What are OpenAI's data retention policies for backups, logs, and billing records?
Executive summary
OpenAI’s public materials and reporting show a mix of default retention policies, special enterprise controls (including Zero Data Retention), and an exceptional court-ordered preservation period that altered practice through mid‑2025; OpenAI said the court order forcing indefinite retention ended on September 26, 2025 and that it has returned to "standard" practices [1]. For enterprise customers OpenAI advertises configurable retention — including zero‑retention and minimum retention windows for workspaces — while consumer defaults and earlier statements often referenced 30‑day deletion windows or indefinite retention unless users delete chats [2] [3] [4] [5].
1. What OpenAI publicly says about backups, logs and deletion windows
OpenAI’s enterprise-facing pages state that deleted conversations “are removed from our systems within 30 days, unless we are legally required to retain them,” and that qualifying business customers can configure retention and opt for zero data retention arrangements [3] [2]. OpenAI’s general privacy page discusses retention and security practices but does not list a single universal retention timeframe that applies to every product and dataset [6]. Available sources do not provide a single, explicit retention schedule for all backup snapshots, low‑level logs, or billing records.
2. Consumer defaults vs. enterprise controls
Multiple sources draw a sharp distinction: consumer ChatGPT accounts historically had conversations saved by default (with user-deletion controls), while enterprise and API customers have stronger contractual controls, including data isolation and ZDR (Zero Data Retention) options that remove default provider‑side retention [5] [2]. OpenAI’s Academy guidance says user chats are saved indefinitely by default but that Enterprise Owners can set custom retention policies with a minimum of 90 days for workspace retention, underlining that “default” consumer behavior can differ from enterprise configurations [4] [5].
3. The court order that forced preservation and its aftermath
Press and OpenAI statements show litigation changed the practical retention landscape in 2025: a court order required OpenAI to preserve consumer ChatGPT and API content for a period, and OpenAI said those preservation obligations ended on September 26, 2025, after which it “returned to our standard data retention practices” [1]. Coverage and commentators noted the order required OpenAI to retain and segregate output log data that would otherwise have been deleted [7] [1]. This temporary judicial mandate complicated assurances about deletion and helped drive attention to enterprise ZDR offerings [7] [1].
4. Zero Data Retention (ZDR) and its limits
OpenAI and third‑party reporting indicate ZDR is offered to qualifying enterprise/API customers as a contractual configuration that prevents provider‑side retention of inputs/outputs and disallows using that data for training; examples show organizations secured ZDR approvals in late 2025 [2] [8]. Independent writeups and community reporting frame ZDR as a distinct product feature rather than the universal default: standard API usage historically retained inputs/outputs for up to 30 days for abuse monitoring unless a customer had ZDR [9] [10].
5. What the sources say about billing records and low‑level logs
The available sources discuss conversation history, API inputs/outputs, and administrative retention controls, but they do not provide granular detail on billing‑record retention periods or the retention policy for low‑level infrastructure backups and telemetry logs. OpenAI’s privacy documentation addresses categories of personal data and "Security and Retention" generally, but the specific retention timelines for billing records and system backups are not spelled out in the excerpts provided [6]. Therefore: available sources do not mention explicit retention durations for billing records or technical backup snapshots.
6. Conflicting or uncertain claims in reporting
Independent posts and consultancy pieces sometimes state different defaults — e.g., some outlets assert consumer chats were retained indefinitely unless deleted, others cite a 30‑day abuse‑monitoring window for API data — reflecting either product evolution or differing scopes (consumer ChatGPT vs. API vs. enterprise) [5] [10] [9]. Commentary that OpenAI "retains indefinitely even deleted data" largely stems from the court preservation order and is context‑dependent; OpenAI itself described returning to standard practices after the court obligations ended [1] [7].
7. Practical takeaways and what to ask OpenAI or your vendor
If you care about retention for backups, logs, or billing records: (a) ask whether your deployment is consumer, API standard, or enterprise/ZDR-qualified; (b) request contractual retention limits and whether billing records are retained separately and for how long; and (c) confirm whether any legal‑hold or preservation obligations apply to your region or account. OpenAI’s enterprise pages and the ZDR approvals show contractual paths to stronger retention guarantees [2] [8], while the company’s statement about the court order’s end explains why posted practices changed in late‑2025 [1].
Limitations: this analysis relies solely on the set of public pages and reports supplied; those sources do not provide a comprehensive, product‑level table listing retention for backups, logs, and billing records, so some specific claims about those categories are "not found in current reporting" [6] [3] [2].