# AI Stack GRC Compliance Report — 2 platforms - Generated: 2026-06-14T10:29:58.255Z - Source: AIRIN verified findings (gate-verified, verbatim-cited, SHA-256-anchored) > Automated assessment against a published rubric — not legal advice. ## Stack summary | Platform | Headline risk | Verified findings | Dealbreakers | |---|---|---|---| | ChatGPT | HIGH | 139 | none detected | | Microsoft Copilot | HIGH | 96 | none detected | --- # GRC Risk Assessment — ChatGPT - Platform: **ChatGPT** (openai-chatgpt) - Headline risk rating: **HIGH** - Website: https://chat.openai.com - Generated: 2026-06-14T10:29:58.255Z - Findings (verified, published): **139** > Every assertion is anchored to a verbatim quote with a SHA-256 snapshot hash and a Wayback archive URL for independent verification. Informational only; not legal advice. ## Control crosswalk (NIST AI RMF 1.0 + ISO/IEC 42001) | Surface | Risk | Confidence | NIST AI RMF | ISO/IEC 42001 | |---|---|---|---|---| | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | prompt ownership | unknown | high | MAP-2.3 (input data rights) | ISO 42001 A.7.2 (data acquisition) | | prompt ownership | unknown | high | MAP-2.3 (input data rights) | ISO 42001 A.7.2 (data acquisition) | | prompt ownership | unknown | high | MAP-2.3 (input data rights) | ISO 42001 A.7.2 (data acquisition) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | commercial use | unknown | high | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) | | commercial use | unknown | medium | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | ## Evidence (verbatim, with provenance) ### training use — risk unknown > For information about how we collect and use training information to develop our language models that power ChatGPT and other Services, and your choices with respect to that information, please see this policy as well as this help center article ⁠ (opens in a new window) . - Interpretation (disclaimed): This segment directs users to the policy and a help center article for information about how training data is collected and used for language model development, incorporating those references as part of the governing framework for training data rights and choices. - Tier: All - Location: Privacy Policy › “US privacy policy” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20For%20information%20about,new%20window)%20.%20 ### training use — risk unknown > We also collect information from other sources, like information that is publicly available on the internet, to develop the models that power our Services. For more information on the sources of information used to develop the models that power ChatGPT and other Services, please see this help center article ⁠ (opens in a new window) . - Interpretation (disclaimed): This segment discloses that OpenAI collects publicly available internet data to develop the models powering its Services, establishing the scope of data collection for AI training purposes and incorporating a help center article for further detail. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20also%20collect,new%20window)%20.%20 ### training use — risk unknown > As noted above, we may use Content you provide us to improve our Services, for example to train the models that power ChatGPT. Read our instructions ⁠ (opens in a new window) on how you can opt out of our use of your Content to train our models. - Interpretation (disclaimed): This segment states that OpenAI may use user-provided content to train its models and directs users to instructions for opting out, establishing a conditional permission for training use of content subject to user opt-out rights. - Tier: All - Location: § 2 (How we use Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20As%20noted%20above%2C,train%20our%20models.%20 ### training use — risk unknown > You can easily choose whether your Content can be used to improve and train our models ⁠ (opens in a new window) . You can decide whether we will remember details between chats to make Content more personalized and relevant. You can export your ChatGPT history and data in your account’s data controls. You can delete or archive chats in ChatGPT, or delete your account entirely. If you enable Temporary Chat ⁠ (opens in a new window) in ChatGPT, those conversations with ChatGPT will not appear in your history or be used to improve OpenAI’s models. Depending on applicable law, you may be able to choose which cookies are used when you use our Services, and you can make choices about the use of your information for purposes of promoting our products and services to you on third-party properties (l earn more ⁠ (opens in a new window) ). For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services. If you use the Atlas browser, you can delete your browsing history or choose to browse the web in incognito mode, which helps keep your browsing private from other people who use your device. You can unsubscribe from marketing communications you receive from us by using the choices provided in those communications. - Interpretation (disclaimed): Grants users the right to control whether their Content is used to train and improve OpenAI's models, and describes opt-out mechanisms including Temporary Chat which prevents content from being used for model improvement. - Tier: All - Location: § 5 (Data controls) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20You%20can%20easily,in%20those%20communications.%20 ### training use — risk unknown > For information on how to exercise your rights with respect to data we have collected from the internet to train our models, please see this help center article ⁠ (opens in a new window) . - Interpretation (disclaimed): Incorporates by reference a help center article explaining how users can exercise rights with respect to Personal Data collected from the internet for model training purposes. - Tier: All - Location: Privacy Policy › “Rectify or update your Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20For%20information%20on,new%20window)%20.%20 ### training use — risk unknown > How your data is used to improve model performance ⁠ (opens in a new window) - Interpretation (disclaimed): Incorporates by reference an external resource specifically addressing how user data is used to improve model performance, a material training-use disclosure relevant to AI platform data practices. - Tier: All - Location: § 13 (Useful resources) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20How%20your%20data,a%20new%20window)%20 ### training use — risk unknown > Our use of content. We may use Content to provide, maintain, develop, and improve our Services, comply with applicable law, enforce our terms and policies, and keep our Services safe. If you're using ChatGPT through Apple's integrations, see this Help Center article⁠ ⁠ (opens in a new window) for how we handle your Content. - Interpretation (disclaimed): This segment grants OpenAI permission to use Content for providing, maintaining, developing, and improving Services (including model training), as well as for legal compliance, policy enforcement, and safety purposes, and incorporates a Help Center article for Apple integration by reference. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Our%20use%20of,handle%20your%20Content.%20 ### training use — risk unknown > Opt out. If you do not want us to use your Content to train our models, you can opt out by following the instructions in this article ⁠ . Please note that in some cases this may limit the ability of our Services to better address your specific use case. - Interpretation (disclaimed): This segment provides users with the right to opt out of having their Content used for model training by following specified instructions, and notes that opting out may limit service personalization, establishing both a user right and a procedural mechanism for exercising it. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Opt%20out.%20If,specific%20use%20case.%20 ### prompt ownership — risk unknown > Feedback. We appreciate your feedback, and you agree that we may use it without restriction or compensation to you. - Interpretation (disclaimed): This segment grants OpenAI a perpetual, unrestricted, royalty-free right to use user feedback without restriction or compensation, effectively waiving any ownership or compensation rights the user might otherwise have in submitted feedback. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Feedback.%20We%20appreciate,compensation%20to%20you.%20 ### prompt ownership — risk unknown > Your content. You may provide input to the Services (“Input”), and receive output from the Services based on the Input (“Output”). Input and Output are collectively “Content.” You are responsible for Content, including ensuring that it does not violate any applicable law or these Terms. You represent and warrant that you have all rights, licenses, and permissions needed to provide Input to our Services. - Interpretation (disclaimed): This segment defines 'Input,' 'Output,' and 'Content,' assigns responsibility to users for Content compliance with law and Terms, and requires users to warrant they hold all rights needed to provide Input, establishing the foundational ownership and liability framework for user-submitted material. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Your%20content.%20You,to%20our%20Services.%20 ### prompt ownership — risk unknown > We and our affiliates own all rights, title, and interest in and to the Services. You may only use our name and logo in accordance with our Brand Guidelines⁠ ⁠ . - Interpretation (disclaimed): This segment asserts that OpenAI and its affiliates own all rights, title, and interest in the Services, and restricts users to using OpenAI's name and logo only in accordance with Brand Guidelines, protecting OpenAI's IP and limiting permissible use of its marks. - Tier: All - Location: Terms of Service › “Our IP rights” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20We%20and%20our,Guidelines%E2%81%A0%20%E2%81%A0%20.%20 ### output ownership — risk unknown > A note about accuracy: Services like ChatGPT generate responses by reading a user’s request and, in response, predicting the words most likely to appear next. In some cases, the words most likely to appear next may not be the most factually accurate. For this reason, you should not rely on the factual accuracy of output from our models. If you notice that ChatGPT output contains factually inaccurate information about you and you would like to request a correction or removal of the information, you can submit these requests through privacy.openai.com ⁠ (opens in a new window) or to dsar@openai.com ⁠ , and we will consider your request based on applicable law and the technical capabilities of our models. - Interpretation (disclaimed): Disclaims reliance on the factual accuracy of AI-generated output by explaining that ChatGPT predicts likely words rather than guaranteed facts, and provides a procedure for requesting correction or removal of inaccurate personal information in outputs. - Tier: All - Location: Privacy Policy › “Rectify or update your Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20A%20note%20about,of%20our%20models.%20 ### output ownership — risk unknown > Ownership of content. As between you and OpenAI, and to the extent permitted by applicable law, you (a) retain your ownership rights in Input and (b) own the Output. We hereby assign to you all our right, title, and interest, if any, in and to Output. - Interpretation (disclaimed): This segment establishes that as between the user and OpenAI, the user retains ownership of Input and owns Output, and OpenAI assigns all its right, title, and interest in Output to the user to the extent permitted by applicable law, creating a formal IP assignment of output rights. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Ownership%20of%20content.,and%20to%20Output.%20 ### output ownership — risk unknown > Similarity of content. Due to the nature of our Services and artificial intelligence generally, output may not be unique and other users may receive similar output from our Services. Our assignment above does not extend to other users’ output or any Third Party Output. - Interpretation (disclaimed): This segment limits the scope of the IP assignment in segment 26 by clarifying that it does not extend to other users' similar output or Third Party Output, restricting the breadth of the ownership right granted to any individual user. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Similarity%20of%20content.,Third%20Party%20Output.%20 ### output ownership — risk unknown > YOU ACCEPT AND AGREE THAT ANY USE OF OUTPUTS FROM OUR SERVICE IS AT YOUR SOLE RISK AND YOU WILL NOT RELY ON OUTPUT AS A SOLE SOURCE OF TRUTH OR FACTUAL INFORMATION, OR AS A SUBSTITUTE FOR PROFESSIONAL ADVICE. - Interpretation (disclaimed): Disclaims reliance on service outputs as authoritative or as a substitute for professional advice, placing sole risk of output use on the user and restricting OpenAI's liability for output-related harm. - Tier: All - Location: Terms of Service › “Disclaimer of warranties” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20YOU%20ACCEPT%20AND,FOR%20PROFESSIONAL%20ADVICE.%20 ### commercial use — risk unknown > What you can do. Subject to your compliance with these Terms, you may access and use our Services. In using our Services, you must comply with all applicable laws as well as our Sharing & Publication Policy⁠ ⁠ , Usage Policies⁠ ⁠ , and any other documentation, guidelines, or policies we make available to you. - Interpretation (disclaimed): This segment grants a conditional permission to access and use the Services subject to compliance with these Terms and incorporates Usage Policies, the Sharing & Publication Policy, and other guidelines by reference, creating the scope of permitted use. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20What%20you%20can,available%20to%20you.%20 ### commercial use — risk unknown > Software. Our Services may allow you to download software, such as mobile applications, which may update automatically to ensure you’re using the latest version. Our software may include open source software that is governed by its own licenses that we’ve made available to you. - Interpretation (disclaimed): This segment defines the nature of downloadable software (including auto-updating mobile applications and open source components governed by their own licenses), establishing the legal framework applicable to software elements of the Services. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Software.%20Our%20Services,available%20to%20you.%20 ### privacy data use — risk unknown > Account Information: When you create an account with us, we will collect information associated with your account, including your name, contact information, account credentials, date of birth, payment information, and transaction history, (collectively, “Account Information”). Some of our Services may also allow you to upload a profile picture, a username, or other information as part of your Account Information. User Content: We collect Personal Data that you provide in the input to our Services (“Content”), including your prompts and other content you upload, such as files ⁠ (opens in a new window) , images ⁠ (opens in a new window) , audio and video ⁠ (opens in a new window) , Sora characters ⁠ (opens in a new window) , and data from connected services ⁠ (opens in a new window) , depending on the features you use. Some of our Services allow you to interact with other users, such as post, comment, or send messages, and we treat those interactions as Content, too. Communication Information : If you communicate with us, such as via email or our pages on social media sites, we may collect Personal Data like your name, contact information, and the contents of the messages you send (“Communication Information”). Contact Data: If you choose to connect your device contacts, we upload information from your device address books and check which of your contacts also use our Services. If any of your contacts aren’t yet using our Services, we’ll update you if they sign up for our Services later. - Interpretation (disclaimed): This segment obligates OpenAI to collect specific categories of personal data including account information, credentials, payment data, transaction history, and user content (prompts and uploaded files), defining the scope of OpenAI's data collection practices. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Account%20Information%3A%20When,our%20Services%20later.%20 ### privacy data use — risk unknown > Access your Personal Data and information relating to how it is processed. - Interpretation (disclaimed): Grants users the right to access their Personal Data and information about how it is processed, which is a core data subject right under various privacy frameworks. - Tier: All - Location: § 6 (Your rights) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Access%20your%20Personal,it%20is%20processed.%20 ### privacy data use — risk unknown > Respect privacy . People are entitled to privacy. So, we don’t allow attempts to compromise the privacy of others, including to aggregate, monitor, profile, or distribute individuals’ private or sensitive information without their authorization. And, you may never use our services for: facial recognition databases without data subject consent real-time remote biometric identification in public spaces use of someone’s likeness, including their photorealistic image or voice, without their consent in ways that could confuse authenticity evaluation or classification of individuals based on their social behavior, personal traits, or biometric data (including social scoring, profiling, or inferring sensitive attributes) inference regarding an individual’s emotions in the workplace and educational settings, except when necessary for medical or safety reasons assessment or prediction of the risk of an individual committing a criminal offense based solely on their personal traits or on profiling - Interpretation (disclaimed): This segment prohibits uses of OpenAI services that compromise others' privacy, including aggregating, monitoring, profiling, or distributing private information without authorization, and specifically bans facial recognition databases without consent, real-time biometric identification in public spaces, and non-consensual use of individuals' likenesses — imposing enforceable privacy-based use restrictions. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Respect%20privacy%20.,or%20on%20profiling%20 ### privacy data use — risk unknown > Websites and apps use cookies and other identifiers to store and retrieve information on your device. Some of this information may be shared with third parties for different purposes. Use the tool below to manage your preferences. You can change them anytime. Learn more - Interpretation (disclaimed): This segment describes how websites and apps use cookies and identifiers to store and retrieve information on devices, notes that information may be shared with third parties, and directs users to the preference management tool — establishing a procedural framework for data use and third-party sharing relevant to privacy and subprocessor disclosure. - Tier: All - Location: Usage Policy › “Cookie Preferences” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Websites%20and%20apps,anytime.%20Learn%20more%20 ### privacy data use — risk unknown > These cookies are required for the site to work and can’t be turned off. They support essential functions like security, user authentication, and customer support. - Interpretation (disclaimed): This segment defines 'strictly necessary' cookies as required for site functionality including security, authentication, and customer support, and states they cannot be turned off — defining a category of data processing that is non-optional for users. - Tier: All - Location: Usage Policy › “Strictly necessary” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20These%20cookies%20are,and%20customer%20support.%20 ### privacy data use — risk unknown > These cookies help us understand how visitors interact with our site. They allow us to measure traffic and improve site performance. - Interpretation (disclaimed): This segment defines analytics cookies as those measuring visitor interactions, traffic, and site performance, establishing the scope of data collected under this category and the purpose for which it is processed. - Tier: All - Location: Usage Policy › “Analytics Cookies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20These%20cookies%20help,improve%20site%20performance.%20 ### privacy data use — risk unknown > These cookies help us measure the effectiveness of our marketing campaigns. - Interpretation (disclaimed): This segment defines marketing measurement cookies as those measuring the effectiveness of marketing campaigns, establishing the purpose and scope of data collected under this category. - Tier: All - Location: Usage Policy › “Marketing measurement” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20These%20cookies%20help,our%20marketing%20campaigns.%20 ### privacy data use — risk unknown > This helps us personalize and measure OpenAI’s own marketing on third-party platforms. - Interpretation (disclaimed): This segment defines personalized marketing tracking as data used to personalize and measure OpenAI's own marketing on third-party platforms, establishing the purpose of data processing and its disclosure to third-party platforms. - Tier: All - Location: Usage Policy › “Personalized marketing” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20This%20helps%20us,on%20third-party%20platforms.%20 ### privacy data use — risk unknown > At OpenAI, our mission is to ensure that artificial general intelligence benefits everyone. We build tools like ChatGPT and Sora to help people learn, create, and solve problems. We at OpenAI (together with our affiliates, “OpenAI”, “we”, “our” or “us”) are committed to respecting your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to personal data that we collect from or about you, and how we use it when you use our website, applications, and services (collectively, “Services”). - Interpretation (disclaimed): This segment introduces OpenAI's identity, mission, affiliated entities, and the defined scope of 'Services' and 'Personal Data,' establishing the definitional framework that governs all subsequent obligations and rights in the policy. - Tier: All - Location: Privacy Policy › “US privacy policy” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20At%20OpenAI%2C%20our,services%20(collectively%2C%20%E2%80%9CServices%E2%80%9D).%20 ### privacy data use — risk unknown > This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our API. Our use of that data is governed by our customer agreements covering access to and use of those offerings. - Interpretation (disclaimed): This segment carves out business API customers' data from the scope of this Privacy Policy, stating that such processing is governed by separate customer agreements, thereby creating a legal exception to the policy's applicability. - Tier: All - Location: Privacy Policy › “US privacy policy” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20This%20Privacy%20Policy,of%20those%20offerings.%20 ### privacy data use — risk unknown > We collect personal data relating to you (“Personal Data”) as follows: - Interpretation (disclaimed): This segment introduces the defined term 'Personal Data' and signals that the following sub-sections enumerate the categories collected, establishing a definitional framework for the data collection obligations described below. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20collect%20personal,Data%E2%80%9D)%20as%20follows%3A%20 ### privacy data use — risk unknown > Personal Data You Provide: We collect Personal Data if you create an account to use our Services or communicate with us as follows: - Interpretation (disclaimed): This segment defines the category of 'Personal Data You Provide' and introduces the sub-categories collected when users create accounts or communicate with OpenAI, establishing the scope of user-provided data collection. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Personal%20Data%20You,us%20as%20follows%3A%20 ### privacy data use — risk unknown > Learn more ⁠ (opens in a new window) about connecting your contacts and how we use uploaded contact information ⁠ (opens in a new window) of people who don’t use our Services. Other Information You Provide : We collect other information that you provide to us, such as when you participate in our events or surveys, or when you provide us or a vendor operating on our behalf with information to establish your identity or age (collectively, “Other Information You Provide”). - Interpretation (disclaimed): This segment describes OpenAI's collection of contact information uploaded by users (including data about non-users) and other information provided through events, surveys, or identity verification, establishing obligations regarding the scope of data collected from and about individuals. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=Learn%20more%20%E2%81%A0%20(opens,Information%20You%20Provide%E2%80%9D).