OpenAI

ChatGPT Sites: How to Prepare a Privacy Policy

Learn what to include in a Privacy Policy for your ChatGPT Site.

Updated: 4 hours ago

How to prepare a Privacy Policy for your Site

This article offers some guidance on preparing a Privacy Policy for your ChatGPT Site (“Site”) to meet the requirements of data protection laws, such as those in the EU, the United Kingdom, Brazil, and certain U.S. states. Please read this article for more information on complying with data protection laws in general.

Why do you need a Privacy Policy on your Site?

If you are collecting personal data on your Site, either directly from the individuals themselves or from other sources, data protection laws require you to give those individuals certain information about your use of their personal data. The easiest and most common way to comply with this requirement is by posting a Privacy Policy on your Site. A Privacy Policy sets out key information about the data controller, the personal data collected on the Site, how that personal data will be used, and explains what rights individuals have in respect of their personal data under data protection law.

You can use this guidance to help you prepare a Privacy Policy to meet these requirements. However, you don’t have to use our wording. You could also take a look at OpenAI’s Privacy Policy to see our approach.

Please note that this article isn’t legal advice and is provided for informational purposes only. We recommend that you seek your own legal advice to understand your obligations under any laws that may apply to you, depending on where you and your Sites’ visitors are located.

The examples below are starting points only. Adapt them to the information your Site actually collects, the way you use it, the countries where you and your visitors are located, and the agreement that applies to your use of ChatGPT Sites.

Also, remember that it’s not always enough to include information in a Privacy Policy. If you are using personal data in a way that your users wouldn’t necessarily expect or that could be surprising, you may need to do more to clearly inform them, such as by including additional notices on your Site.

Updating and making your Privacy Policy available

Once you have created your Privacy Policy, you should make it available to anyone who visits your Site. The best practice would typically include adding a link to the Privacy Policy on each page of your Site, on a cookie banner (if you have one), and on any sign-up pages (including in marketing emails).

You should review and update your Privacy Policy whenever your personal data collection or processing activities change - for example, if you start collecting a new type of personal data on the Site, or start using the personal data you collect for a new purpose.

Drafting the Policy

Introduce the Site and who you are

Start with a very short introduction to the Privacy Policy and your Site. You should identify the “data controller” (i.e. the person or organisation who decides how and why the personal data is used). If you are running the Site on behalf of a group or organization, you should identify the group or organization. If you are running the Site as an individual, you will need to include your own name.

EXAMPLE: Please read the Privacy Policy for [SITE]. It explains what information is collected about you when you use [SITE] and how it is used. This Site is operated by [INSERT NAME/ORGANIZATION].

Explain what personal data you collect

Provide a short list or overview of the types of information that may be collected on the Site. You do not necessarily need to list out every category of data, but you should make sure individuals understand the types of data that could be collected from them. You should also make it clear when this information is collected - for example, if they have to provide it when they register for an account with you.

EXAMPLE: We collect information which you provide to us directly, and we also collect information related to your use of [SITE]. The categories of information we may collect include:

  • Your name, username, and email address if you create or use an account to log in to [SITE].

  • Optional profile information you provide, such as your photo or birthday.

  • Comments or other information you post on [SITE].

  • Your name, contact details, and query if you use the “Contact Us” form.

  • Information about your use of the [SITE], if you are logged into your account.

  • Information collected automatically using cookies and other tracking technologies, such as details of the web pages you have visited on [SITE] and the content that you access.

Using Sign In with ChatGPT

If your Site uses Sign in with ChatGPT, OpenAI may share the visitor’s name, email address, and profile photo, if available, with the Site after the visitor approves the sign-in. Explain this in your Privacy Policy and describe how your Site uses that information.

EXAMPLE: [SITE] uses Sign in with ChatGPT to let you sign in with your ChatGPT account. If you choose this option, OpenAI shares your name, email address, and profile photo, if available, with [SITE] after you approve the sign-in.

Cookies and similar technologies

Tell users about cookies or similar technologies used by the Site. If the Site uses non-essential cookies or similar tracking technologies, you may need to obtain consent before placing or reading them. Requirements vary by location.

In addition to including information about cookies in your Privacy Policy, there are other requirements for cookies such as having a separate cookie banner. The rules on cookies and similar technologies are complex, and vary depending on where you are based and what country your users are in. We recommend you seek legal advice, or consult the guidance from local data protection authorities.

