6].
2. Product quirks and longer windows: Operator and other exceptions
Not all OpenAI products follow the 30‑day baseline. TechCrunch reported that Operator — OpenAI’s agent tool — may keep deleted Operator data for up to 90 days, explicitly longer than ChatGPT’s typical 30‑day window [2]. Expert and community posts also note product-by-product differences [7] [8]. The practical takeaway: retention timing depends on which service and endpoint you used [1] [5].
3. Legal holds and litigation can override deletion timelines
OpenAI has been subject to court orders that required indefinite preservation of some consumer ChatGPT and API data; OpenAI said it returned to standard practices after the specific order ended but confirmed limited historical data from April–September 2025 would be stored securely [9]. Reporting on appeals and legal fights also describes an active dispute around retention requirements and how they interact with OpenAI’s policies [3]. The point: legal obligations can and do supersede normal deletion processes [9] [3].
4. Enterprise contracts and Zero Data Retention change the rules
For business customers, OpenAI’s enterprise documentation and DPA allow different arrangements: customers can request zero data retention (ZDR) eligible endpoints or otherwise instruct deletion after agreement termination, and the DPA says OpenAI will return or delete Customer Data and existing copies unless laws require retention [1] [4]. Community posts note ZDR is available but requires explicit arrangements and is not the default [10] [11]. In short: contractual terms materially affect whether backups and third‑party copies are purged.
5. “Fully purge backups and third‑party copies” — where the record is thin
Available sources document stated retention windows, legal‑hold exceptions, and contractual paths to deletion, but they do not provide a granular, auditable timetable for purging every conceivable backup or third‑party copy after account closure. The DPA commits to return or delete data and “existing copies” unless law requires otherwise, but it does not publish a step‑by‑step clock for removing backups or copies held by sub‑processors in every jurisdiction [4]. Therefore: precise timing for “fully purge all backups and third‑party copies” is not spelled out in the cited materials.
6. What a user should do if they need guaranteed deletion
The documents advise different levers: choose ZDR or negotiate contractual terms in an enterprise agreement; follow the DPA process and provide instructions at termination; and be aware legal holds may prevent deletion [4] [1] [10]. Community reporting suggests engaging sales or legal teams to secure Zero Data Retention and Business Associate Agreements where required [10] [8]. These are the practical steps tied to the sources.
7. Competing perspectives and hidden incentives
OpenAI’s public posture emphasizes privacy and a short default retention period while preserving flexibility for abuse monitoring, security and compliance; critics and analysts point out that litigation and specific product designs can extend retention materially [3] [2] [8]. Enterprise marketing highlights contractual controls [1], while community threads warn that ZDR is not trivially obtainable [10]. Readers should note the implicit incentive for providers to retain data for abuse detection and product development, balanced against customer demand for strong deletion guarantees.
Limitations: this analysis relies solely on the supplied sources and does not claim to represent internal OpenAI operational logs or undisclosed retention procedures; where sources do not provide explicit procedures or exact timelines for every form of backup and third‑party copy, those specifics are “not found in current reporting” [4] [9].