%20 ### privacy data use — risk unknown > Personal Data We Receive from Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions: - Interpretation (disclaimed): This segment introduces the category 'Personal Data We Receive from Your Use of the Services,' defining the scope of automatically collected data and setting the definitional framework for the sub-categories described below. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Personal%20Data%20We,use%2C%20or%20interactions%3A%20 ### privacy data use — risk unknown > Log Data : We collect information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services. Usage Data : We collect information about your use and activity across the Services, such as the types of content that you view or engage with, the features you use and the actions you take, when you submit feedback to a model response, the people with whom you interact, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection. If you use the Atlas browser we may also collect your browser data according to your controls ⁠ (opens in a new window) and use of the service. Device Information : We collect information about the device you use to access the Services, such as the name of the device, operating system, device identifiers, and browser you are using. Information collected depends on the type of device you use and its settings. Location Information: We determine the general area from which your device accesses our Services based on information like its IP address for security reasons and to make your product experience better, for example to protect your account by detecting unusual login activity or to provide more accurate responses. In addition, some of our Services allow you to choose to provide more precise location information from your device, such as location information from your device’s GPS. - Interpretation (disclaimed): This segment describes OpenAI's automatic collection of log data (IP address, browser type, request timestamps) and usage data (content interactions, feature use, feedback submissions, time zone, access times), establishing the scope of passive data collection obligations. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Log%20Data%20%3A,your%20device%E2%80%99s%20GPS.%20 ### privacy data use — risk unknown > Cookies and Similar Technologies : We use cookies and similar technologies to operate and administer our Services, and improve your experience. We store some of the information described in this Policy with cookies, for example to help maintain your preferences across sessions if you’re not logged in, or to assist with authentication and customer support. For details about our use of cookies, please read our Cookie Notice ⁠ . - Interpretation (disclaimed): This segment describes OpenAI's use of cookies and similar technologies to operate services, maintain preferences, and support authentication, and incorporates the Cookie Notice by reference as governing the detailed use of such technologies. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Cookies%20and%20Similar,Notice%20%E2%81%A0%20.%20 ### privacy data use — risk unknown > You can find more information on data controls here ⁠ (opens in a new window) and by visiting privacy.openai.com ⁠ (opens in a new window) . - Interpretation (disclaimed): Incorporates by reference additional data control information at an external URL and privacy.openai.com, directing users to supplementary policy documentation governing their personal data rights. - Tier: All - Location: § 5 (Data controls) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20You%20can%20find,new%20window)%20.%20 ### privacy data use — risk unknown > We may receive information from advertisers and other data partners, which we use for purposes including to help us measure and improve the effectiveness of ads shown to Free and Go users on our Services. For example, we could receive information about purchases you make from these advertisers. - Interpretation (disclaimed): This segment discloses that OpenAI receives data from advertisers and data partners for ad measurement and improvement purposes for Free and Go users, establishing the scope of commercial data partnerships and their use for targeted advertising. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20may%20receive,from%20these%20advertisers.%20 ### privacy data use — risk unknown > We use Personal Data for the following purposes: - Interpretation (disclaimed): This segment introduces the enumerated purposes for which personal data is used, framing the subsequent list as the exhaustive or representative set of use purposes under the policy. - Tier: All - Location: § 2 (How we use Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20use%20Personal,the%20following%20purposes%3A%20 ### privacy data use — risk unknown > To provide, analyse, and maintain our Services, for example to respond to your questions for ChatGPT; To improve and develop our Services and conduct research, for example to develop new features; To personalize and customize your experience across our Services, for example to provide you with more relevant Content; For Free and Go users, to personalize the ads you see on our Services (subject to your settings), and to measure the effectiveness of ads shown on our Services. Learn more ⁠ (opens in a new window) about ads on our services; To communicate with you, including to respond to your questions, and send you information about our Services and events, for example about changes or improvements to the Services; To promote our products and services to you through direct marketing and on third-party properties, and to assess the effectiveness of those efforts, subject to your choices and controls ( learn more ⁠ (opens in a new window) ); Identify your contacts who use our Services when you choose to connect your contacts and update you if they join our Services later; To prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and Services, including by monitoring any Content submitted or exchanged on our platforms (learn more here ⁠ ); and To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, OpenAI, or third parties, for instance to prevent harm to you or others, or to estimate your age to give you an age-appropriate experience. - Interpretation (disclaimed): This segment enumerates the purposes for which OpenAI is permitted to use personal data, including service provision, research, personalization, advertising for Free/Go users, and communications, establishing the legal basis and scope of OpenAI's data processing permissions. - Tier: All - Location: § 2 (How we use Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20To%20provide%2C%20analyse%2C,an%20age-appropriate%20experience.%20 ### privacy data use — risk unknown > We also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law. - Interpretation (disclaimed): This segment describes OpenAI's practice of aggregating or de-identifying personal data and commits to maintaining such data in de-identified form without re-identification except as required by law, creating a legal obligation regarding de-identification standards. - Tier: All - Location: § 2 (How we use Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20also%20aggregate,required%20by%20law.%20 ### privacy data use — risk unknown > Depending on where you live, you may have certain statutory rights in relation to your Personal Data. For example, you may have the right to: - Interpretation (disclaimed): Establishes that users may have statutory rights regarding their Personal Data depending on jurisdiction, framing the conditional legal basis for the rights enumerated below. - Tier: All - Location: § 6 (Your rights) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Depending%20on%20where,the%20right%20to%3A%20 ### privacy data use — risk unknown > Our Services provide you with a number of controls over your Personal Data and how it is used and retained. You can always change these settings in your account. These include the following controls: - Interpretation (disclaimed): This segment describes user rights to control their personal data through account settings, establishing that users have actionable controls over how their data is used and retained, and that these controls can be exercised at any time. - Tier: All - Location: § 5 (Data controls) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Our%20Services%20provide,the%20following%20controls%3A%20 ### privacy data use — risk unknown > Delete your Personal Data from our records. Restrict how we process your Personal Data. Transfer your Personal Data to a third party (right to data portability). Withdraw your consent—where we rely on consent as the legal basis for processing. Lodge a complaint with your local data protection authority. - Interpretation (disclaimed): Enumerates multiple data subject rights including deletion, restriction of processing, data portability, withdrawal of consent, and the right to lodge complaints with supervisory authorities. - Tier: All - Location: Privacy Policy › “Rectify or update your Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Delete%20your%20Personal,data%20protection%20authority.%20 ### privacy data use — risk unknown > You can exercise some of these rights through your OpenAI account using the tools described in the Data controls ⁠ section, or you can submit your request through privacy.openai.com ⁠ (opens in a new window) or to dsar@openai.com ⁠ . You can contact our data protection officer at dpo@openai.com ⁠ . - Interpretation (disclaimed): Describes the procedure by which users can exercise their data subject rights, specifying the tools, web portal, email address, and DPO contact available for submitting requests. - Tier: All - Location: Privacy Policy › “Rectify or update your Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20You%20can%20exercise,dpo%40openai.com%20%E2%81%A0%20.%20 ### privacy data use — risk unknown > We collect the following information, as described above: Identifiers, such as your name, contact details, IP address, and other device identifiers - Interpretation (disclaimed): Defines 'Commercial information' as a category of Personal Data collected, specifically transaction history, for purposes of U.S. state privacy law disclosure. - Tier: All - Location: Privacy Policy › “Disclosure of Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20collect%20the,and%20other%20device%20identifiers ### privacy data use — risk unknown > Our Services are not directed to, or intended for, children under 13. We do not knowingly collect Personal Data from children under 13. If you have reason to believe that a child under 13 has provided Personal Data to OpenAI through the Services, please email us at privacy@openai.com. We will investigate any notification and, if appropriate, delete the Personal Data from our systems. Users under 18 must have permission from their parent or guardian to use our Services. Learn more ⁠ (opens in a new window) about how teens and parents or guardians can choose to link their accounts. - Interpretation (disclaimed): Restricts Services from being directed to children under 13, prohibits knowing collection of Personal Data from such children, imposes a parental permission requirement for users under 18, and establishes a procedure for reporting and deleting children's data. - Tier: All - Location: § 7 (Children) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Our%20Services%20are,link%20their%20accounts.%20 ### privacy data use — risk unknown > We implement commercially reasonable technical, administrative, and organizational measures designed to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you provide to the Services. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites. - Interpretation (disclaimed): Section header defining the scope of U.S. state-specific privacy disclosures, structuring the obligations and rights that follow under applicable state privacy laws. - Tier: All - Location: § 8 (Security) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20implement%20commercially,or%20third-party%20websites.%20 ### privacy data use — risk unknown > Some U.S. state privacy laws ⁠ (opens in a new window) require specific disclosures. The following table provides additional information about the categories of Personal Data we collect and how we use and disclose that information. You can read more about the Personal Data we collect and where we collect it from in “ Personal Data we collect ⁠ ” above, how we use Personal Data in “ How we use Personal Data ⁠ ” above, when we disclose Personal Data in “ Disclosure of Personal Data ⁠ ” above and how we retain Personal Data in “ Retention ⁠ ” above. We don’t process sensitive data for the purpose of inferring characteristics about you. - Interpretation (disclaimed): Defines the column header 'Category of Personal Data' for the U.S. state disclosure table, structuring the legal classification of data types subject to state privacy law requirements. - Tier: All - Location: § 9 (Additional U.S. state disclosures) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Some%20U.S.%20state,characteristics%20about%20you.%20 ### privacy data use — risk unknown > Network activity information, such as how you interact with our Services, including Log Data, Usage Data, and information about the device you use to access the Services Content, including your prompts and content you upload to the Services and interactions and messages with other users Communication Information, such as your contact information when you send us email - Interpretation (disclaimed): Defines 'Contact Data' as a category of Personal Data optionally collected when users connect device contacts, scoping the conditions and data types involved. - Tier: All - Location: Privacy Policy › “Commercial information, such as your transaction history” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Network%20activity%20information%2C,you%20send%20us%20email ### privacy data use — risk unknown > Geolocation data, such as the general area from which your device accesses our Services based on information like its IP address, or precise location information you choose to provide Other Account Information, such as your account credentials, and payment information, date of birth, and profile picture Other Information You Provide, such as if you choose to participate in our events or surveys or when you provide us or a vendor operating on our behalf with information to establish your identity or age. We use this information for the following purposes, as described above: - Interpretation (disclaimed): Establishes that OpenAI uses collected Personal Data to provide, analyze, and maintain its Services, constituting a statement of processing purpose that creates an obligation to limit use to those stated purposes. - Tier: All - Location: Privacy Policy › “Contact Data if you choose to connect your device contacts” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Geolocation%20data%2C%20such,purposes%2C%20as%20described%20above%3A ### privacy data use — risk unknown > Improve and develop our Services and conduct research, including using your Content to train our models (subject to your control) - Interpretation (disclaimed): Permits OpenAI to use Personal Data to personalize and customize the user experience across its Services. - Tier: All - Location: Privacy Policy › “Provide, analyze, and maintain our Services” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Improve%20and%20develop,to%20your%20control)%20 ### privacy data use — risk unknown > Parents or guardians of teen users for account linking purposes described above Other users and third parties you interact or share information with - Interpretation (disclaimed): States that OpenAI does not sell Personal Data and describes conditions under which limited data may be shared with marketing partners for targeted advertising, establishing the boundary of permissible data sharing and users' opt-out rights. - Tier: All - Location: Privacy Policy › “Business account administrators for the reasons described above” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Parents%20or%20guardians,or%20share%20information%20with ### privacy data use — risk unknown > Your Opt-Out Rights. We don’t “sell” Personal Data. Depending upon your choices, we may share limited data with select marketing partners for purposes of promoting our products and services to you on third-party properties. - Interpretation (disclaimed): Grants users the right to opt out of targeted advertising and cross-context behavioral advertising data sharing, and describes multiple mechanisms for exercising that opt-out including account settings, Global Privacy Control, and in-platform controls. - Tier: All - Location: Privacy Policy › “Business account administrators for the reasons described above” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Your%20Opt-Out%20Rights.,on%20third-party%20properties.%20 ### privacy data use — risk unknown > This is known as “targeted advertising” or sharing for “cross-context behavioral advertising” under certain state privacy laws. You can opt out using the marketing privacy control in your account settings. If you’re not logged in, you can opt out within Settings > Data Controls on ChatGPT or using the Your Privacy Choices link ⁠ on our website. You can also opt out using a legally recognized opt-out mechanism, like Global Privacy Control. You can learn more about the types of data we use and share for these purposes and controls we offer you here ⁠ (opens in a new window) . We don’t engage in these activities for users we know to be under 18 years of age. - Interpretation (disclaimed): Enumerates additional privacy rights for users under applicable U.S. state laws, including rights to know, access in portable format, deletion, correction, and freedom from retaliation for exercising those rights. - Tier: All - Location: Privacy Policy › “Business account administrators for the reasons described above” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20This%20is%20known,years%20of%20age.%20 ### privacy data use — risk unknown > Your Other Rights. Depending on where you live and subject to applicable exceptions, you may have the following privacy rights in relation to your Personal Data: - Interpretation (disclaimed): Grants users the right to correct their Personal Data held by OpenAI, as provided under applicable U.S. state privacy laws. - Tier: All - Location: Privacy Policy › “Business account administrators for the reasons described above” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Your%20Other%20Rights.,your%20Personal%20Data%3A%20 ### privacy data use — risk unknown > The right to know information about our processing of your Personal Data, including the right to access your Personal Data, often in a portable format; The right to request deletion of your Personal Data; - Interpretation (disclaimed): Grants the right to be free from retaliation for exercising privacy rights and incorporates by reference California privacy rights reporting, establishing a non-retaliation obligation on OpenAI. - Tier: All - Location: Privacy Policy › “Business account administrators for the reasons described above” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20The%20right%20to,your%20Personal%20Data%3B%20 ### privacy data use — risk unknown > The right to be free from retaliation relating to the exercise of any of your privacy rights. Review our California privacy rights reporting here ⁠ . - Interpretation (disclaimed): Establishes the procedure for submitting privacy rights requests through authorized agents, specifying the authority documentation required, the user's independent verification obligations, and the submission email address. - Tier: All - Location: Privacy Policy › “The right to correct your Personal Data; and” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20The%20right%20to,here%20%E2%81%A0%20.%20 ### privacy data use — risk unknown > We may update this policy from time to time. When we do, we will publish an updated version and effective date on this page, unless another type of notice is required by applicable law. - Interpretation (disclaimed): Establishes OpenAI's procedure and obligation for notifying users of material changes to the privacy policy, including publication of an updated version and effective date, subject to any legally required alternative notice method. - Tier: All - Location: § 10 (Changes to the privacy policy) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20may%20update,by%20applicable%20law.%20 ### privacy data use — risk unknown > Please contact support ⁠ (opens in a new window) if you have any questions or concerns not already addressed in this policy. - Interpretation (disclaimed): Directs users to a support channel for questions or concerns not addressed in the policy, providing a mechanism for exercising privacy-related inquiries and complaints. - Tier: All - Location: § 12 (How to contact us) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Please%20contact%20support,in%20this%20policy.%20 ### privacy data use — risk unknown > These cookies are required for the site to work and can’t be turned off. They support essential functions like security, user authentication, and customer support. - Interpretation (disclaimed): Defines strictly necessary cookies as non-optional and restricts users from disabling them, specifying their essential functions (security, authentication, customer support) and establishing that consent controls do not apply to this category. - Tier: All - Location: Privacy Policy › “Strictly necessary” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20These%20cookies%20are,and%20customer%20support.%20 ### privacy data use — risk unknown > These cookies help us understand how visitors interact with our site. They allow us to measure traffic and improve site performance. - Interpretation (disclaimed): Discloses OpenAI's permission to use analytics cookies to collect data on user interactions with the site for traffic measurement and performance improvement purposes, subject to user consent preferences. - Tier: All - Location: Privacy Policy › “Analytics Cookies” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20These%20cookies%20help,improve%20site%20performance.%20 ### privacy data use — risk unknown > These cookies help us measure the effectiveness of our marketing campaigns. - Interpretation (disclaimed): This segment defines marketing measurement cookies by describing their function in measuring campaign effectiveness, providing definitional context for user consent decisions regarding this data-use category. - Tier: All - Location: Terms of Service › “Marketing measurement” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20These%20cookies%20help,our%20marketing%20campaigns.%20 ### privacy data use — risk unknown > Our Privacy Policy⁠ ⁠ explains how we collect and use personal information. Although it does not form part of these Terms, it is an important document that you should read. - Interpretation (disclaimed): This segment incorporates the Privacy Policy by reference, noting it explains how personal information is collected and used, and clarifies that while it does not form part of these Terms it is a material document users should read. - Tier: All - Location: Terms of Service › “Effective: January 1, 2026 ( Previous version ⁠ )” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Our%20Privacy%20Policy%E2%81%A0,you%20should%20read.%20 ### privacy data use — risk unknown > Corporate domains. If you create an account using an email address owned by an organization (for example, your employer), that account may be added to the organization's business account with us, in which case we will provide notice to you so that you can help facilitate the transfer of your account (unless your organization has already provided notice to you that it may monitor and control your account). Once your account is transferred, the organization’s administrator will be able to control your account, including being able to access Content (defined below) and restrict or remove your access to the account. - Interpretation (disclaimed): This segment describes the procedure by which accounts created with organizational email addresses may be transferred to a business account, specifies the notice requirement to the user, and defines the resulting control rights of the organization's administrator over the account and its Content, affecting data access and account governance. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Corporate%20domains.%20If,to%20the%20account.%20 ### privacy data use — risk unknown > Websites and apps use cookies and other identifiers to store and retrieve information on your device. Some of this information may be shared with third parties for different purposes. Use the tool below to manage your preferences. You can change them anytime. Learn more - Interpretation (disclaimed): This segment describes how websites and apps use cookies and other identifiers to store and retrieve information, notes that some information may be shared with third parties, and informs users of a preference-management tool, establishing a procedural framework for user consent and data-sharing disclosure. - Tier: All - Location: Terms of Service › “Cookie Preferences” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Websites%20and%20apps,anytime.