How long does OpenAI keep backups and logs containing deleted user data?
Executive summary
OpenAI’s standard practice for most consumer and API data has been to remove deleted conversations and API inputs/outputs from its systems within 30 days unless there is a legal requirement to keep them [1]. That default was altered temporarily by a U.S. court preservation order that forced indefinite retention for certain consumer ChatGPT and API data until that obligation ended on September 26, 2025; OpenAI says it has returned to standard retention practices after that date while keeping limited April–September 2025 historical data [2].
1. What OpenAI publicly says is the baseline: “30 days” for deleted chats
OpenAI’s enterprise and platform pages state that deleted conversations are removed from their systems within 30 days unless legal requirements apply; similarly, OpenAI may retain API inputs and outputs for up to 30 days to provide services and detect abuse, after which they are removed unless the company is legally required to retain them [1]. Community and developer discussions echo that /v1/chat/completions and other common endpoints have default retention around 30 days [3].
2. Court orders temporarily overrode that baseline — and then changed again
Reporting and OpenAI’s own blog posts show that a federal court preservation order required OpenAI to retain consumer ChatGPT and API content indefinitely for the purposes of a copyright lawsuit, creating a conflict with the 30‑day standard; OpenAI appealed and later said those obligations ended on September 26, 2025, allowing it to “return to our standard data retention practices” while securely storing limited historical April–September 2025 user data [4] [2]. Coverage describing the dispute notes the preservation began with broad requests (millions of conversations) and was narrowed in the litigation [5] [2].
3. Exceptions: Zero Data Retention (ZDR) and enterprise controls
OpenAI and partners provide routes to avoid standard retention in specific business contexts. For qualifying enterprise customers or approved endpoints, Zero Data Retention (ZDR) configurations mean the provider does not retain inputs or outputs and the provider does not use that API data to train models — and OpenAI has approved ZDR for some customers (example: Unified Patents’ approval) [6]. OpenAI’s blog and reporting also say ZDR business endpoints were not impacted by the court order, per OpenAI’s statements [4].
4. Practical effect: what “deleted” means in different situations
Under normal (non‑legal‑hold) operations, “deleted conversations are removed from our systems within 30 days,” a policy OpenAI links to product features like conversation history and enterprise admin controls [1]. But when a legal hold is imposed — as happened in the New York Times–related litigation — deleted items that would otherwise be purged are instead preserved in a secure, legally‑held storage and accessed only as required for legal obligations [4] [2].
5. Independent and secondary coverage — agreement and differences
Industry and technical commentary generally reflect the 30‑day baseline but note the court-ordered exception and the complexity that introduces [7] [8]. Some reporting characterized the court requirement as “indefinite retention” and highlighted the engineering and privacy tensions this created; OpenAI framed its public response around contesting the order and restoring standard practices [5] [2].
6. What available sources do not mention or do not settle
Available sources do not mention exact technical details for backups, low‑level log retention, or how long replicas and infrastructure backups might persist beyond the 30‑day policy for operational recovery — those finer operational timelines are not listed in the provided reporting or OpenAI product pages (not found in current reporting). Likewise, there’s no provided granular timeline for how quickly data subject to the September 2025 preservation was fully deleted after the court obligations ended — OpenAI says it “returned to our standard data retention practices” but specific deletion schedules for preserved historical snapshots are not detailed in the cited material [2].
7. Takeaway for users and organizations
If you’re an individual using consumer ChatGPT or standard API endpoints, OpenAI’s stated default is that deleted conversations and standard API inputs/outputs are removed within 30 days unless a legal hold applies [1]. Organizations with sensitive data should pursue explicit contractual protections (e.g., ZDR or enterprise agreements) and verify whether their configuration is covered, because ZDR and enterprise data‑isolation options are available and were explicitly said not to be affected by the cited court order [6] [4].
Limitations: this analysis relies solely on the provided documents; operational backup practices, retention of infrastructure logs, and post‑preservation deletion timing are not specified in these sources (not found in current reporting).