EXAMPLE: [SITE] uses cookies and similar technologies, which are stored in your browser and automatically collect certain information when you use our [SITE]. Some of these cookies will only stay for the duration of the time you spend on [SITE], but others persist in the browser for [INSERT DURATION]. We use cookies for the following purposes:

  • To help [SITE] function, such as remembering preferences or supporting embedded media.

  • For analytics purposes, so we can understand how users use [SITE] and make improvements to it.

  • To display advertising on [SITE] and understand the impact of that advertising, if you consent to advertising cookies.

Explain why you collect personal data, and how you use it

You should explain why you collect the personal data, and how you will use it.

We would also suggest you use this section to identify your “lawful basis” for processing personal data under data protection laws like the GDPR. Your lawful basis might be that you have the user’s consent, that the processing is necessary to perform a contract with the user, or that the processing is necessary for the purposes of your legitimate interests. If you are relying on the “legitimate interests” basis, you must specifically identify those interests. This can be one of the more complicated aspects of data protection law, and so is an area where we particularly recommend you seek legal advice.

EXAMPLE: We collect and use personal data for the following purposes:

  • To provide the functionality of [SITE].

  • To communicate with you and respond to your queries.

  • To send you marketing.

  • To understand how [SITE] is used, so we can make improvements to [SITE].

We rely on the following lawful bases under GDPR:

  • Your consent, when we ask if we can send you marketing emails.

  • That the processing is necessary to perform a contract with you, when we need to process personal data to provide a service you requested.

  • That the processing is in our legitimate interests, when we are conducting research and analysis on how [SITE] is used. We have a legitimate interest in improving [SITE] for all of our users.

Explain who you share personal data with

List any third parties, or categories of third parties, with whom you share personal data. These may include organizations that help provide the Site or a service the visitor requested. Explain whether sharing is necessary, based on consent, or required by law.

OpenAI hosts and operates the Sites service and may process information collected through your Site as needed to provide it. Where applicable, that processing is governed by the OpenAI Data Processing Addendum or the Data Processing Addendum signed by your organization and OpenAI. Describe OpenAI’s role using the terms that apply to your account.

EXAMPLE: We share personal data in the following circumstances:

  • With service providers who help provide [SITE], including OpenAI who hosts [SITE] on our behalf.

  • If we are required or permitted to share the data under law.

  • If we have your consent.

Explain how long you will keep the personal data

You should be clear with users about how long you will keep their information for. If you can’t give an exact period, explain how you will decide when to delete their data.

EXAMPLE: We will keep personal data for as long as we need it, for the purposes set out above. The precise period will depend on how you use [SITE]. We periodically review the data we hold, to confirm that we still need it.

Explain where the personal data is stored

Explain where personal data is processed and any international-transfer safeguards that apply. Review the current Sites hosting and residency documentation and the agreement and Data Processing Addendum that apply to your account. ChatGPT Sites does not support data residency or inference residency at launch.

Do not copy a hosting country or transfer mechanism into your Privacy Policy unless it is accurate for your Site and agreement. Add an account-specific example only after confirming the applicable hosting and transfer terms.

Explain the user’s rights

Depending on where your visitors are located, privacy laws may give them rights to access, correct, delete, restrict, object to, or receive a copy of their personal data, withdraw consent, or complain to a regulator. Explain which rights apply and how visitors can exercise them.

EXAMPLE: Depending on the laws that apply to you, you may have rights in relation to personal data collected through [SITE], including the rights listed below.

  • Access your personal data.

  • Delete your personal data from our records.

  • Rectify or update your personal data.

  • Transfer your personal data to a third party (right to data portability).

  • Restrict how we process your personal data.

  • Withdraw your consent, where we rely on consent as the legal basis for processing.

  • Object to our processing your personal data for direct marketing, or other processing based on our legitimate interests.

  • Lodge a complaint with your local data protection authority.

Provide a contact point

You should provide a contact point for any inquiries, concerns, or complaints regarding personal data collected on your Site. You could provide an email or postal address.

EXAMPLE: If you have any questions or concerns about our handling of your personal data, you can contact us at [INSERT].

Was this article helpful?