%20Learn%20more%20 ### privacy data use — risk unknown > These cookies are required for the site to work and can’t be turned off. They support essential functions like security, user authentication, and customer support. - Interpretation (disclaimed): This segment defines strictly necessary cookies and their essential functions (security, user authentication, customer support), explaining why they are non-optional, serving a definitional purpose for the cookie preference framework. - Tier: All - Location: Terms of Service › “Strictly necessary” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20These%20cookies%20are,and%20customer%20support.%20 ### privacy data use — risk unknown > These cookies help us understand how visitors interact with our site. They allow us to measure traffic and improve site performance. - Interpretation (disclaimed): This segment elaborates on analytics cookies' purposes (measuring traffic and improving performance), functioning as a definitional description that informs user consent for this cookie category. - Tier: All - Location: Terms of Service › “Analytics Cookies” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20These%20cookies%20help,improve%20site%20performance.%20 ### data retention — risk unknown > We’ll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data depends on the type of data, how we use it, and in many cases your settings: - Interpretation (disclaimed): This segment establishes OpenAI's obligation to retain personal data only as long as necessary for service provision or legitimate business purposes such as dispute resolution, safety, and legal compliance, and defines factors that determine retention duration. - Tier: All - Location: § 4 (Retention) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%E2%80%99ll%20retain%20your,cases%20your%20settings%3A%20 ### data retention — risk unknown > Information we retain until you delete it: Some of our Services allow you to delete Personal Data stored in your account. For example, you can delete specific, or all, of your ChatGPT conversations, delete specific Saved Memories ⁠ (opens in a new window) , or delete your account. Once you choose to delete Personal Data, we will remove it from our systems within 30 days unless we need to retain it for longer as described below, or it has already been de-identified and disassociated from your account when you allow us to use your Content to improve our models ⁠ (opens in a new window) . Information we delete automatically: In some cases, Personal Data will be deleted automatically. For example, Temporary Chats ⁠ (opens in a new window) will be automatically deleted within 30 days (unless we have to retain them for safety or legal reasons, as described further below), and your Atlas incognito browsing history ⁠ (opens in a new window) won’t be saved after you end your session. Information we retain for longer for legitimate security, safety, or legal reasons: In some cases, we need to retain Personal Data for longer even after you delete it, for example because we are legally required to, to address fraud and abuse, for security reasons, or for financial record-keeping purposes. For instance: If specific Content, or your account, is banned because of violations of our usage policies ⁠ , we may retain that data for to protect our services from fraud, abuse, or other violations of our policies; If we are legally required to retain your data (for instance, we receive a lawful subpoena) then we may retain it for the duration of the relevant legal or regulatory obligation; When we are a party to a financial transaction (for instance, when we process your payment for a - Interpretation (disclaimed): This segment describes the procedure for user-initiated deletion of personal data, specifying that deletion occurs within 30 days unless retention is otherwise required, and creates an exception for de-identified data already dissociated from the user's account. - Tier: All - Location: § 4 (Retention) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Information%20we%20retain,your%20payment%20for%20a ### data retention — risk unknown > ChatGPT Plus or Pro account, or facilitate a purchase on ChatGPT), we may retain payment and transaction related information to meet our accounting, dispute resolution, and regulatory compliance purposes; When you ask us to delete your Personal Data, we retain the audit record of the erasure request to be able to verify that we have complied with the request. - Interpretation (disclaimed): This segment establishes OpenAI's obligation to retain payment and transaction data for accounting, dispute resolution, and regulatory compliance, and to retain audit records of erasure requests to demonstrate compliance with deletion obligations. - Tier: All - Location: § 4 (Retention) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20ChatGPT%20Plus%20or,with%20the%20request.%20 ### data retention — risk unknown > In determining these retention periods, we consider a number of factors, such as: - Interpretation (disclaimed): This segment introduces the factors OpenAI considers when determining retention periods, establishing the procedural framework for retention decision-making. - Tier: All - Location: § 4 (Retention) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20In%20determining%20these,factors%2C%20such%20as%3A%20 ### data retention — risk unknown > Our purpose for processing the Personal Data (such as whether we need to retain it to provide our Services); The amount, nature, and sensitivity of the information; The potential risk of harm from unauthorized use or disclosure; Any legal requirements that we are subject to. - Interpretation (disclaimed): This segment enumerates the specific factors — processing purpose, data nature and sensitivity, risk of harm, and legal requirements — that govern retention period determinations, creating substantive criteria for OpenAI's retention obligations. - Tier: All - Location: § 4 (Retention) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Our%20purpose%20for,are%20subject%20to.%20 ### data retention — risk unknown > We also may terminate your account if it has been inactive for over a year and you do not have a paid account. If we do, we will provide you with advance notice. - Interpretation (disclaimed): Establishes that inactive accounts without a paid subscription may be terminated after one year of inactivity, with advance notice required before deletion, creating a data/account retention policy. - Tier: All - Location: Terms of Service › “Termination and suspension” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20We%20also%20may,with%20advance%20notice.%20 ### subprocessors data sharing — risk unknown > This helps us personalize and measure OpenAI’s own marketing on third-party platforms. - Interpretation (disclaimed): Discloses OpenAI's permission to use personalized marketing cookies to share user data with third-party platforms for targeted advertising and marketing measurement purposes, subject to user consent. - Tier: All - Location: Privacy Policy › “Personalized marketing” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20This%20helps%20us,on%20third-party%20platforms.%20 ### subprocessors data sharing — risk unknown > Information We Receive from Other Sources: We receive information from other sources, such as our trusted security and safety partners to protect safety and prevent fraud, abuse, and other threats to our Services, and from marketing vendors who provide us with information about potential customers of our business services. - Interpretation (disclaimed): This segment discloses that OpenAI receives personal data from third-party security/safety partners and marketing vendors, establishing the scope of third-party data flows into OpenAI's systems and the purposes for which such data is received. - Tier: All - Location: § 1 (Personal Data we collect) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Information%20We%20Receive,our%20business%20services.%20 ### subprocessors data sharing — risk unknown > We disclose your Personal Data in the following circumstances: - Interpretation (disclaimed): This segment introduces the enumerated circumstances of personal data disclosure, framing the subsequent list as the operative scope of OpenAI's data sharing practices. - Tier: All - Location: § 3 (Disclosure of Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20disclose%20your,the%20following%20circumstances%3A%20 ### subprocessors data sharing — risk unknown > Vendors, Service Providers, and Marketing Partners : To assist us in meeting business operations needs and to perform certain services and functions, we disclose Personal Data to vendors, service providers, and marketing partners, including providers of hosting services, customer service vendors, cloud services, content delivery services, support and safety services, email communication software, web analytics services, payment and transaction processors, search and shopping providers, and information technology providers. We also work with service providers who help us with age and identity verification, and you can learn more here⁠ ⁠ (opens in a new window) . When we work with Service Providers, these parties will access, process, or store Personal Data based on our instructions and only in the course of performing their duties to us. We also share limited information with select marketing partners who are not service providers in order to promote our products and services on third-party properties and help us assess the effectiveness of those efforts. Some of these partners may receive information through cookies and similar technologies. Learn more about these practices and the choices available to you here ⁠ (opens in a new window) . Business Transfers : If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a “Transaction”), your Personal Data may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets. - Interpretation (disclaimed): This segment discloses that OpenAI shares personal data with vendors, service providers, and marketing partners for business operations, naming categories of subprocessors and the functions they perform, establishing the scope of third-party data sharing obligations. - Tier: All - Location: § 3 (Disclosure of Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Vendors%2C%20Service%20Providers%2C,with%20other%20assets.%20 ### subprocessors data sharing — risk unknown > Government Authorities or Other Third Parties : We may share your Personal Data, including information about your interaction with our Services, with government authorities, industry peers, or other third parties in compliance with the law (i) if required to do so to comply with a legal obligation, or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, users, or the public, or (vi) to protect against legal liability. Affiliates : We disclose Personal Data to our affiliates, meaning an entity that controls, is controlled by, or is under common control with OpenAI. Our affiliates may use this Personal Data in a manner consistent with this policy. Business Account Administrators : When you join a ChatGPT Enterprise or business account, the administrators of that account may access and control your OpenAI account, including being able to access your Content. In addition, if you create an account using an email address belonging to your employer or another organization, we may share the fact that you have an account and certain account information, such as your email address, with your employer or organization to, for example, enable you to be added to their business account. - Interpretation (disclaimed): This segment permits OpenAI to share personal data with government authorities and third parties for legal compliance, rights protection, policy enforcement, fraud prevention, and safety purposes, establishing the legal bases for non-consensual disclosure of personal data. - Tier: All - Location: § 3 (Disclosure of Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Government%20Authorities%20or,their%20business%20account.%20 ### subprocessors data sharing — risk unknown > Parent or Guardian of a Teen : Teen users and their parents or guardians can choose to link their accounts, allowing the parent or guardian to manage certain settings, and receive alerts if we detect a serious safety concern. These accounts can be unlinked at any time. Learn more ⁠ (opens in a new window) about account linking. Other Users and Third Parties You Interact or Share Information With : Certain Services allow you to interact or share information with other users or third parties. For example, you can share content like ChatGPT conversations ⁠ (opens in a new window) or Sora videos ⁠ (opens in a new window) and characters ⁠ (opens in a new window) , or share information with third-party search ⁠ (opens in a new window) and shopping ⁠ (opens in a new window) partners. Information you share with third-party partners is governed by their own terms and privacy policies, and you should make sure you understand those terms and policies before sharing information with them. - Interpretation (disclaimed): This segment describes data sharing with parents/guardians of teen users for account management and safety alerts, and with other users and third parties when users choose to share content, establishing user-directed and safety-based data sharing permissions. - Tier: All - Location: § 3 (Disclosure of Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Parent%20or%20Guardian,information%20with%20them.%20 ### subprocessors data sharing — risk unknown > We also aggregate or de-identify Personal Data so that it no longer identifies you and share it with third parties for the purposes described above, such as to help improve our Services. - Interpretation (disclaimed): This segment permits OpenAI to share aggregated or de-identified personal data with third parties to improve services, establishing a legal basis for sharing non-identifying derived data with external parties. - Tier: All - Location: § 3 (Disclosure of Personal Data) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20We%20also%20aggregate,improve%20our%20Services.%20 ### subprocessors data sharing — risk unknown > For Free and Go users, subject to your controls, to personalize the ads you see on our Services and measure the effectiveness of ads shown on our Services. Learn more. Communicate with you, including to respond to your questions, and send you information about our Services and events, for example about changes or improvements to the Services or offers or information that may interest you To identify your contacts who use our Services when you choose to connect your contacts and update you if they join our Services later. Prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and Services, including by monitoring any Content submitted or exchanged on our platforms (learn more here ) Comply with legal obligations and protect the rights, privacy, safety, or property of our users, OpenAI, or third parties, for instance to prevent harm to you or others, and to estimate your age to give you an age-appropriate experience We may disclose this information in the following circumstances, as described above: Vendors, service providers, and affiliates to assist us in meeting business operations needs and to perform certain services and functions described above Government authorities or other third parties for the legal reasons described above - Interpretation (disclaimed): Defines 'Parties involved in Transactions' as a category of recipients to whom Personal Data may be disclosed, forming part of the U.S. state law disclosure table. - Tier: All - Location: Privacy Policy › “To personalize and customize your experience across our Services” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20For%20Free%20and,legal%20reasons%20described%20above ### subprocessors data sharing — risk unknown > These cookies help us measure the effectiveness of our marketing campaigns. - Interpretation (disclaimed): Discloses that marketing measurement cookies are used to measure campaign effectiveness, implying data may be shared with or processed by marketing analytics third parties, subject to user consent. - Tier: All - Location: Privacy Policy › “Marketing measurement” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20These%20cookies%20help,our%20marketing%20campaigns.%20 ### subprocessors data sharing — risk unknown > Websites and apps use cookies and other identifiers to store and retrieve information on your device. Some of this information may be shared with third parties for different purposes. Use the tool below to manage your preferences. You can change them anytime. Learn more - Interpretation (disclaimed): Describes how cookies and device identifiers are used to store and retrieve information, discloses that some information may be shared with third parties for various purposes, and introduces a consent-management tool allowing users to manage and change their preferences. - Tier: All - Location: Privacy Policy › “Cookie Preferences” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Websites%20and%20apps,anytime.%20Learn%20more%20 ### subprocessors data sharing — risk unknown > This helps us personalize and measure OpenAI’s own marketing on third-party platforms. - Interpretation (disclaimed): This segment discloses that personalized marketing cookies enable OpenAI to share data with third-party platforms for the purpose of personalizing and measuring its own marketing, implicating third-party data sharing obligations relevant to subprocessor and data-sharing surfaces. - Tier: All - Location: Terms of Service › “Personalized marketing” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20This%20helps%20us,on%20third-party%20platforms.%20 ### audit rights dpa residency — risk unknown > OpenAI processes your Personal Data for the purposes described in this policy on servers located in various jurisdictions, including processing and storing your Personal Data in our facilities and servers in the United States, or in countries or territories where our affiliates and partners or our vendors and service providers are located. While data protection law varies by country, we apply the protections described in this policy to your Personal Data regardless of where it is processed, and only transfer that data pursuant to legally valid transfer mechanisms. - Interpretation (disclaimed): States that OpenAI processes Personal Data on servers in various jurisdictions including the United States, commits to applying the same protections regardless of processing location, and obligates use of legally valid transfer mechanisms for cross-border data transfers. - Tier: All - Location: Privacy Policy › “Rectify or update your Personal Data” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20OpenAI%20processes%20your,valid%20transfer%20mechanisms.%20 ### audit rights dpa residency — risk unknown > Appeals. Depending on where you live, you may have the right to appeal a decision we make relating to requests to exercise your rights. To appeal a decision, please send your request to dsar@openai.com . - Interpretation (disclaimed): Grants data subjects a procedural right to appeal decisions made by OpenAI regarding the exercise of privacy rights, and specifies the procedure (emailing dsar@openai.com) for doing so, contingent on jurisdiction. - Tier: All - Location: Privacy Policy › “The right to correct your Personal Data; and” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20Appeals.%20Depending%20on,to%20dsar%40openai.com%20.%20 ### audit rights dpa residency — risk unknown > If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, is the controller and is responsible for the processing of your Personal Data as described in this policy. - Interpretation (disclaimed): Identifies OpenAI Ireland Limited as the data controller responsible for processing Personal Data of EEA and Swiss residents, establishing the legal entity accountable under GDPR for the processing activities described in the policy. - Tier: All - Location: § 11 (Data controller) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20If%20you%20live,in%20this%20policy.%20 ### audit rights dpa residency — risk unknown > If you live anywhere else, OpenAI OpCo, LLC, with its registered office at 1455 Third Street, San Francisco, California 94158, United States, is the controller and is responsible for the processing of your Personal Data as described in this policy. - Interpretation (disclaimed): Identifies OpenAI OpCo, LLC as the data controller responsible for processing Personal Data of all users outside the EEA and Switzerland, establishing the legal entity accountable for processing under applicable non-GDPR data protection laws. - Tier: All - Location: § 11 (Data controller) - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=%20If%20you%20live,in%20this%20policy.%20 ### indemnity liability — risk unknown > Third party Services. Our services may include third party software, products, or services, (“Third Party Services”) and some parts of our Services, like our browse feature, may include output from those services (“Third Party Output”). Third Party Services and Third Party Output are subject to their own terms, and we are not responsible for them. - Interpretation (disclaimed): This segment identifies Third Party Services and Third Party Output as subject to their own terms and disclaims OpenAI's responsibility for them, limiting OpenAI's liability with respect to third-party integrations. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Third%20party%20Services.,responsible%20for%20them.%20 ### indemnity liability — risk unknown > Output may not always be accurate. You should not rely on Output from our Services as a sole source of truth or factual information, or as a substitute for professional advice. You must evaluate Output for accuracy and appropriateness for your use case, including using human review as appropriate, before using or sharing Output from the Services. You must not use any Output relating to a person for any purpose that could have a legal or material impact on that person, such as making credit, educational, employment, housing, insurance, legal, medical, or other important decisions about them. Our Services may provide incomplete, incorrect, or offensive Output that does not represent OpenAI’s views. If Output references any third party products or services, it doesn’t mean the third party endorses or is affiliated with OpenAI. - Interpretation (disclaimed): This segment contains multiple user-facing disclaimers and restrictions: that Output may be inaccurate and should not be solely relied upon, that users must evaluate Output before use, and that Output must not be used to make material decisions about persons, limiting OpenAI's liability for inaccurate outputs and placing verification obligations on users. - Tier: All - Location: Terms of Service › “Content” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Output%20may%20not,affiliated%20with%20OpenAI.%20 ### indemnity liability — risk unknown > We may decide to discontinue our Services, but if we do, we will give you advance notice and a refund for any prepaid, unused Services. - Interpretation (disclaimed): Obligates OpenAI to provide advance notice and refund prepaid unused services if it discontinues its services, creating a financial and procedural obligation toward users. - Tier: All - Location: Terms of Service › “Discontinuation of Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20We%20may%20decide,prepaid%2C%20unused%20Services.%20 ### indemnity liability — risk unknown > OUR SERVICES ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS MAKE NO WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE SERVICES, AND DISCLAIM ALL WARRANTIES INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, NON-INFRINGEMENT, AND QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR TRADE USAGE. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ACCURATE OR ERROR FREE, OR THAT ANY CONTENT WILL BE SECURE OR NOT LOST OR ALTERED. - Interpretation (disclaimed): Disclaims all express, implied, statutory, and other warranties for the services on an 'as is' basis, including merchantability, fitness for purpose, non-infringement, and accuracy, limiting OpenAI's and its affiliates' and licensors' legal exposure for service quality. - Tier: All - Location: Terms of Service › “Disclaimer of warranties” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20OUR%20SERVICES%20ARE,LOST%20OR%20ALTERED.%20 ### indemnity liability — risk unknown > NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA OR OTHER LOSSES, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OUR AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED ​​THE GREATER OF THE AMOUNT YOU PAID FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE OR ONE HUNDRED DOLLARS ($100). THE LIMITATIONS IN THIS SECTION APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. - Interpretation (disclaimed): Caps OpenAI's aggregate liability at the greater of amounts paid in the prior 12 months or $100, and excludes indirect, incidental, special, consequential, and exemplary damages, limiting the financial remedies available to users. - Tier: All - Location: Terms of Service › “Limitation of liability” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20NEITHER%20WE%20NOR,BY%20APPLICABLE%20LAW.%20 ### indemnity liability — risk unknown > Some countries and states do not allow the disclaimer of certain warranties or the limitation of certain damages, so some or all of the terms above may not apply to you, and you may have additional rights. In that case, these Terms only limit our responsibilities to the maximum extent permissible in your country of residence. - Interpretation (disclaimed): Creates a geographic/jurisdictional exception acknowledging that certain warranty disclaimers or damage limitations may not apply in some jurisdictions, preserving users' statutory rights where local law prohibits such limitations. - Tier: All - Location: Terms of Service › “Limitation of liability” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Some%20countries%20and,country%20of%20residence.%20 ### indemnity liability — risk unknown > OPENAI’S AFFILIATES, SUPPLIERS, LICENSORS, AND DISTRIBUTORS ARE INTENDED THIRD PARTY BENEFICIARIES OF THIS SECTION. - Interpretation (disclaimed): Designates OpenAI's affiliates, suppliers, licensors, and distributors as intended third-party beneficiaries of the limitation of liability section, granting them the right to enforce these protections. - Tier: All - Location: Terms of Service › “Limitation of liability” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20OPENAI%E2%80%99S%20AFFILIATES%2C%20SUPPLIERS%2C,OF%20THIS%20SECTION.%20 ### indemnity liability — risk unknown > If you are a business or organization, to the extent permitted by law, you will indemnify and hold harmless us, our affiliates, and our personnel, from and against any costs, losses, liabilities, and expenses (including attorneys’ fees) from third party claims arising out of or relating to your use of the Services and Content or any violation of these Terms. - Interpretation (disclaimed): Obligates business or organizational users to indemnify and hold harmless OpenAI, its affiliates, and personnel from third-party claims, costs, losses, liabilities, and attorney's fees arising from the user's use of services or violation of Terms. - Tier: All - Location: Terms of Service › “Indemnity” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20If%20you%20are,of%20these%20Terms.%20 ### indemnity liability — risk unknown > Trade controls. You must comply with all applicable trade laws, including sanctions and export control laws. Our Services may not be used in or for the benefit of, or exported or re-exported to (a) any U.S. embargoed country or territory or (b) any individual or entity with whom dealings are prohibited or restricted under applicable trade laws. Our Services may not be used for any end use prohibited by applicable trade laws, and your Input may not include material or information that requires a government license for release or export. - Interpretation (disclaimed): This segment imposes a compliance obligation on users to adhere to all applicable trade laws, sanctions, and export control laws, and restricts use of the Services in embargoed territories or for prohibited end uses, creating binding legal duties and restrictions with potential liability implications. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Trade%20controls.%20You,release%20or%20export.%20 ### governing law disputes — risk unknown > For individuals in the European Economic Area, United Kingdom, and Switzerland, you can read this version of our Privacy Policy. - Interpretation (disclaimed): This segment directs EEA, UK, and Switzerland individuals to a separate version of the Privacy Policy, incorporating by reference a distinct legal instrument applicable to those jurisdictions and establishing jurisdictional boundaries for the current document. - Tier: All - Location: Privacy Policy › “US privacy policy” - Source: https://openai.com/policies/privacy-policy - Snapshot SHA-256: `0795a8d53c4cef2768d2f362fcf3e5d5be423787696a3fcdfdf1a478105ea60f` - Wayback: — - Deep link: https://openai.com/policies/privacy-policy#:~:text=For%20individuals%20in%20the,our%20Privacy%20Policy.%20 ### governing law disputes — risk unknown > These Terms of Use apply to your use of ChatGPT, DALL·E, and OpenAI’s other services for individuals, along with any associated software applications and websites (all together, “Services”). These Terms form an agreement between you and OpenAI OpCo, LLC, a Delaware company, and they include our Service Terms⁠ ⁠ and important provisions for resolving disputes through arbitration. By using our Services, you agree to these Terms. - Interpretation (disclaimed): This segment defines the scope of the Terms of Use, identifies the contracting parties (user and OpenAI OpCo, LLC, a Delaware company), incorporates Service Terms by reference, and states that by using the Services the user agrees to these Terms including arbitration dispute resolution provisions, thereby establishing the contractual framework and consent mechanism. - Tier: All - Location: Terms of Service › “Effective: January 1, 2026 ( Previous version ⁠ )” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20These%20Terms%20of,to%20these%20Terms.%20 ### governing law disputes — risk unknown > If you reside in the European Economic Area, Switzerland, or the UK, your use of the Services is governed by these terms⁠ ⁠ . - Interpretation (disclaimed): This segment incorporates by reference a separate set of terms governing users in the EEA, Switzerland, or the UK, creating a jurisdictional carve-out and directing those users to different governing terms. - Tier: All - Location: Terms of Service › “Effective: January 1, 2026 ( Previous version ⁠ )” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20If%20you%20reside,terms%E2%81%A0%20%E2%81%A0%20.%20 ### governing law disputes — risk unknown > YOU AND OPENAI AGREE TO THE FOLLOWING MANDATORY ARBITRATION AND CLASS ACTION WAIVER PROVISIONS: - Interpretation (disclaimed): Incorporates and signals mandatory arbitration and class action waiver provisions applicable to both parties, establishing the dispute resolution framework as binding. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20YOU%20AND%20OPENAI,ACTION%20WAIVER%20PROVISIONS%3A%20 ### governing law disputes — risk unknown > MANDATORY ARBITRATION. You and OpenAI agree to resolve any claims arising out of or relating to these Terms or our Services, regardless of when the claim arose, even if it was before these Terms existed (a “Dispute”), through final and binding arbitration. You may opt out of arbitration within 30 days of account creation or of any updates to these arbitration terms within 30 days after the update has taken effect by filling out this form ⁠ . If you opt out of an update, the last set of agreed upon arbitration terms will apply. - Interpretation (disclaimed): Establishes mandatory binding arbitration as the exclusive dispute resolution mechanism for all claims, and creates a procedure allowing users to opt out within 30 days of account creation or updates to arbitration terms. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20MANDATORY%20ARBITRATION.%20You,terms%20will%20apply.%20 ### governing law disputes — risk unknown > Informal dispute resolution. We would like to understand and try to address your concerns prior to formal legal action. Before either of us files a claim against the other, we both agree to try to resolve the Dispute informally. You agree to do so by sending us notice through this form ⁠ . We will do so by sending you notice to the email address associated with your account. If we are unable to resolve a Dispute within 60 days, either of us has the right to initiate arbitration. We also both agree to attend an individual settlement conference if either party requests one during this time. Any statute of limitations will be tolled during this informal resolution process. - Interpretation (disclaimed): Establishes a mandatory informal dispute resolution process requiring both parties to attempt resolution for 60 days before initiating arbitration, including notice requirements and optional individual settlement conferences. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Informal%20dispute%20resolution.,informal%20resolution%20process.%20 ### governing law disputes — risk unknown > Arbitration forum. If we are unable to resolve the Dispute, either of us may commence arbitration with National Arbitration and Mediation (“NAM”) under its Comprehensive Dispute Resolution Rules and Procedures and/or Supplemental Rules for Mass Arbitration Filings, as applicable (available here⁠ ⁠ (opens in a new window) ). - Interpretation (disclaimed): Designates NAM as the arbitration forum and incorporates NAM's Comprehensive Dispute Resolution Rules and Supplemental Rules for Mass Arbitration Filings as the governing procedural rules for arbitration proceedings. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Arbitration%20forum.%20If,new%20window)%20).%20 ### governing law disputes — risk unknown > OpenAI will not seek attorneys’ fees and costs in arbitration unless the arbitrator determines that your claim is frivolous. The activities described in these Terms involve interstate commerce and the Federal Arbitration Act will govern the interpretation and enforcement of these arbitration terms and any arbitration. - Interpretation (disclaimed): Restricts OpenAI from seeking attorney's fees unless a claim is found frivolous, and designates the Federal Arbitration Act as the governing law for interpretation and enforcement of the arbitration provisions. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20OpenAI%20will%20not,and%20any%20arbitration.%20 ### governing law disputes — risk unknown > Arbitration procedures. The arbitration will be conducted by videoconference if possible, but if the arbitrator determines a hearing should be conducted in person, the location will be mutually agreed upon, in the county where you reside, or as determined by the arbitrator, unless the batch arbitration process applies. The arbitration will be conducted by a sole arbitrator. The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California. The arbitrator will have exclusive authority to resolve any Dispute, except the state or federal courts of San Francisco, California have the authority to determine any Dispute about enforceability, validity of the class action waiver, or requests for public injunctive relief, as set out below. Any settlement offer amounts will not be disclosed to the arbitrator by either party until after the arbitrator determines the final award, if any. The arbitrator has the authority to grant motions dispositive of all or part of any Dispute. - Interpretation (disclaimed): Specifies procedural rules for arbitration including venue (videoconference preferred or user's county), sole arbitrator qualification requirements (retired judge or California-licensed attorney), and the arbitrator's exclusive authority to resolve disputes. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Arbitration%20procedures.%20The,of%20any%20Dispute.%20 ### governing law disputes — risk unknown > Exceptions. This section does not require informal dispute resolution or arbitration of the following claims: (i) individual claims brought in small claims court; and (ii) injunctive or other equitable relief to stop unauthorized use or abuse of the Services or intellectual property infringement or misappropriation. - Interpretation (disclaimed): Carves out small claims court actions and requests for injunctive or equitable relief related to unauthorized use, service abuse, or intellectual property infringement from the mandatory informal dispute resolution and arbitration requirements. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Exceptions.%20This%20section,infringement%20or%20misappropriation.%20 ### governing law disputes — risk unknown > CLASS AND JURY TRIAL WAIVERS. You and OpenAI agree that Disputes must be brought on an individual basis only, and may not be brought as a plaintiff or class member in any purported class, consolidated, or representative proceeding. Class arbitrations, class actions, and representative actions are prohibited. Only individual relief is available. The parties agree to sever and litigate in court any request for public injunctive relief after completing arbitration for the underlying claim and all other claims. This does not prevent either party from participating in a class-wide settlement. You and OpenAI knowingly and irrevocably waive any right to trial by jury in any action, proceeding, or counterclaim. - Interpretation (disclaimed): Prohibits class arbitrations, class actions, and representative actions, requiring disputes to be brought individually only, while preserving the right to participate in class-wide settlements and permitting court litigation for public injunctive relief after arbitration. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20CLASS%20AND%20JURY,proceeding%2C%20or%20counterclaim.%20 ### governing law disputes — risk unknown > Batch arbitration. If 25 or more claimants represented by the same or similar counsel file demands for arbitration raising substantially similar Disputes within 90 days of each other, then you and OpenAI agree that NAM will administer them in batches of up to 50 claimants each (“Batch”), unless there are less than 50 claimants in total or after batching, which will comprise a single Batch. NAM will administer each Batch as a single consolidated arbitration with one arbitrator, one set of arbitration fees, and one hearing held by videoconference or in a location decided by the arbitrator for each Batch. If any part of this section is found to be invalid or unenforceable as to a particular claimant or Batch, it will be severed and arbitrated in individual proceedings. - Interpretation (disclaimed): Establishes a batch arbitration procedure for mass filings, requiring NAM to group 25 or more substantially similar claims filed within 90 days into batches of up to 50 for consolidated arbitration proceedings. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Batch%20arbitration.%20If,in%20individual%20proceedings.%20 ### governing law disputes — risk unknown > Severability. If any part of these arbitration terms is found to be illegal or unenforceable, the remainder will remain in effect, except that if a finding of partial illegality or unenforceability would allow class arbitration, class action, or representative action, this entire dispute resolution section will be unenforceable in its entirety. - Interpretation (disclaimed): Establishes a severability clause specific to the arbitration terms, providing that if any part is found unenforceable, the remainder survives, except that the entire dispute resolution section is void if severance would permit class arbitration or representative action. - Tier: All - Location: Terms of Service › “Dispute resolution” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Severability.%20If%20any,in%20its%20entirety.%20 ### governing law disputes — risk unknown > Assignment. You may not assign or transfer any rights or obligations under these Terms and any attempt to do so will be void. We may assign our rights or obligations under these Terms to any affiliate, subsidiary, or successor in interest of any business associated with our Services. - Interpretation (disclaimed): Restricts users from assigning or transferring their rights or obligations under the Terms, while permitting OpenAI to assign its rights to affiliates, subsidiaries, or successors in interest. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Assignment.%20You%20may,with%20our%20Services.%20 ### governing law disputes — risk unknown > Changes to these Terms or our Services. We are continuously working to develop and improve our Services. We may update these Terms or our Services accordingly from time to time. For example, we may make changes to these Terms or the Services due to: - Interpretation (disclaimed): Establishes OpenAI's right to update the Terms or Services and provides examples of reasons for such changes, setting the procedural context for modifications to the contractual relationship. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Changes%20to%20these,Services%20due%20to%3A%20 ### governing law disputes — risk unknown > Delay in enforcing these Terms. Our failure to enforce a provision is not a waiver of our right to do so later. Except as provided in the dispute resolution section above, if any portion of these Terms is determined to be invalid or unenforceable, that portion will be enforced to the maximum extent permissible and it will not affect the enforceability of any other terms. - Interpretation (disclaimed): This segment addresses waiver and severability: it clarifies that failure to enforce a provision is not a permanent waiver of rights, and that an invalid or unenforceable provision will be enforced to the maximum extent possible without affecting the remainder of the Terms, limiting the legal effect of non-enforcement and partial invalidity. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Delay%20in%20enforcing,any%20other%20terms.%20 ### governing law disputes — risk unknown > Entire agreement. These Terms contain the entire agreement between you and OpenAI regarding the Services and, other than any Service-specific terms, supersedes any prior or contemporaneous agreements between you and OpenAI. - Interpretation (disclaimed): This segment defines the scope of the entire agreement between the parties, establishing that these Terms constitute the complete and superseding agreement regarding the Services and replacing any prior or contemporaneous agreements, which is an integration clause with definitional and incorporative legal effect. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Entire%20agreement.%20These,you%20and%20OpenAI.%20 ### governing law disputes — risk unknown > Governing law. California law will govern these Terms except for its conflicts of laws principles. Except as provided in the dispute resolution section above, all claims arising out of or relating to these Terms will be brought exclusively in the federal or state courts of San Francisco, California. - Interpretation (disclaimed): This segment designates California law as the governing law for the Terms and mandates exclusive jurisdiction in federal or state courts in San Francisco, California for all claims, imposing a binding forum-selection and choice-of-law obligation on both parties. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Governing%20law.%20California,San%20Francisco%2C%20California.%20 ### moderation enforcement — risk unknown > Keep minors safe . Children and teens deserve special protection. Our services are designed to prevent harm and support their well-being, and must never be used to exploit, endanger, or sexualize anyone under 18 years old. We report apparent child sexual abuse material and child endangerment to the National Center for Missing and Exploited Children. We prohibit use of our services for: child sexual abuse material (CSAM), whether or not any portion is AI generated grooming of minors exposing minors to age-inappropriate content, such as graphic self-harm, sexual, or violent content promoting unhealthy dieting or exercise behavior to minors shaming or otherwise stigmatizing the body type or appearance of minors dangerous challenges for minors underaged sexual or violent roleplay underaged access to age-restricted goods or activities - Interpretation (disclaimed): This segment restricts use of OpenAI services for any content or activity that exploits, endangers, or sexualizes minors, including CSAM and grooming, and discloses an obligation to report apparent CSAM to NCMEC, constituting both a use restriction and a mandatory reporting procedure. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Keep%20minors%20safe,goods%20or%20activities%20 ### moderation enforcement — risk unknown > Empower people . People should be able to make decisions about their lives and their communities. So we don’t allow our services to be used to manipulate or deceive people, to interfere with their exercise of human rights, to exploit people’s vulnerabilities, or to interfere with their ability to get an education or access critical services, including any use for: academic dishonesty deceit, fraud, scams, spam, or impersonation political campaigning, lobbying, foreign or domestic election interference, or demobilization activities automation of high-stakes decisions in sensitive areas without human review critical infrastructure education housing employment financial activities and credit insurance legal medical essential government services product safety components national security migration law enforcement - Interpretation (disclaimed): This segment prohibits use of OpenAI services to manipulate or deceive people, interfere with human rights, exploit vulnerabilities, or impede access to education and critical services, listing specific forbidden activities including academic dishonesty, fraud, election interference, and automation of high-stakes decisions without appropriate oversight. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Empower%20people%20.,migration%20law%20enforcement%20 ### moderation enforcement — risk unknown > 2025-10-29: We've updated our Usage Policies to reflect a universal set of policies across OpenAI products and services. 2025-01-29: We've updated our Universal Policies to clarify prohibitions under applicable laws. 2024-01-10: We've updated our Usage Policies to be clearer and provide more service-specific guidance. 2023-02-15: We’ve combined our use case and content policies into a single set of usage policies, and have provided more specific guidance on what activity we disallow in industries we’ve considered high risk. 2022-11-09: We no longer require you to register your applications with OpenAI. Instead, we'll be using a combination of automated and manual methods to monitor for policy violations. 2022-10-25: Updated App Review process (devs no longer need to wait for approval after submitting as long as they comply with our policies). Moved to an outcomes-based approach and updated Safety Best Practices. 2022-06-07: Refactored into categories of applications and corresponding requirements. 2022-03-09: Refactored into “App Review”. 2022-01-19: Simplified copywriting and article writing/editing guidelines. 2021-11-15: Addition of “Content guidelines” section; changes to bullets on almost always approved uses and disallowed uses; renaming document from “Use case guidelines” to “Usage guidelines”. 2021-08-04: Updated with information related to code generation. 2021-03-12: Added detailed case-by-case requirements; small copy and ordering edits. 2021-02-26: Clarified the impermissibility of Tweet and Instagram generators. - Interpretation (disclaimed): This segment documents the version history of the Usage Policies with dated amendments, which serves to incorporate and supersede prior versions, defines the temporal scope of each policy iteration, and clarifies what changes were made to operative restrictions and obligations over time. - Tier: All - Location: Usage Policy › “Changelog” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%202025-10-29%3A%20We've%20updated,and%20Instagram%20generators.%20 ### moderation enforcement — risk unknown > We aim for our tools to be used safely and responsibly, while maximizing your control over how you use them. In building our Usage Policies, we keep a few important things in mind. - Interpretation (disclaimed): This segment introduces the purpose and framing of the Usage Policies, defining OpenAI's intent to enable safe and responsible use while maximizing user control; it establishes the conceptual scope of the policy document that governs enforcement. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20We%20aim%20for,things%20in%20mind.%20 ### moderation enforcement — risk unknown > We empower users to innovate with AI . We build AI products that maximize helpfulness and freedom, while ensuring safety. Usage Policies are just one way we set clear expectations for the use of our products within a broader safety ecosystem that sets responsible guardrails across our services. You can learn more about our safety approach and our commitment to customizability, transparency, and intellectual freedom to explore, debate, and create with AI. - Interpretation (disclaimed): This segment defines the philosophy behind the Usage Policies — maximizing helpfulness and freedom while ensuring safety — and cross-references a broader safety ecosystem, clarifying the policy's role in governance and setting expectations that frame enforcement obligations. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20We%20empower%20users,create%20with%20AI.%20 ### moderation enforcement — risk unknown > Responsible use is a shared priority . We assume the very best of our users. Our terms and policies —including these Usage Policies—set a reasonable bar for acceptable use. Our rules are no substitute for legal requirements, professional duties, or ethical obligations that should influence how people use AI. We hold people accountable for inappropriate use of our services, and breaking or circumventing our rules and safeguards may mean you lose access to our systems or experience other penalties. - Interpretation (disclaimed): This segment imposes an obligation on users to comply with terms and policies as a baseline for acceptable use, explicitly states that users are held accountable for inappropriate use, and warns that breaking or circumventing rules and safeguards may result in loss of access or other penalties, constituting an enforcement obligation. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Responsible%20use%20is,experience%20other%20penalties.%20 ### moderation enforcement — risk unknown > We build with safety first . We monitor and enforce policies with privacy safeguards in place and clear review processes. We give developers practical moderation tools ⁠ (opens in a new window) and guidance so they can support their end users. We publish what our systems can and can’t do, share research and updates , and provide a simple way to report misuse . - Interpretation (disclaimed): This segment describes OpenAI's procedural commitments for policy monitoring and enforcement, including privacy safeguards, review processes, developer moderation tools, transparency publishing, and misuse reporting mechanisms. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20We%20build%20with,report%20misuse%20.%20 ### moderation enforcement — risk unknown > We update as we learn . People are using our systems in new ways every day, and we update our rules to ensure they are not overly restrictive or to better protect our users. We reserve all rights to withhold access where we reasonably believe it necessary to protect our service or users or anyone else. You can appeal ⁠ if you think we have made a mistake enforcing policy, and we will work to make things right. If you’d like to keep up with Usage Policies updates, complete this form . - Interpretation (disclaimed): This segment asserts OpenAI's reserved right to withhold access where necessary to protect its service or users, establishes a user right to appeal enforcement decisions, and describes a procedure for updating policies — combining a unilateral right of access restriction with a user remedy. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20We%20update%20as,this%20form%20.%20 ### moderation enforcement — risk unknown > Your use of OpenAI services must follow these Usage Policies: - Interpretation (disclaimed): This segment imposes a binding obligation on users, stating that their use of OpenAI services must comply with the Usage Policies that follow, making the subsequent restrictions and prohibitions contractually operative. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Your%20use%20of,these%20Usage%20Policies%3A%20 ### moderation enforcement — risk unknown > Protect people . Everyone has a right to safety and security. So you cannot use our services for: threats, intimidation, harassment, or defamation suicide, self-harm, or disordered eating promotion or facilitation sexual violence or non-consensual intimate content terrorism or violence, including hate-based violence weapons development, procurement, or use, including conventional weapons or CBRNE illicit activities, goods, or services destruction, compromise, or breach of another’s system or property, including malicious or abusive cyber activity or attempts to infringe on intellectual property rights of others real money gambling provision of tailored advice that requires a license, such as legal or medical advice, without appropriate involvement by a licensed professional unsolicited safety testing circumventing our safeguards national security or intelligence purposes without our review and approval - Interpretation (disclaimed): This segment enumerates specific prohibited uses of OpenAI services that harm people, including threats, harassment, defamation, self-harm promotion, sexual violence, terrorism, weapons development, illicit activities, and malicious cyber activity, constituting binding use restrictions. - Tier: All - Location: Usage Policy › “Usage policies” - Source: https://openai.com/policies/usage-policies - Snapshot SHA-256: `ac99512924b1bf6e38a8e71ff0a66948490ac9d1a6f96a9c1b097816003265a0` - Wayback: — - Deep link: https://openai.com/policies/usage-policies#:~:text=%20Protect%20people%20.,review%20and%20approval%20 ### moderation enforcement — risk unknown > Written claims concerning copyright infringement must include the following information: - Interpretation (disclaimed): Obligates copyright claimants to include specific required information in written copyright infringement claims, establishing the procedural prerequisites for a valid DMCA-style notice. - Tier: All - Location: Terms of Service › “Attn: General Counsel / Copyright Agent” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Written%20claims%20concerning,the%20following%20information%3A%20 ### moderation enforcement — risk unknown > What you cannot do. You may not use our Services for any illegal, harmful, or abusive activity. For example, you may not: - Interpretation (disclaimed): This segment introduces a general prohibition against illegal, harmful, or abusive activity when using the Services and signals enumerated examples to follow, establishing the primary use restriction framework. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20What%20you%20cannot,you%20may%20not%3A%20 ### moderation enforcement — risk unknown > Use our Services in a way that infringes, misappropriates or violates anyone’s rights. Modify, copy, lease, sell or distribute any of our Services. Attempt to or assist anyone to reverse engineer, decompile or discover the source code or underlying components of our Services, including our models, algorithms, or systems (except to the extent this restriction is prohibited by applicable law). Automatically or programmatically extract data or Output (defined below). Represent that Output was human-generated when it was not. Interfere with or disrupt our Services, including circumvent any rate limits or restrictions or bypass any protective measures or safety mitigations we put on our Services. Use Output to develop models that compete with OpenAI. - Interpretation (disclaimed): This segment enumerates specific prohibited activities including rights infringement, copying or distributing Services, reverse engineering, automated data extraction, misrepresenting AI-generated output as human-generated, and service disruption, constituting detailed use restrictions enforceable against users. - Tier: All - Location: Terms of Service › “Using our Services” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Use%20our%20Services,compete%20with%20OpenAI.%20 ### moderation enforcement — risk unknown > Termination. You are free to stop using our Services at any time. We reserve the right to suspend or terminate your access to our Services or delete your account if we determine: - Interpretation (disclaimed): Grants OpenAI the right to suspend, terminate access, or delete accounts, while also acknowledging the user's right to stop using the services at any time. - Tier: All - Location: Terms of Service › “Termination and suspension” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Termination.%20You%20are,if%20we%20determine%3A%20 ### moderation enforcement — risk unknown > You breached these Terms or our Usage Policies⁠ ⁠ . We must do so to comply with the law. Your use of our Services could cause risk or harm to OpenAI, our users, or anyone else. - Interpretation (disclaimed): Specifies three conditions (breach of Terms/Usage Policies, legal compliance, risk or harm) that trigger OpenAI's right or obligation to suspend or terminate user access. - Tier: All - Location: Terms of Service › “Termination and suspension” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20You%20breached%20these,or%20anyone%20else.%20 ### moderation enforcement — risk unknown > Appeals. If you believe we have suspended or terminated your account in error, you can file an appeal with us by contacting our Support team⁠ ⁠ (opens in a new window) . - Interpretation (disclaimed): Provides users with a procedural remedy to appeal account suspension or termination decisions by contacting the Support team, creating an administrative recourse mechanism. - Tier: All - Location: Terms of Service › “Termination and suspension” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Appeals.%20If%20you,new%20window)%20.%20 ### moderation enforcement — risk unknown > If you believe that your intellectual property rights have been infringed, please send notice to the address below or fill out this form ⁠ . We may delete or disable content that we believe violates these Terms or is alleged to be infringing and will terminate accounts of repeat infringers where appropriate. - Interpretation (disclaimed): Establishes the procedure for submitting intellectual property infringement notices, and grants OpenAI the right to delete or disable infringing content and terminate repeat infringers' accounts. - Tier: All - Location: Terms of Service › “Copyright complaints” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20If%20you%20believe,infringers%20where%20appropriate.%20 ### moderation enforcement — risk unknown > A physical or electronic signature of the person authorized to act on behalf of the owner of the copyright interest A description of the copyrighted work that you claim has been infringed upon A description of where the allegedly infringing material is located on our site so we can find it - Interpretation (disclaimed): Specifies the required elements of a copyright infringement notice including authorized signature, description of copyrighted work, and identification of infringing material location, establishing procedural requirements for valid claims. - Tier: All - Location: Terms of Service › “Attn: General Counsel / Copyright Agent” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20A%20physical%20or,can%20find%20it%20 ### moderation enforcement — risk unknown > A statement by you that you have a good-faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law A statement by you that the above information in your notice is accurate and, under penalty of perjury, that you are the copyright owner or authorized to act on the copyright owner’s behalf - Interpretation (disclaimed): Obligates the claimant to include a good-faith belief statement and a perjury-penalty accuracy statement in the copyright infringement notice, establishing legal accountability for the notice's contents. - Tier: All - Location: Terms of Service › “Your address, telephone number, and e-mail address” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20A%20statement%20by,copyright%20owner%E2%80%99s%20behalf%20 ### moderation enforcement — risk unknown > Changes to the law or regulatory requirements. Security or safety reasons. Circumstances beyond our reasonable control. Changes we make in the usual course of developing our Services. To adapt to new technologies. - Interpretation (disclaimed): This segment lists the permissible grounds (legal/regulatory changes, security, force majeure, product development, new technologies) that justify modifications to the Terms, functioning as exceptions that excuse OpenAI from standard change-notification obligations. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Changes%20to%20the,to%20new%20technologies.%20 ### tier differences — risk unknown > Our Business Terms⁠ ⁠ govern use of ChatGPT Enterprise, our APIs, and our other services for businesses and developers. - Interpretation (disclaimed): This segment distinguishes business/developer services (ChatGPT Enterprise, APIs) from individual services and incorporates Business Terms by reference, defining the scope boundary between consumer and enterprise tiers. - Tier: All - Location: Terms of Service › “Effective: January 1, 2026 ( Previous version ⁠ )” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Our%20Business%20Terms%E2%81%A0,businesses%20and%20developers.%20 ### tier differences — risk unknown > Billing. If you purchase any Services, you will provide complete and accurate billing information, including a valid payment method. For paid subscriptions, we will automatically charge your payment method on each agreed-upon periodic renewal until you cancel. You’re responsible for all applicable taxes, and we’ll charge tax when required. If your payment cannot be completed, we may downgrade your account or suspend your access to our Services until payment is received. - Interpretation (disclaimed): This segment imposes billing obligations on paid users (accurate payment information, automatic periodic charges, tax responsibility) and establishes OpenAI's right to downgrade or suspend accounts for non-payment, creating enforceable financial obligations tied to paid service tiers. - Tier: All - Location: Terms of Service › “Paid accounts” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Billing.%20If%20you,payment%20is%20received.%20 ### tier differences — risk unknown > Service credits. You can pay for some Services in advance by purchasing service credits. All service credits are subject to our Service Credit Terms⁠ ⁠ . - Interpretation (disclaimed): This segment defines the option to purchase service credits in advance and incorporates the Service Credit Terms by reference, governing a specific paid-tier payment mechanism. - Tier: All - Location: Terms of Service › “Paid accounts” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Service%20credits.%20You,Terms%E2%81%A0%20%E2%81%A0%20.%20 ### tier differences — risk unknown > Cancellation. You can cancel⁠ ⁠ (opens in a new window) your paid subscription at any time. Payments are non-refundable, except where required by law. These Terms do not override any mandatory local laws regarding your cancellation rights. - Interpretation (disclaimed): This segment grants users the right to cancel paid subscriptions at any time, states that payments are generally non-refundable except as required by law, and preserves mandatory local cancellation rights, balancing platform cancellation policy against applicable consumer protection laws. - Tier: All - Location: Terms of Service › “Paid accounts” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Cancellation.%20You%20can,your%20cancellation%20rights.%20 ### tier differences — risk unknown > Changes. We may change our prices from time to time. If we increase our subscription prices, we will give you at least 30 days’ notice and any price increase will take effect on your next renewal so that you can cancel if you do not agree to the price increase. - Interpretation (disclaimed): This segment establishes OpenAI's right to change prices and imposes a procedural obligation to provide at least 30 days' notice before subscription price increases, with price changes taking effect at the next renewal cycle, giving users an opportunity to cancel before being bound by new pricing. - Tier: All - Location: Terms of Service › “Paid accounts” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20Changes.%20We%20may,the%20price%20increase.%20 ### tier differences — risk unknown > We will give you at least 30 days advance notice of changes to these Terms that materially adversely impact you either via email or an in-product notification. All other changes will be effective as soon as we post them to our website. If you do not agree to the changes, you must stop using our Services. - Interpretation (disclaimed): This segment establishes the procedure for notifying users of material adverse changes (30 days advance notice via email or in-product notification), the effective date of other changes, and the consequence of non-acceptance (cessation of service use), creating a binding notice-and-acceptance mechanism. - Tier: All - Location: Terms of Service › “General Terms” - Source: https://openai.com/policies/terms-of-use - Snapshot SHA-256: `8723dc661c7b368af58307cefec344bc56f066add527e7c4c59aad500891b8be` - Wayback: — - Deep link: https://openai.com/policies/terms-of-use#:~:text=%20We%20will%20give,using%20our%20Services.%20 --- # GRC Risk Assessment — Microsoft Copilot - Platform: **Microsoft Copilot** (microsoft-copilot) - Headline risk rating: **HIGH** - Website: https://copilot.microsoft.com - Generated: 2026-06-14T10:29:58.255Z - Findings (verified, published): **96** > Every assertion is anchored to a verbatim quote with a SHA-256 snapshot hash and a Wayback archive URL for independent verification. Informational only; not legal advice. ## Control crosswalk (NIST AI RMF 1.0 + ISO/IEC 42001) | Surface | Risk | Confidence | NIST AI RMF | ISO/IEC 42001 | |---|---|---|---|---| | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | training use | unknown | high | MAP-2.3 / MEASURE-2.6 (data provenance & training use) | ISO 42001 A.7.4 (data for AI systems) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | medium | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | high | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | output ownership | unknown | medium | MAP-1.1 (IP & output rights) | ISO 42001 A.5.2 (AI policy / IP) | | commercial use | unknown | medium | MANAGE-1.3 (use limitations) | ISO 42001 A.9.2 (intended use) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | medium | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | privacy data use | unknown | high | MEASURE-2.10 (privacy risk) | ISO 42001 A.7.5 (privacy) | | data retention | unknown | medium | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | data retention | unknown | high | MANAGE-2.2 (data lifecycle) | ISO 42001 A.7.6 (data lifecycle) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | high | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | subprocessors data sharing | unknown | medium | MAP-4.1 (third-party/supply-chain) | ISO 42001 A.10.2 (third parties) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | medium | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | high | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | audit rights dpa residency | unknown | medium | GOVERN-2.1 (accountability, audit) | ISO 42001 A.6.2 (internal audit) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | indemnity liability | unknown | high | GOVERN-6.1 (liability allocation) | ISO 42001 A.9.4 (responsibilities) | | confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) | | confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) | | confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) | | confidentiality | unknown | high | MEASURE-2.7 (confidentiality) | ISO 42001 A.7.5 (information handling) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | governing law disputes | unknown | high | GOVERN-1.1 (legal/regulatory) | ISO 42001 A.5.2 (legal context) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | high | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | moderation enforcement | unknown | medium | MANAGE-4.1 (enforcement) | ISO 42001 A.9.3 (operation controls) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | high | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | | tier differences | unknown | medium | MAP-3.4 (context of use by tier) | ISO 42001 A.9.2 (intended use) | ## Evidence (verbatim, with provenance) ### training use — risk unknown > Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot. - Interpretation (disclaimed): This segment explicitly restricts the use of prompts, responses, and Microsoft Graph data by prohibiting their use to train foundation LLMs, including those used by Microsoft 365 Copilot, thereby limiting how customer data may be used for model improvement. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Prompts%2C%20responses%2C%20and,by%20Microsoft%20365%20Copilot. ### training use — risk unknown > Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot. - Interpretation (disclaimed): This segment expressly restricts the use of prompts, responses, and data accessed through Microsoft Graph, stating they are not used to train foundation LLMs including those used by Microsoft 365 Copilot, creating a binding data-use limitation. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Prompts%2C%20responses%2C%20and,by%20Microsoft%20365%20Copilot. ### training use — risk unknown > We may use customer feedback, which is optional, to improve Microsoft 365 Copilot, just like we use customer feedback to improve other Microsoft 365 services and Microsoft 365 productivity apps. We don't use this feedback to train the foundation LLMs used by Microsoft 365 Copilot. Customers can manage feedback through admin controls. For more information, see Manage Microsoft feedback for your organization and Providing feedback about Microsoft Copilot with Microsoft 365 apps . - Interpretation (disclaimed): This segment restricts the use of optional customer feedback, stating it will not be used to train foundation LLMs used by Microsoft 365 Copilot, while permitting its use to improve Copilot services, and grants admins the right to manage feedback through admin controls. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20may%20use,Microsoft%20365%20apps%20. ### training use — risk unknown > Your personal data collected from the use of connected experiences in Microsoft 365 isn’t used to train large language models (LLMs), including those used by Microsoft 365 Copilot. - Interpretation (disclaimed): Explicitly restricts Microsoft from using personal data collected from connected experiences in Microsoft 365 to train large language models, including those used by Microsoft 365 Copilot. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20personal%20data,by%20Microsoft%20365%20Copilot. ### training use — risk unknown > By combining data and context, Work IQ helps tailor Copilot and agents with specialized instructions that optimize them for specific tasks. - Interpretation (disclaimed): This segment describes how Work IQ combines data and context to generate specialized instructions that tailor Copilot and agents for specific tasks — defining the mechanism by which user data is used to train or tune AI model behavior, implicating training-use obligations and restrictions. - Tier: All - Location: “Skills and tools” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20By%20combining%20data,for%20specific%20tasks.%20 ### output ownership — risk unknown > We don’t own Your Content, but we may use Your Content to operate Copilot and improve it. By using Copilot, you grant us permission to use Your Content, which means we can copy, distribute, transmit, publicly display, publicly perform, edit, translate, and reformat it, and we can give those same rights to others who work on our behalf. We get to decide whether to use Your Content, and we don’t have to pay you, ask your permission, or tell you when we do. But that doesn’t mean we can use it however we want. The Microsoft Privacy Statement explains how we use Your Content, and the privacy options in Copilot give you control over some of those uses. We can decide to remove or stop using Your Content at any time for any reason. By sharing Your Content with Copilot, you promise us that you have all rights to Your Content and that if we use Your Content, we won’t be violating someone else’s rights. Although our Terms grant you permission to use Copilot, we are not granting you any rights in the underlying technology, intellectual property, or data that makes up Copilot. - Interpretation (disclaimed): This segment addresses content ownership by stating Microsoft does not own user content but grants itself a broad license to copy, distribute, transmit, display, perform, edit, translate, and reformat user content and to sublicense these rights to third parties, establishing the scope of Microsoft's license to user-submitted Prompts and related content. - Tier: All - Location: Terms of Service › “OWNERSHIP OF CONTENT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We%20don%E2%80%99t%20own,that%20makes%20up%20Copilot. ### output ownership — risk unknown > Can I trust the content that Microsoft 365 Copilot creates? Who owns that content? - Interpretation (disclaimed): This segment frames questions about trustworthiness of Copilot-created content and ownership of that content, signaling the output ownership surface addressed in the document. - Tier: All - Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Can%20I%20trust,owns%20that%20content%3F%20 ### output ownership — risk unknown > The responses that generative AI produces aren't guaranteed to be 100% factual. While we continue to improve responses, users should still use their judgment when reviewing the output before sending them to others. Our Microsoft 365 Copilot capabilities provide useful drafts and summaries to help you achieve more while giving you a chance to review the generated AI rather than fully automating these tasks. - Interpretation (disclaimed): Disclaims that generative AI responses are not guaranteed to be 100% factual and places responsibility on users to review output before use, limiting Microsoft's liability for accuracy of generated content. - Tier: All - Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20responses%20that,fully%20automating%20these%20tasks. ### output ownership — risk unknown > Microsoft doesn't claim ownership of the output of the service. That said, we don't make a determination on whether a customer's output is copyright protected or enforceable against other users. This is because generative AI systems may produce similar responses to similar prompts or queries from multiple customers. Consequently, multiple customers may have or claim rights in content that is the same or substantially similar. - Interpretation (disclaimed): Disclaims Microsoft's ownership of service output and disclaims any determination on whether customer output is copyright-protected or enforceable against others, noting that similar outputs may be generated for multiple customers. - Tier: All - Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20doesn't%20claim,same%20or%20substantially%20similar. ### output ownership — risk unknown > Quickly turn your ideas into designed content, videos, podcasts, or surveys—or edit what you already have. Get started easily with a prompt, a template, or your company brand kit. - Interpretation (disclaimed): This segment describes the Create feature allowing users to turn ideas into designed content, videos, podcasts, or surveys — defining the types of AI-generated outputs produced, which is relevant to output ownership classification regarding who holds rights over AI-created works. - Tier: All - Location: “Create” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Quickly%20turn%20your,company%20brand%20kit.%20 ### commercial use — risk unknown > Create or customize agents for specific tasks or workflows with Copilot Studio. You can start from a template or build from scratch using natural language. - Interpretation (disclaimed): This segment describes Copilot Studio as a tool allowing users to create or customize agents for specific tasks using natural language or templates, defining the scope of permissible commercial use and customization rights granted to subscribers. - Tier: All - Location: “Learn more” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Create%20or%20customize,using%20natural%20language.%20 ### privacy data use — risk unknown > Microsoft 365 Copilot, including Microsoft 365 Copilot Search , is compliant with our existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary. - Interpretation (disclaimed): This segment states that Microsoft 365 Copilot, including Copilot Search, is compliant with existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including GDPR and the EU Data Boundary, thereby imposing a compliance obligation on Microsoft with respect to customer data processing. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot%2C,Union%20(EU)%20Data%20Boundary. ### privacy data use — risk unknown > How does Microsoft 365 Copilot use your proprietary organizational data? - Interpretation (disclaimed): This segment poses the question of how Microsoft 365 Copilot uses proprietary organizational data, framing the scope of the data use discussion but not itself imposing a legal obligation; however it signals the surface area of data use rights addressed in the document. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,proprietary%20organizational%20data%3F%20 ### privacy data use — risk unknown > How does Microsoft 365 Copilot protect organizational information and data? - Interpretation (disclaimed): This segment poses the question of how Copilot protects organizational information and data, framing a section on data protection obligations without itself being a binding clause. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,information%20and%20data%3F%20 ### privacy data use — risk unknown > How does Microsoft 365 Copilot meet regulatory compliance requirements? - Interpretation (disclaimed): This segment frames a question about how Microsoft 365 Copilot meets regulatory compliance requirements, introducing the compliance discussion but not itself imposing a legal obligation. - Tier: All - Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20How%20does%20Microsoft,regulatory%20compliance%20requirements%3F%20 ### privacy data use — risk unknown > Do privacy controls for connected experiences in Microsoft 365 Apps apply to Microsoft 365 Copilot? - Interpretation (disclaimed): This segment frames a question about whether privacy controls for connected experiences in Microsoft 365 Apps apply to Copilot, introducing the applicability of privacy controls without independently establishing obligations. - Tier: All - Location: Privacy Policy › “What extensibility options are available for Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Do%20privacy%20controls,Microsoft%20365%20Copilot%3F%20 ### privacy data use — risk unknown > Microsoft 365 Copilot provides value by connecting LLMs to your organizational data. Microsoft 365 Copilot accesses content and context through Microsoft Graph. It can generate responses anchored in your organizational data, such as user documents, emails, calendar, chats, meetings, and contacts. Microsoft 365 Copilot combines this content with the user's working context, such as the meeting a user is in now, the email exchanges the user had on a topic, or the chat conversations the user had last week. Microsoft 365 Copilot uses this combination of content and context to help provide accurate, relevant, and contextual responses. - Interpretation (disclaimed): This segment defines how Microsoft 365 Copilot accesses and combines organizational data (documents, emails, calendar, chats, meetings, contacts) through Microsoft Graph to generate responses, establishing the scope of data processing activities. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot use your proprietary organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,relevant%2C%20and%20contextual%20responses. ### privacy data use — risk unknown > Microsoft 365 Copilot only surfaces organizational data to which individual users have at least view permissions. It's important that you're using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization. This includes permissions you give to users outside your organization through inter-tenant collaboration solutions, such as shared channels in Microsoft Teams . - Interpretation (disclaimed): This segment restricts Microsoft 365 Copilot to surfacing only organizational data to which individual users have at least view permissions, and instructs organizations to rely on Microsoft 365 permission models to enforce access controls, imposing a data access boundary obligation. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,in%20Microsoft%20Teams%20. ### privacy data use — risk unknown > When you enter prompts using Microsoft 365 Copilot, the information contained within your prompts, the data they retrieve, and the generated responses remain within the Microsoft 365 service boundary, in keeping with our current privacy, security, and compliance commitments. Microsoft 365 Copilot uses Azure OpenAI services for processing, not OpenAI's publicly available services. Azure OpenAI doesn't cache customer content and Copilot modified prompts for Microsoft 365 Copilot. For more information, see the Data stored about user interactions with Microsoft 365 Copilot section later in this article. - Interpretation (disclaimed): This segment imposes an obligation that prompts, retrieved data, and generated responses remain within the Microsoft 365 service boundary consistent with privacy, security, and compliance commitments, and specifies that Azure OpenAI (not public OpenAI) is used for processing and does not cache customer content. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you%20enter,later%20in%20this%20article. ### privacy data use — risk unknown > When you're using web search, Microsoft 365 Copilot parses the user's prompt and identifies terms where web search would improve the quality of the response. Based on these terms, Copilot generates a search query that it sends to the Bing Search service. For more information, Data, privacy, and security for web queries in Microsoft 365 Copilot and Microsoft 365 Copilot Chat . - Interpretation (disclaimed): This segment describes the procedure by which Microsoft 365 Copilot processes user prompts for web search, generating search queries sent to Bing Search service, and references further detail on data, privacy, and security for web queries. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you're%20using,365%20Copilot%20Chat%20. ### privacy data use — risk unknown > When agents are enabled, Microsoft 365 Copilot determines whether it needs to use a specific agent to help provide a relevant response to the user. If an agent is needed, Microsoft 365 Copilot generates a search query to send to the agent on the user's behalf. The query is based on the user's prompt, Copilot activity history, and data the user has access to in Microsoft 365. - Interpretation (disclaimed): This segment describes the procedure by which Microsoft 365 Copilot determines whether to invoke an agent and generates a search query on the user's behalf based on prompt, activity history, and accessible data, defining the data processing flow for agent interactions. - Tier: All - Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20agents%20are,to%20in%20Microsoft%20365. ### privacy data use — risk unknown > The permissions model within your Microsoft 365 tenant can help ensure that data won't unintentionally leak between users, groups, and tenants. Microsoft 365 Copilot presents only data that each individual can access using the same underlying controls for data access used in other Microsoft 365 services. Semantic Index honors the user identity-based access boundary so that the grounding process only accesses content that the current user is authorized to access. For more information, see Microsoft's privacy policy and service documentation . - Interpretation (disclaimed): This segment imposes an obligation that Microsoft 365 Copilot presents only data each individual user can access using the same underlying access controls as other Microsoft 365 services, and that Semantic Index honors user identity-based access boundaries during grounding, restricting data surfacing to authorized content only. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20permissions%20model,and%20service%20documentation%20. ### privacy data use — risk unknown > Your control over your data is reinforced by Microsoft's commitment to comply with broadly applicable privacy laws, such as the GDPR, and privacy standards, such as ISO/IEC 27018, the world's first international code of practice for cloud privacy. - Interpretation (disclaimed): Establishes Microsoft's obligation to comply with broadly applicable privacy laws (GDPR) and privacy standards (ISO/IEC 27018), reinforcing customer control over their data. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20control%20over,practice%20for%20cloud%20privacy. ### privacy data use — risk unknown > Microsoft continues to adapt and respond to fulfill AI regulatory requirements as they evolve, so we earn and keep the trust of customers, partners, and regulators. - Interpretation (disclaimed): States Microsoft's commitment (obligation) to adapt and respond to fulfil evolving AI regulatory requirements, establishing an ongoing duty to maintain regulatory compliance. - Tier: All - Location: Privacy Policy › “Meeting regulatory compliance requirements” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20continues%20to,customers%2C%20partners%2C%20and%20regulators. ### privacy data use — risk unknown > Microsoft 365 Copilot provides broad compliance offerings and certifications, including GDPR , ISO 27001 , HIPAA , and the ISO 42001 standard for AI management systems . These help support our customers on their compliance journeys, complemented by features such as contractual readiness, built-in information and communication technology risk management, and operational resilience tooling. - Interpretation (disclaimed): Lists compliance offerings and certifications (GDPR, ISO 27001, HIPAA, ISO 42001) that Microsoft 365 Copilot provides, establishing contractual readiness obligations supporting customers' compliance journeys. - Tier: All - Location: Privacy Policy › “Meeting regulatory compliance requirements” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,and%20operational%20resilience%20tooling. ### privacy data use — risk unknown > Microsoft is committed to complying with all laws and regulations applicable to Microsoft, including the EU AI Act, to enable our AI solutions to meet evolving standards for trustworthy and responsible AI. Microsoft 365 Copilot is built on top of Microsoft's existing commitments to data security and privacy . There's no change to these commitments. Copilot is integrated into Microsoft 365 and adheres to existing privacy, security, and compliance commitments to Microsoft 365 customers. - Interpretation (disclaimed): Affirms Microsoft's obligation to comply with applicable laws including the EU AI Act and reaffirms that existing data security and privacy commitments to Microsoft 365 customers remain unchanged for Copilot. - Tier: All - Location: Privacy Policy › “Meeting regulatory compliance requirements” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20is%20committed,to%20Microsoft%20365%20customers. ### privacy data use — risk unknown > Work IQ is the unique intelligence layer behind Microsoft 365 Copilot and agents that helps Copilot know you, your job and your company—connecting individual and organizational knowledge to deliver intelligence built just for you and the flow of your work. - Interpretation (disclaimed): This segment defines 'Work IQ' as an intelligence layer that connects individual and organizational knowledge — including emails, files, meetings, chats, and transactions — to personalize Copilot outputs, establishing the scope of data processing and the nature of the system's use of user and organizational data. - Tier: All - Location: “Microsoft 365 Copilot,” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20is,of%20your%20work.%20 ### privacy data use — risk unknown > Work IQ starts with your work and business data—all the rich knowledge in your emails, files, meetings, chats, and transactions—capturing how work gets done across your organization. - Interpretation (disclaimed): This segment specifies that Work IQ processes emails, files, meetings, chats, and transactions to capture organizational work patterns, defining the categories of personal and business data used by the platform — directly relevant to privacy/data-use classification. - Tier: All - Location: “Data” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20starts,across%20your%20organization.%20 ### privacy data use — risk unknown > Work IQ uses memory to learn from your unique style, preferences, and habits, adapting to your patterns over time. - Interpretation (disclaimed): This segment states that Work IQ uses memory to learn from a user's unique style, preferences, and habits over time — describing persistent data retention and behavioral profiling of individual users, which carries implications for privacy and data-use rights. - Tier: All - Location: “Context” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Work%20IQ%20uses,patterns%20over%20time.%20 ### privacy data use — risk unknown > Supercharge productivity, streamline tasks, and uncover insights in seconds with secure AI chat powered by Work IQ. It works across Microsoft apps and gives everyone access to agents—all in the flow of work. - Interpretation (disclaimed): This segment describes the AI chat feature as 'secure' and powered by Work IQ, working across Microsoft apps — defining the scope of data access and the security representation associated with the chat functionality, relevant to privacy and data-use characterization. - Tier: All - Location: “Chat” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Supercharge%20productivity%2C%20streamline,flow%20of%20work.%20 ### privacy data use — risk unknown > Describe what you’re looking for—as a question, phrase, or command—and find it fast with AI-powered enterprise search. With Work IQ, it goes beyond keywords to surface the right results from your work content and apps. - Interpretation (disclaimed): This segment describes AI-powered enterprise search that uses Work IQ to surface results from the user's work content and apps, defining the scope of data queried and processed by the search feature — relevant to privacy and data-use classification. - Tier: All - Location: “Search” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Describe%20what%20you%E2%80%99re,content%20and%20apps.%20 ### privacy data use — risk unknown > Bring together your Copilot chats, files, meeting notes, and project materials—then build on it. Copilot Notebooks helps you organize and analyze your content, and even create something new from it. You can also get AI-generated podcast-style summaries of your content to help you quickly catch up. - Interpretation (disclaimed): This segment describes Copilot Notebooks as aggregating Copilot chats, files, meeting notes, and project materials to organize, analyze, and generate new content — defining the scope of data retention and reuse within the Notebooks feature, relevant to privacy and data-use obligations. - Tier: All - Location: “Notebooks” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Bring%20together%20your,quickly%20catch%20up.%20 ### privacy data use — risk unknown > You own your data—and we help keep it that way. Prompts, inputs, and responses are never used to train the models. - Interpretation (disclaimed): This segment expressly states that the customer owns their data and imposes a restriction on Microsoft prohibiting the use of prompts, inputs, and responses to train the underlying models, which is a core operative limitation on training use. - Tier: All - Location: “Built-in data privacy” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20You%20own%20your,train%20the%20models.%20 ### data retention — risk unknown > What data is stored about user interactions with Microsoft 365 Copilot? - Interpretation (disclaimed): This segment frames the question of what data is stored about user interactions with Microsoft 365 Copilot, signaling the retention and storage scope addressed in the document. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20What%20data%20is,Microsoft%20365%20Copilot%3F%20 ### data retention — risk unknown > When a user interacts with Microsoft 365 Copilot (using apps such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt and Copilot's response, including citations to any information used to ground Copilot's response. We refer to the user's prompt and Copilot's response to that prompt as the "content of interactions" and the record of those interactions is the user's Copilot activity history. For example, this stored data provides users with Copilot activity history in Microsoft 365 Copilot Chat (previously named Business Chat) and meetings in Microsoft Teams . This data is processed and stored in alignment with contractual commitments with your organization's other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft 365 Copilot. - Interpretation (disclaimed): This segment imposes an obligation to store data about user interactions with Microsoft 365 Copilot, defining the scope of stored data as including user prompts, Copilot responses, and citations, and defines 'content of interactions' and 'Copilot activity history' as operative terms. - Tier: All - Location: Privacy Policy › “Data stored about user interactions with Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20a%20user,by%20Microsoft%20365%20Copilot. ### data retention — risk unknown > Your users can delete their Copilot activity history, which includes their prompts and the responses Copilot returns, by going to the My Account portal . For more information, see Delete your Microsoft 365 Copilot activity history . - Interpretation (disclaimed): This segment grants users the right to delete their Copilot activity history, including prompts and responses, through the My Account portal, establishing a user-exercisable deletion right over stored interaction data. - Tier: All - Location: Privacy Policy › “Deleting the history of user interactions with Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Your%20users%20can,Copilot%20activity%20history%20. ### subprocessors data sharing — risk unknown > You also authorize the third party to share information about you with us (“ Third Party Content ”). We aren’t responsible for any errors or omissions in Third Party Content, including information about you that may be wrong or otherwise incorrect. If you have questions about or disagree with the information that a third party provided to Copilot Health, you must address it with the third party. We do not control Third Party Content, so we are not responsible for any loss or damage that may result from your use of Third Party Content in Copilot Health. - Interpretation (disclaimed): This segment authorizes third parties to share user information with Microsoft ('Third Party Content'), disclaims responsibility for errors or inaccuracies in such third-party data, and disclaims liability for loss or damage resulting from use of Third Party Content, addressing third-party data sharing and associated liability limitations. - Tier: All - Location: Terms of Service › “COPILOT HEALTH” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=You%20also%20authorize%20the,Content%20in%20Copilot%20Health. ### subprocessors data sharing — risk unknown > Anthropic models within Microsoft 365 Copilot experiences are provided under the Microsoft Product Terms and Data Protection Addendum. Learn more about Anthropic's safeguards. - Interpretation (disclaimed): This segment specifies that Anthropic models within Microsoft 365 Copilot are provided under the Microsoft Product Terms and Data Protection Addendum and references Anthropic's safeguards, incorporating those governing terms by reference for subprocessor data handling. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20models%20within,about%20Anthropic's%20safeguards.%20 ### subprocessors data sharing — risk unknown > Anthropic is a subprocessor for Microsoft 365 Copilot. For more information, see Anthropic as a subprocessor for Microsoft Online Services . - Interpretation (disclaimed): This segment discloses that Anthropic is a named subprocessor for Microsoft 365 Copilot and incorporates by reference further information about Anthropic's role as a subprocessor for Microsoft Online Services, creating a subprocessor transparency obligation. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20is%20a,Microsoft%20Online%20Services%20. ### subprocessors data sharing — risk unknown > When you're using agents to help Microsoft 365 Copilot to provide more relevant information, check the privacy statement and terms of use of the agent to determine how it will handle your organization's data. For more information, see Extensibility of Microsoft 365 Copilot . - Interpretation (disclaimed): This segment directs users to review the privacy statement and terms of use of any agent used with Microsoft 365 Copilot to understand how that agent handles organizational data, establishing a due-diligence procedure for third-party data handling disclosures. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you're%20using,Microsoft%20365%20Copilot%20. ### subprocessors data sharing — risk unknown > We may deploy other AI models for Microsoft 365 Copilot to use that are hosted and operated by Microsoft. These models are governed by the same contractual and data protection commitments already in place, including that no data leaves Microsoft. For more information about models that may be used by Copilot, see Understanding AI functionality and models in Microsoft Online Services . - Interpretation (disclaimed): This segment discloses that Microsoft may deploy additional AI models hosted and operated by Microsoft for Copilot use, and imposes an obligation that these models are governed by the same contractual and data protection commitments already in place, including a restriction that no data leaves Microsoft. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20may%20deploy,Microsoft%20Online%20Services%20. ### subprocessors data sharing — risk unknown > While Microsoft 365 Copilot is already able to use the apps and data within the Microsoft 365 ecosystem, many organizations still depend on various external tools and services for work management and collaboration. Microsoft 365 Copilot experiences can reference third-party tools and services when responding to a user's request by using Microsoft Graph connectors or agents. Data from Graph connectors can be returned in Microsoft 365 Copilot responses if the user has permission to access that information. - Interpretation (disclaimed): This segment discloses that Microsoft 365 Copilot can reference third-party tools and services via Graph connectors or agents, and that data from Graph connectors may be returned in Copilot responses subject to the user's access permissions, establishing third-party data sharing scope. - Tier: All - Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20While%20Microsoft%20365,to%20access%20that%20information. ### subprocessors data sharing — risk unknown > Manage agents for Microsoft 365 Copilot in the Microsoft 365 admin center - Interpretation (disclaimed): This segment incorporates by reference the article on managing agents for Microsoft 365 Copilot in the admin center, which governs third-party agent data sharing and admin control procedures. - Tier: All - Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Manage%20agents%20for,365%20admin%20center%20 ### subprocessors data sharing — risk unknown > Add agents to Copilot that automate common tasks or work on your behalf. Ready-to-use agents—from Microsoft and trusted partners—are available in the Agent Store. Agents tap into Work IQ and are tuned for your unique workflows and business needs. - Interpretation (disclaimed): This segment describes agents from Microsoft and trusted partners available in the Agent Store that tap into Work IQ — implicitly identifying third-party partners as entities that access organizational data through agents, which is relevant to subprocessor and data-sharing classification. - Tier: All - Location: “Next” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Add%20agents%20to,and%20business%20needs.%20 ### audit rights dpa residency — risk unknown > Anthropic models are out of scope for the EU Data Boundary and when available, in-country LLM processing commitments. For more information, see Anthropic as a subprocessor for Microsoft Online Services . - Interpretation (disclaimed): This segment creates an exception by stating that Anthropic models are outside the scope of the EU Data Boundary and in-country LLM processing commitments, and cross-references further information about Anthropic as a subprocessor, establishing a data residency carve-out. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Anthropic%20models%20are,Microsoft%20Online%20Services%20. ### audit rights dpa residency — risk unknown > What data residency commitments does Microsoft 365 Copilot make? - Interpretation (disclaimed): This segment frames the question of what data residency commitments Microsoft 365 Copilot makes, introducing the residency commitments discussed in the document. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20What%20data%20residency,365%20Copilot%20make%3F%20 ### audit rights dpa residency — risk unknown > To view and manage this stored data, admins can use Content search or Microsoft Purview. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. For more information, see the following articles: - Interpretation (disclaimed): This segment grants admins the right to view and manage stored interaction data using Content Search or Microsoft Purview, and grants admins the right to set retention policies for Copilot chat interaction data, referencing further procedural articles. - Tier: All - Location: Privacy Policy › “Data stored about user interactions with Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20To%20view%20and,see%20the%20following%20articles%3A ### audit rights dpa residency — risk unknown > Microsoft Purview data security and compliance protections for generative AI apps - Interpretation (disclaimed): This segment incorporates by reference the Microsoft Purview data security and compliance protections article as governing the management of generative AI app data including Copilot interactions. - Tier: All - Location: Privacy Policy › “Overview of Content search” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20Purview%20data,generative%20AI%20apps%20 ### audit rights dpa residency — risk unknown > For Microsoft Teams chats with Copilot, admins can also use Microsoft Teams Export APIs to view the stored data. - Interpretation (disclaimed): This segment grants admins the additional right to use Microsoft Teams Export APIs to view stored Copilot interaction data for Microsoft Teams chats, expanding the set of tools available for data access and audit. - Tier: All - Location: Privacy Policy › “Learn about retention for Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20Microsoft%20Teams,view%20the%20stored%20data. ### audit rights dpa residency — risk unknown > Microsoft 365 Copilot calls to the LLM are routed to the closest data centers in the region, but also can call into other regions where capacity is available during high utilization periods. - Interpretation (disclaimed): This segment discloses that LLM calls are routed to the closest regional data centers but may also route to other regions during high utilization, informing customers of potential cross-region data routing relevant to data residency obligations. - Tier: All - Location: Privacy Policy › “Microsoft 365 Copilot and the EU Data Boundary” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,during%20high%20utilization%20periods. ### audit rights dpa residency — risk unknown > For European Union (EU) users, we have additional safeguards to comply with the EU Data Boundary . EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing. - Interpretation (disclaimed): This segment imposes an obligation to keep EU user traffic within the EU Data Boundary as an additional safeguard for EU users, while disclosing that worldwide traffic may be sent to the EU and other regions for LLM processing. - Tier: All - Location: Privacy Policy › “Microsoft 365 Copilot and the EU Data Boundary” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20European%20Union,regions%20for%20LLM%20processing. ### audit rights dpa residency — risk unknown > Microsoft 365 Copilot is upholding data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum. Microsoft 365 Copilot was added as a covered workload in the data residency commitments in Microsoft Product Terms on March 1, 2024. - Interpretation (disclaimed): This segment imposes an obligation that Microsoft 365 Copilot upholds data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum, and incorporates those instruments by reference, noting Copilot was added as a covered workload on March 1, 2024. - Tier: All - Location: Privacy Policy › “Microsoft 365 Copilot and data residency” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,on%20March%201%2C%202024. ### audit rights dpa residency — risk unknown > Microsoft Advanced Data Residency (ADR) and Multi-Geo Capabilities offerings include data residency commitments for Microsoft 365 Copilot customers as of March 1, 2024. For EU customers, Microsoft 365 Copilot is an EU Data Boundary service. Customers outside the EU may have their queries processed in the US, EU, or other regions. - Interpretation (disclaimed): This segment specifies data residency commitments under Microsoft Advanced Data Residency and Multi-Geo Capabilities for Copilot customers as of March 1, 2024, designates Copilot as an EU Data Boundary service for EU customers, and discloses that non-EU customers may have queries processed in the US, EU, or other regions. - Tier: All - Location: Privacy Policy › “Microsoft 365 Copilot and data residency” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20Advanced%20Data,EU%2C%20or%20other%20regions. ### audit rights dpa residency — risk unknown > Additionally, we prioritize open dialogue with our partners and regulatory authorities. We provide customers with direct access to Microsoft compliance professionals, proactive guidance, and curated solutions to help navigate regulatory compliance, such as the Microsoft 365 Copilot & Copilot Chat Risk Assessment Quickstart . Our approach in the AI-driven landscape aims to empower organizations to innovate confidently with solutions built with transparency, privacy, and security in mind. - Interpretation (disclaimed): States Microsoft's obligation to provide customers with direct access to compliance professionals, proactive guidance, and curated solutions for navigating regulatory compliance, constituting a service-level commitment. - Tier: All - Location: Privacy Policy › “Meeting regulatory compliance requirements” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Additionally%2C%20we%20prioritize,and%20security%20in%20mind. ### indemnity liability — risk unknown > Copilot is an AI-powered conversational service. Copilot will generate Responses to Prompts you submit and may also offer you Responses directly in your ongoing conversations or for things you have asked Copilot to remember. Copilot tries to give you good answers, but it can make mistakes. Sometimes, the sources Copilot uses may not be reliable, relevant, or accurate, and sometimes, Copilot may give you wrong information. When responding, Copilot may use information it finds on the internet, and we don’t control that content. You might see Responses that seem convincing but are incomplete, inaccurate, or inappropriate. Always use your judgment and check the information you get from Copilot before you make decisions or act. Carefully review Responses and Creations before sharing them so you’re not exposing personal information you wouldn’t want others to see. If you see something wrong or inappropriate from Copilot, use the Report or Feedback features in Copilot to let us know. If you have a legal concern about something Copilot says, please use the Report a Concern page to tell us. Because of the way Copilot works, the Responses you get from Copilot may not be unique to you. Copilot may give the same or similar Responses and Creations to Microsoft, or to other people. Other people may send similar Prompts as yours, and they could get the same, similar, or different Responses and Creations. By using Copilot, you’re telling us that: You’ve read, understood, and agree to these Terms, and will abide by the Code of Conduct (below). You’ll use Copilot only in lawful ways and in compliance with all applicable laws. You won’t use Copilot to violate our or anyone else’s rights. - Interpretation (disclaimed): This segment disclaims the reliability and accuracy of Copilot's Responses, warns that outputs may be wrong or incomplete, and notes that Microsoft does not control internet content used in Responses, limiting Microsoft's liability for inaccurate or misleading outputs. - Tier: All - Location: Terms of Service › “HOW YOU USE COPILOT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Copilot%20is%20an,or%20anyone%20else%E2%80%99s%20rights. ### indemnity liability — risk unknown > Depending on your location and other factors, we may offer you the opportunity to browse, shop and buy certain products through Copilot. If you use Copilot to buy something, it’s sold and shipped by a third party (“ Merchant ”), not by us. We don’t process payments for your purchases through Copilot. Anything you buy with Copilot is subject to the Merchant’s terms and conditions (including pricing, fees, and shipping, cancellation, and refund policies). You are responsible for reading and complying with the Merchant’s terms that apply to your purchase, including how the Merchant collects and uses your personal information under its privacy policy. We aren’t responsible or liable for any dispute between you and the Merchant about your purchase. If you have any disputes or questions about any product you purchase through Copilot, you must address it directly with the Merchant. If you have disputes or questions about your payment for the product, you must address it with your payment issuer, bank, or wallet provider. We collect, store, use, and share your personal information, including your payment information and purchases you make, in accordance with the Microsoft Privacy Statement . You authorize each Merchant to share with us information about you and your purchase, and for us to send information (including your personal information and transaction details) to the Merchant, the Merchant’s payment processor, our payment processor, or other third party necessary to complete your purchase. - Interpretation (disclaimed): This segment clarifies that purchases through Copilot are fulfilled by third-party Merchants (not Microsoft), that Microsoft does not process payments, and that users are responsible for Merchant terms and conditions, limiting Microsoft's liability for third-party commercial transactions conducted through Copilot. - Tier: All - Location: Terms of Service › “SHOPPING EXPERIENCES” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Depending%20on%20your,to%20complete%20your%20purchase. ### indemnity liability — risk unknown > Copilot may include advertising. Copilot may include both automated and manual (human) processing of data. You shouldn’t share any information with Copilot that you don’t want us to review. We plan to continue to develop and improve Copilot, but we make no guarantees or promises about how Copilot will operate or that it will operate as intended. Sometimes, we may offer certain features or services as part of “Copilot Labs.” These features and services are highly experimental and may not always work as intended. We may add, modify, or remove features or services from Copilot Labs at any time for any reason. We may limit the speed or performance of Copilot as we think necessary. When you request that Copilot take Actions on your behalf, you are solely responsible for those Actions and any results or consequences. Copilot can make mistakes, and it may not work as intended. Do not use Copilot as a substitute for professional advice. Always verify the accuracy of information presented by Copilot before you rely on it. We are not responsible for any consequences that arise from your use of or reliance on Copilot. WITHOUT LIMITING SECTION 12 OF THE MICROSOFT SERVICES AGREEMENT IN ANY WAY, BUT FOR THE SAKE OF CLARITY, WE DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND ABOUT COPILOT. For example, we can’t promise that any Copilot’s Responses won’t infringe someone else’s rights (like their copyrights, trademarks, or rights of privacy) or defame them. - Interpretation (disclaimed): This segment discloses that Copilot may include advertising and both automated and human data processing, warns users not to share information they don't want reviewed, disclaims guarantees about Copilot's operation, and addresses the experimental nature of Copilot Labs features, limiting Microsoft's liability for service performance and feature availability. - Tier: All - Location: Terms of Service › “IMPORTANT DISCLOSURES & WARNINGS” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Copilot%20may%20include,or%20defame%20them.%20 ### indemnity liability — risk unknown > You are solely responsible if you choose to publish or share Copilot’s Responses publicly or with any other person. You agree to indemnify us and hold us harmless (including our affiliates, employees and any other agents) from and against any claims, losses, and expenses (including attorneys' fees) arising from or relating to your use of Copilot, including without limitation your use, sharing, or publication of any Prompt, Responses, or Creations, or your breach of these Terms or violation of applicable law. You may stop using Copilot at any time. If you want to close your Microsoft Account, please see the Microsoft Services Agreement . - Interpretation (disclaimed): This segment imposes an indemnification obligation on users to defend and hold harmless Microsoft and its affiliates from claims, losses, and expenses (including attorneys' fees) arising from their use of Copilot, sharing or publishing of Prompts, Responses, or Creations, or breach of these Terms or applicable law. - Tier: All - Location: Terms of Service › “IMPORTANT DISCLOSURES & WARNINGS” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=You%20are%20solely%20responsible,Microsoft%20Services%20Agreement%20. ### indemnity liability — risk unknown > If a third party sues a commercial customer for copyright infringement for using Microsoft's Copilots or the output they generate, we'll defend the customer and pay the amount of any adverse judgments or settlements that result from the lawsuit, as long as the customer used the guardrails and content filters we have built into our products. For more information, see Microsoft announces new Copilot Copyright Commitment for customers . - Interpretation (disclaimed): Establishes Microsoft's obligation to defend commercial customers and pay adverse judgments or settlements arising from third-party copyright infringement lawsuits related to Copilot use or output, conditioned on the customer using prescribed guardrails and content filters. - Tier: All - Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20a%20third,Commitment%20for%20customers%20. ### confidentiality — risk unknown > We already implement multiple forms of protection to help prevent customers from compromising Microsoft 365 services and applications or gaining unauthorized access to other tenants or the Microsoft 365 system itself. Here are some examples of those forms of protection: - Interpretation (disclaimed): Describes Microsoft's obligation to implement multiple protective measures preventing unauthorized access to customer data and tenant isolation within Microsoft 365 services. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20already%20implement,those%20forms%20of%20protection%3A ### confidentiality — risk unknown > Logical isolation of customer content within each tenant for Microsoft 365 services is achieved through Microsoft Entra authorization and role-based access control. For more information, see Microsoft 365 isolation controls . - Interpretation (disclaimed): Specifies the obligation to achieve logical isolation of customer content within each tenant through Microsoft Entra authorization and role-based access control, protecting confidentiality of tenant data. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Logical%20isolation%20of,365%20isolation%20controls%20. ### confidentiality — risk unknown > Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer content. - Interpretation (disclaimed): States Microsoft's obligation to use physical security, background screening, and multi-layered encryption to protect the confidentiality and integrity of customer content. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20uses%20rigorous,integrity%20of%20customer%20content. ### confidentiality — risk unknown > Microsoft 365 uses service-side technologies that encrypt customer content at rest and in transit, including BitLocker, per-file encryption, Transport Layer Security (TLS), and Internet Protocol Security (IPsec). For specific details about encryption in Microsoft 365, see Encryption in the Microsoft Cloud . - Interpretation (disclaimed): Details Microsoft's obligation to encrypt customer content at rest and in transit using specific technologies (BitLocker, TLS, IPsec), establishing a security commitment for data protection. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20uses,the%20Microsoft%20Cloud%20. ### governing law disputes — risk unknown > IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT . IT AFFECTS HOW DISPUTES RELATING TO THESE TERMS ARE RESOLVED. Welcome to Copilot, your personal AI companion! These Terms explain how you can use Copilot. By using Copilot, you agree to these Terms. Please read them carefully before you start using Copilot. - Interpretation (disclaimed): This segment incorporates by reference the binding arbitration clause and class action waiver in Section 15 of the Microsoft Services Agreement and conditions their applicability on US residency or principal place of business, establishing how disputes relating to these Terms are resolved. - Tier: All - Location: Terms of Service › “Summary of Changes” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20IF%20YOU%20LIVE,you%20start%20using%20Copilot. ### governing law disputes — risk unknown > By agreeing to these Terms, you’re also agreeing to the Microsoft Services Agreement , a legal agreement between you and us that applies to your use of our Services (including Copilot). If you have a Microsoft account, you already agreed to the Microsoft Services Agreement when you first created a Microsoft account. If you log in to Copilot using a non-Microsoft account, we may automatically create a Microsoft account for you, or let you link that non-Microsoft account to your existing Microsoft Account. Even if you don’t have a Microsoft Account – for example, if you’re using Copilot without logging in, you’re still agreeing to the Microsoft Services Agreement by using Copilot. Please make sure you review it carefully. If you use Copilot to create images, you’re also agreeing to the Image Creator Terms . If you use Copilot to access, update, or use payment methods (like credit cards) you’ve saved in your Microsoft Wallet, you are subject to the Payment Services Terms . If you use Gaming Copilot or other AI-powered experiences provided in connection with any Xbox Services, you are also subject to the Xbox Community Standards . Copilot may be integrated into other products and services we separately license to you. For example, Microsoft 365 Family or Microsoft 365 Personal subscriptions are separately licensed under the terms at https://www.microsoft.com/useterms . If any of the language in those other agreements conflicts with the language in these Terms, the language in these Terms controls. When you use Copilot, you are subject to the Microsoft Privacy Statement , which describes how we collect, use, and share information relating to your use of Copilot. - Interpretation (disclaimed): This segment incorporates the Microsoft Services Agreement by reference as a binding legal agreement governing use of the Services, and describes the mechanism by which a Microsoft account (and thus that agreement) may be automatically created or linked for users of Copilot, establishing the contractual framework that applies. - Tier: All - Location: Terms of Service › “OTHER TERMS & AGREEMENTS” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20By%20agreeing%20to,your%20use%20of%20Copilot. ### governing law disputes — risk unknown > From time to time, we might need to update these Terms for different reasons. Some of those reasons might include adding new features, complying with changing laws, addressing security, safety, or fraud issues, or making our Terms clearer and easier to understand. There may be rare circumstances where we need to update these Terms immediately. Otherwise, we’ll post the updated Terms to this page at least 30 days before they take effect. We’ll also include the date the terms take effect at the top of the page, so you can easily tell when we’ve made an update. If you keep using Copilot after the updates take effect, you’re agreeing to those updates. If you don’t agree to the updates, you must stop using Copilot. - Interpretation (disclaimed): This segment establishes the procedural mechanism by which Microsoft may unilaterally update the Terms, including the obligation to post updates at least 30 days in advance (except in urgent circumstances), the method of notice (posting to the page with an effective date), and the consequence that continued use of Copilot after the effective date constitutes acceptance of the updated Terms. - Tier: All - Location: Terms of Service › “UPDATES TO THESE TERMS” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20From%20time%20to,must%20stop%20using%20Copilot. ### moderation enforcement — risk unknown > You need to be old enough to use Copilot – usually at least 13, but sometimes 18 or older, depending on your country’s laws. Because laws vary by country, Copilot isn’t available everywhere. If you’re under 18, or if you use Copilot without logging in, we might turn off or limit some features for legal or safety reasons. If we ask for your birthday and country when you sign up or log in, you must give us your real information. Don’t use tools or computer programs (like bots or scrapers) to access Copilot. You can only use Copilot for your own personal use. - Interpretation (disclaimed): This segment restricts Copilot access based on age (minimum 13 or 18 depending on jurisdiction), prohibits use of bots or scrapers, limits use to personal use only, and authorizes Microsoft to disable features for minors or unauthenticated users, imposing access eligibility restrictions and enforcement authority. - Tier: All - Location: Terms of Service › “WHO CAN USE COPILOT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20You%20need%20to,your%20own%20personal%20use. ### moderation enforcement — risk unknown > When you use Copilot, you must follow the general Code of Conduct set out in the Microsoft Services Agreement . As applied to Copilot, this means: Don’t use Copilot to harm yourself or others . Don’t use Copilot to help harass, bully, abuse, threaten, or intimidate other people, or otherwise harm others. Don’t use Copilot to help exploit others based on age, disability, or social or economic situations. Don’t damage our ability to provide Copilot to you and others . Don’t use bots or scrapers, and don’t engage in technical attacks, excess usage, prompt-based manipulation, “jailbreaking”, and other abuses. Don’t violate the privacy of others . Don’t use Copilot to help violate the privacy of others, including sharing their private information (e.g. “doxing”). Don’t use Copilot to infer sensitive information about others, like a person's race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. Don’t try to use Copilot for facial identification, to collect or process someone else’s sensitive personal data, or to try to verify someone’s identity. Don’t share or capture images, video, audio, or other content that includes other people without their consent, and don’t try to use Copilot to process someone else’s biometric identifiers or information. Don’t use Copilot to trick, lie to, or cheat others . Don’t use Copilot to help mislead or deceive people. Don’t use Copilot to create or share disinformation or content that will be used to impersonate, defraud, or deceive others. - Interpretation (disclaimed): This segment imposes specific behavioral restrictions on users by prohibiting harmful, harassing, abusive, threatening, or service-damaging uses of Copilot, and incorporates the Microsoft Services Agreement Code of Conduct by reference, establishing enforceable conduct obligations. - Tier: All - Location: Terms of Service › “CODE OF CONDUCT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20When%20you%20use,or%20deceive%20others.%20 ### moderation enforcement — risk unknown > Don’t infringe the rights of others . Don’t use Copilot to infringe on other people’s legal rights, including their intellectual property and publicity rights. Don’t create or share inappropriate content or material . Don’t use Copilot to create or share adult content, violence or gore, hateful content, terrorism and violent extremist content, glorification of violence or suicide, child sexual exploitation or abuse material, or content that is otherwise disturbing or offensive. Don’t use Copilot to create or edit images, voice, or video of other people (e.g. “deepfakes”) without their permission. Don’t do anything illegal . Don’t use Copilot to break the law, or to help or encourage others to break the law. If you see something wrong or inappropriate from Copilot, use the Report or Feedback features in Copilot to let us know. If you have a legal concern about something Copilot says, please use the Report a Concern page to tell us. We may block, restrict, or remove your Prompts or other content from you that violates these Terms, or that could lead Copilot to create a Response that violates these Terms. - Interpretation (disclaimed): This segment restricts users from using Copilot to infringe intellectual property or publicity rights, and prohibits creation or sharing of adult content, violent content, hateful content, extremist content, and non-consensual deepfakes, establishing content moderation restrictions enforceable against users. - Tier: All - Location: Terms of Service › “CODE OF CONDUCT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20Don%E2%80%99t%20infringe%20the,that%20violates%20these%20Terms. ### moderation enforcement — risk unknown > We may choose to limit or stop offering or supporting Copilot or any feature within Copilot at any time and for any reason. Unless prohibited by law, we may limit, suspend, or permanently revoke your access to or use of Copilot (and potentially all other Services) in our sole discretion, at any time and without notice . Some of the reasons we might do this, for example, is if you breach these Terms or violate the Code of Conduct, if we suspect you’re engaged in fraudulent or illegal activity, or if your Microsoft Account or the account you use to log in to Copilot is suspended or closed. If you feel your access has been restricted by mistake, you may ask us to reevaluate our decision by submitting a request using the Report a Concern form outlining what you think we got wrong and why. - Interpretation (disclaimed): This segment grants Microsoft the right to limit, suspend, or permanently revoke user access to Copilot at any time, without notice and in its sole discretion, including for breach of Terms, Code of Conduct violations, suspected fraud, or account suspension, establishing broad enforcement authority over user access. - Tier: All - Location: Terms of Service › “OUR DECISIONS ABOUT COPILOT” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We%20may%20choose,got%20wrong%20and%20why. ### moderation enforcement — risk unknown > Microsoft 365 Copilot operates with multiple protections, which include, but aren't limited to, blocking harmful content , detecting protected material , and blocking prompt injections (jailbreak attacks) . - Interpretation (disclaimed): This segment describes Microsoft's operational protections including blocking harmful content, detecting protected material, and blocking prompt injections, establishing obligations for moderation and safety enforcement within the Copilot service. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Microsoft%20365%20Copilot,injections%20(jailbreak%20attacks)%20. ### moderation enforcement — risk unknown > While abuse monitoring, which includes human review of content, is available in Azure OpenAI, Microsoft 365 Copilot services have opted out of it. For information about content filtering, see the How does Copilot block harmful content? section later in this article. - Interpretation (disclaimed): This segment states that Microsoft 365 Copilot services have opted out of abuse monitoring (including human review of content) available in Azure OpenAI, creating a documented exception to standard content moderation procedures, and cross-references content filtering information. - Tier: All - Location: Privacy Policy › “Note” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20While%20abuse%20monitoring%2C,later%20in%20this%20article. ### moderation enforcement — risk unknown > In the Integrated apps section of the Microsoft 365 admin center , admins can view the permissions and data access required by an agent as well as the agent's terms of use and privacy statement. Admins have full control to select which agents are allowed in their organization. A user can only access the agents that their admin allows and that the user installed or is assigned. Microsoft 365 Copilot only uses agents that are turned on by the user. - Interpretation (disclaimed): This segment grants admins the right to view agent permissions, data access requirements, terms of use, and privacy statements, and to control which agents are permitted within their organization, establishing organizational governance rights over Copilot extensibility. - Tier: All - Location: Privacy Policy › “Extensibility of Microsoft 365 Copilot” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20In%20the%20Integrated,on%20by%20the%20user. ### moderation enforcement — risk unknown > When you have data that's encrypted by Microsoft Purview Information Protection, Microsoft 365 Copilot honors the usage rights granted to the user. This encryption can be applied by sensitivity labels or by restricted permissions in apps in Microsoft 365 by using Information Rights Management (IRM). For more information about using Microsoft Purview with Microsoft 365 Copilot, see Microsoft Purview data security and compliance protections for generative AI apps . - Interpretation (disclaimed): Establishes that Microsoft 365 Copilot is obligated to honor usage rights granted via Microsoft Purview Information Protection encryption, including sensitivity labels and IRM permissions, restricting Copilot's access to encrypted content based on those rights. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20When%20you%20have,generative%20AI%20apps%20. ### moderation enforcement — risk unknown > For content accessed through agents in Microsoft 365, encryption can exclude programmatic access, thus limiting the agent from accessing the content. For more information, see Configure usage rights for Azure Information Protection . - Interpretation (disclaimed): Restricts agent access to encrypted content by stating that encryption can exclude programmatic access, thereby limiting what agents in Microsoft 365 can access. - Tier: All - Location: Privacy Policy › “How does Microsoft 365 Copilot protect organizational data?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20For%20content%20accessed,Azure%20Information%20Protection%20. ### moderation enforcement — risk unknown > Some privacy controls for connected experiences in Microsoft 365 Apps can affect the availability of Microsoft 365 Copilot features. This includes the privacy controls for connected experiences that analyze your content and the privacy control for optional connected experiences. For more information about these privacy controls, see Overview of privacy controls for Microsoft 365 Apps for enterprise . - Interpretation (disclaimed): States that certain privacy controls for connected experiences affect the availability of Microsoft 365 Copilot features, establishing the procedural relationship between privacy settings and feature access. - Tier: All - Location: Privacy Policy › “Important” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Some%20privacy%20controls,Apps%20for%20enterprise%20. ### moderation enforcement — risk unknown > If you turn off connected experiences that analyze your content on devices in your organization, Microsoft 365 Copilot features won't be available to your users in the following apps: - Interpretation (disclaimed): Restricts Microsoft 365 Copilot feature availability in specific apps (Excel, OneNote, Outlook, PowerPoint, Word) when the organization disables connected experiences that analyze content, limiting service delivery based on admin privacy controls. - Tier: All - Location: Privacy Policy › “Privacy control for connected experiences that analyze your content” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20you%20turn,in%20the%20following%20apps%3A ### moderation enforcement — risk unknown > This applies to when you're running the most current version of these apps on Windows, Mac, iOS, or Android devices. - Interpretation (disclaimed): Defines the scope of the privacy control restriction as applying to the most current versions of the listed apps on Windows, Mac, iOS, and Android devices, delimiting applicability. - Tier: All - Location: Privacy Policy › “Word” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20This%20applies%20to,iOS%2C%20or%20Android%20devices. ### moderation enforcement — risk unknown > There's also a privacy control that turns off all connected experiences, including connected experiences that analyze your content. If you use that privacy control, Microsoft 365 Copilot features won't be available in the apps and on the devices described above. - Interpretation (disclaimed): States that activating the all-connected-experiences privacy control also disables Copilot features in the specified apps and devices, extending the restriction to a broader control setting. - Tier: All - Location: Privacy Policy › “Word” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20There's%20also%20a,the%20devices%20described%20above. ### moderation enforcement — risk unknown > In addition to content filtering provided by the Azure OpenAI Service, certain Microsoft 365 Copilot scenarios provide other mitigations, such as filters to help prevent workplace harms from happening. Workplace harms refers to a category of harms that can result from generative AI or models making inferences, judgments, or evaluations about an employee based on their workplace communication. Currently, that means inferences, judgments, or evaluations about an employee's performance, attitude, internal or emotional state, or personal characteristics. We restrict the use of generative AI or models from being used for these purposes. - Interpretation (disclaimed): Restricts the use of generative AI in certain Microsoft 365 Copilot scenarios to prevent workplace harms, specifically prohibiting AI from making inferences or evaluations about employee performance, attitude, internal state, or personal characteristics. - Tier: All - Location: Privacy Policy › “How does Copilot block harmful content?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20In%20addition%20to,used%20for%20these%20purposes. ### moderation enforcement — risk unknown > If you turn off optional connected experiences in your organization, Microsoft 365 Copilot features that are optional connected experiences won't be available to your users. For example, turning off optional connected experiences could affect the availability of web search . - Interpretation (disclaimed): Restricts availability of Copilot features that are optional connected experiences (e.g., web search) when the organization disables optional connected experiences, limiting feature access based on privacy settings. - Tier: All - Location: Privacy Policy › “Privacy control for optional connected experiences” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20If%20you%20turn,of%20web%20search%20. ### moderation enforcement — risk unknown > There's also a privacy control that turns off all connected experiences, including optional connected experiences. If you use that privacy control, Microsoft 365 Copilot features that are optional connected experiences won't be available. - Interpretation (disclaimed): States that the all-connected-experiences privacy control also disables optional connected experience Copilot features, extending the restriction of segment 107 to the broader control. - Tier: All - Location: Privacy Policy › “Privacy control for optional connected experiences” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20There's%20also%20a,experiences%20won't%20be%20available. ### moderation enforcement — risk unknown > We continue to improve algorithms to proactively address issues, such as misinformation and disinformation, content blocking, data safety, and preventing the promotion of harmful or discriminatory content in line with our responsible AI principles . - Interpretation (disclaimed): States Microsoft's ongoing obligation to improve algorithms to proactively address misinformation, disinformation, content blocking, data safety, and prevention of harmful or discriminatory content in line with responsible AI principles. - Tier: All - Location: Privacy Policy › “About the content that Microsoft 365 Copilot creates” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20continue%20to,responsible%20AI%20principles%20. ### moderation enforcement — risk unknown > To help block harmful content, Microsoft 365 Copilot uses safeguards that work alongside AI models used to generate responses. Depending on the scenario, these safeguards may include Microsoft first-party protections or, in some cases, safety mitigations built into the underlying model. These safeguards use a defense-in-depth approach and can include a mix of Microsoft first-party protections that help detect and reduce jailbreak attempts and prompt injection patterns (including cross-prompt injection attacks), content harm filters to identify harmful content in prompts or generated responses (such as Hate & Fairness, Sexual, Violence, and Self-harm), or in some scenarios, safety mitigations built into the underlying model. - Interpretation (disclaimed): Describes Microsoft's obligation to implement safeguards alongside AI models to block harmful content, including first-party protections against jailbreak attempts, prompt injection, and content harm filters applied to prompts and generated responses. - Tier: All - Location: Privacy Policy › “How does Copilot block harmful content?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20To%20help%20block,into%20the%20underlying%20model. ### moderation enforcement — risk unknown > Hate and fairness-related harms refer to any content that uses pejorative or discriminatory language based on attributes like race, ethnicity, nationality, gender identity and expression, sexual orientation, religion, immigration status, ability status, personal appearance, and body size. Fairness is concerned with making sure that AI systems treat all groups of people equitably without contributing to existing societal inequities. Sexual content involves discussions about human reproductive organs, romantic relationships, acts portrayed in erotic or affectionate terms, pregnancy, physical sexual acts, including those portrayed as an assault or a forced act of sexual violence, prostitution, pornography, and abuse. Violence describes language related to physical actions that are intended to harm or kill, including actions, weapons, and related entities. Self-harm language refers to deliberate actions that are intended to injure or kill oneself. - Interpretation (disclaimed): Defines categories of harmful content subject to filtering (hate/fairness-related harms and sexual content), establishing the scope of content moderation obligations and restrictions on generated outputs. - Tier: All - Location: Privacy Policy › “How does Copilot block harmful content?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Hate%20and%20fairness-related,injure%20or%20kill%20oneself. ### moderation enforcement — risk unknown > Yes, Microsoft 365 Copilot provides detection for protected materials, which includes text subject to copyright and code subject to licensing restrictions. This detection may not be available in all Microsoft 365 Copilot scenarios, and not all of these mitigations are relevant for all Microsoft 365 Copilot scenarios. - Interpretation (disclaimed): Confirms Microsoft's obligation to provide detection for protected materials including copyrighted text and licensed code within Microsoft 365 Copilot, while noting availability may vary by scenario. - Tier: All - Location: Privacy Policy › “Does Copilot provide protected material detection?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Yes%2C%20Microsoft%20365,Microsoft%20365%20Copilot%20scenarios. ### moderation enforcement — risk unknown > Jailbreak attacks are prompts designed to bypass Copilot's safeguards or induce non-compliant behavior. Microsoft 365 Copilot helps mitigate these attacks by using proprietary techniques, such as jailbreak and cross-prompt injection attack (XPIA) classifiers. These classifiers analyze inputs to the Copilot service and help block high-risk prompts prior to model execution. These classifiers may not be available in all Microsoft 365 Copilot scenarios. - Interpretation (disclaimed): This segment describes the technical procedure Microsoft uses to detect and block jailbreak and cross-prompt injection attacks, including classifier-based input analysis prior to model execution, and notes availability limitations — establishing a moderation enforcement mechanism with a partial disclaimer on scope. - Tier: All - Location: Privacy Policy › “Does Copilot block prompt injections (jailbreak attacks)?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20Jailbreak%20attacks%20are,Microsoft%20365%20Copilot%20scenarios. ### moderation enforcement — risk unknown > The AI models that power Microsoft 365 Copilot are regularly updated and enhanced. Model updates bring performance improvements, more advanced reasoning, and expanded capabilities, but they don't change your security, privacy, or compliance settings. For more information, see Microsoft 365 Blog: Understanding foundation model changes in Microsoft 365 Copilot . - Interpretation (disclaimed): This segment disclaims that model updates do not change security, privacy, or compliance settings, limiting customer expectations about the impact of AI model changes on their data governance obligations. - Tier: All - Location: Privacy Policy › “What happens when foundation model changes occur?” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20The%20AI%20models,Microsoft%20365%20Copilot%20. ### moderation enforcement — risk unknown > As AI is poised to transform our lives, we must collectively define new rules, norms, and practices for the use and impact of this technology. Microsoft has been on a Responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. - Interpretation (disclaimed): This segment references Microsoft's self-imposed obligation to adhere to responsible AI principles and practices since 2017, establishing an ethical governance commitment relevant to how the AI platform is operated and regulated. - Tier: All - Location: Privacy Policy › “Committed to responsible AI” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20As%20AI%20is,that%20put%20people%20first. ### moderation enforcement — risk unknown > At Microsoft, we're guided by our AI principles , our Responsible AI Standard , and decades of research on AI, grounding, and privacy-preserving machine learning. A multidisciplinary team of researchers, engineers, and policy experts reviews our AI systems for potential harms and mitigations - refining training data, filtering to limit harmful content, query- and result-blocking sensitive topics, and applying Microsoft technologies like InterpretML and Fairlearn to help detect and correct data bias. We make it clear how the system makes decisions by noting limitations, linking to sources, and prompting users to review, fact-check, and adjust content based on subject-matter expertise. For more information, see Governing AI: A Blueprint for the Future . - Interpretation (disclaimed): This segment describes Microsoft's obligation to follow its AI principles and Responsible AI Standard, including specific technical measures such as filtering harmful content, query/result blocking, and bias detection — constituting enforceable internal governance commitments affecting platform moderation and enforcement. - Tier: All - Location: Privacy Policy › “Committed to responsible AI” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20At%20Microsoft%2C%20we're,for%20the%20Future%20. ### moderation enforcement — risk unknown > We aim to help our customers use our AI products responsibly, sharing our learnings, and building trust-based partnerships. For these new services, we want to provide our customers with information about the intended uses, capabilities, and limitations of our AI platform service, so they have the knowledge necessary to make responsible deployment choices. We also share resources and templates with developers inside organizations and with independent software vendors (ISVs), to help them build effective, safe, and transparent AI solutions. - Interpretation (disclaimed): This segment describes Microsoft's commitment to provide customers with information about intended uses, capabilities, and limitations of the AI platform, and to share responsible deployment resources — establishing a transparency and support obligation relevant to moderation and responsible use enforcement. - Tier: All - Location: Privacy Policy › “Committed to responsible AI” - Source: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy - Snapshot SHA-256: `d643c9476086c66cd1210cb99c13332a36a59d8f8b302ca35dbe9bdb093607f7` - Wayback: — - Deep link: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy#:~:text=%20We%20aim%20to,and%20transparent%20AI%20solutions. ### moderation enforcement — risk unknown > Copilot is built on a comprehensive approach to enterprise-grade security and responsible AI—so you can move faster without compromising the safeguards your business depends on. - Interpretation (disclaimed): This segment makes a general representation about enterprise-grade security and responsible AI design, functioning as a disclaimer that conveys the vendor's security posture without creating a specific contractual obligation or enforceable guarantee. - Tier: All - Location: “Secure by design” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Copilot%20is%20built,business%20depends%20on.%20 ### moderation enforcement — risk unknown > Copilot inherits your Microsoft 365 permissions, sensitivity labels, and retention policies—so people only see what they’re meant to. - Interpretation (disclaimed): This segment describes Microsoft's obligation to provide comprehensive IT tools for managing Copilot and agents at scale, enabling security oversight and control at every administrative level. - Tier: All - Location: “Governed access” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Copilot%20inherits%20your,they%E2%80%99re%20meant%20to.%20 ### tier differences — risk unknown > We've added terms for Copilot Health (which take effect immediately). We’ve included a link to the Payment Services Terms , which apply if you use payment and wallet-related features in Copilot. We’ve updated our disclosures and warnings to be clearer about how you should and shouldn’t use Copilot. We’ve made other minor formatting and wording changes to accurately reflect current product experiences. - Interpretation (disclaimed): This segment summarizes material changes to the Terms including the addition of Copilot Health terms, incorporation of Payment Services Terms by reference, and updated disclosures, thereby incorporating external documents and flagging feature-specific obligations. - Tier: All - Location: Terms of Service › “Summary of Changes” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20We've%20added%20terms,reflect%20current%20product%20experiences. ### tier differences — risk unknown > These Terms don’t apply to Microsoft 365 Copilot apps or services unless that specific app or service says that these Terms apply. - Interpretation (disclaimed): This segment explicitly carves out Microsoft 365 Copilot apps and services from the scope of these Terms unless a specific app or service expressly states these Terms apply, creating a tier-based distinction in coverage. - Tier: All - Location: Terms of Service › “Other Copilot-branded apps and services that link to these Terms” - Source: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse - Snapshot SHA-256: `c81a2e9e91bec90ad8c83816e8cf58369b3dd4bce1152ce23b383d05edc0be43` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse#:~:text=%20These%20Terms%20don%E2%80%99t,that%20these%20Terms%20apply. ### tier differences — risk unknown > Add Copilot to your Microsoft 365 plan, get both together if you’re new, or try Copilot Chat today. - Interpretation (disclaimed): This segment describes the available purchasing paths (adding Copilot to an existing plan, bundling with Microsoft 365, or using Copilot Chat), defining the different tier/plan options available to customers without imposing obligations or restrictions. - Tier: All - Location: “Get started with Microsoft 365 Copilot” - Source: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work - Snapshot SHA-256: `e6745f65d0fb4f4a947bf141e628b2ef6705f6ff07b279f8c1f93f501c65ef5e` - Wayback: — - Deep link: https://www.microsoft.com/en-us/microsoft-365/copilot/copilot-for-work#:~:text=%20Add%20Copilot%20to,try%20Copilot%20Chat%20today.