ChatGPT Data Retention Quietly Changed. What it Means for Healthcare and Regulated Industries.
ChatGPT Data Retention Changed. Why it Affects Millions of Users, Even with Enterprise, Team, Plus and Pro Subscriptions
Due to ongoing legal disputes in the U.S. between major publishers and OpenAI regarding alleged copyright violations from illegal training data, courts are now demanding that OpenAI retain all data, including deleted content, to investigate potential concealed copyright infringements. As a result, OpenAI has been ordered to store output log data, even for enterprise and opt-out users.
What Does this Mean for SMBs Using OpenAI GPT-Based AI Products?
Organizations in highly sensitive industries, such as healthcare institutions and medical clinics, previously had more (though not complete) control over their data when subscribing to a Teams or Enterprise ChatGPT subscription. SMBs in particular, and builders of AI products on top of the OpenAI API, had:
- Permanent chat deletions
- API content could be removed from OpenAI systems within 30 days
- Opt-out options were available for data usage in model training
- Enterprise and Teams users had strict privacy boundaries by default
- Deleted chats were not retained or searchable
Since June 2025, this has changed.
"Businesses face heightened risks when using ChatGPT, including potential exposure of sensitive data and compliance challenges, especially in regulated industries like healthcare and finance."
Source: OpenAI's ChatGPT Data Retention Policy Explained - Geeky Gadgets
What Are Potential Data Privacy Issues of ChatGPT for Healthcare Institutions, Banks or SMBs?
Now, certain user data may be retained regardless of settings:
🚫 Permanent deletion is no longer guaranteed for ChatGPT Free, Plus, Pro, and Team users
🚫 Conversations may now be preserved, even if deleted by the user
🚫 Stored conversations may be searchable for audit or legal purposes
🚫 Over 60 billion chats from 200M+ users are now retained by OpenAI
🚫 Only API users with a “Zero Data Retention” agreement are exempt from this retention. Unfortunately, achieving 'Zero Data Retention' is difficult and nearly impossible for an SMB.
Why Is ChatGPT's Retention Policy Critical for EU and Swiss SMBs Wanting to Use AI?
1) In the EU, data retention is strictly regulated under the GDPR, which mandates that "personal data must be stored only as long as necessary for the intended purpose."
2) Additionally, the “right to be forgotten” (Article 17 GDPR) guarantees users the ability to have their data deleted upon request.
3) This creates a clear conflict between the U.S. legal obligations and EU data privacy laws, meaning OpenAI will likely have to apply different rules in the EU regarding data retention.
What are Safer AI Alternatives?
There are alternatives that are safer and GDPR compliant:
1) dreamleap is a secure, Swiss-Made AI platform that is used by legal companies, banks, financial institutions, and industrial, medical and healthcare companies.
2) It provides hybrid AI systems and models, so that cloud-based APIs with local models (not sending data to OpenAI directly) are available. In addition, on-premises installations with strict data control provide even more guardrails and security mechanisms.
3) We focus on multimodal and best-of-breed models, including the open-weight Swiss Open Source Model from ETH and specific sustainable models on the market for specific tasks.
4) dreamleap also builds and integrates on your systems, providing value from day one.
Why is dreamleap AI used by many SMBs?
dreamleap has an intelligent retrieval mechanism based on LLMs, RAG, agentic components and advanced AI engineering models and mechanisms that do not process data outside the EU.
dreamleap already provides many top AI agents out of the box, with a strong focus on business value, enablement, data compliance, and security, combined with flexible hosting options and affordable pricing for SMBs.
What about Microsoft Copilot vs. ChatGPT OpenAI?
MS Copilot provides more safety regarding data processing for EU companies. However, note that "Microsoft 365 Copilot calls to the LLM are routed to the closest data centers in the region, but also can call into other regions where capacity is available during high utilization periods." Please find all important information here: https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
Please find a great overview here: https://www.rosenthal.ch/downloads/VISCHER_ki-tools-03-25.pdf
What do I have to watch out for when evaluating AI providers?
First, always check with a provider whether they use the OpenAI GPT API directly. If they do, your data may be at risk under the new retention changes.
Second, verify whether providers build their AI solutions on top of existing platforms (such as Crew AI, n8n, Make, or Lovable). If so, clarify whether these tools are approved for use within your organization. Many of them process your data externally and proactively need access to your data, which may not be appropriate for highly sensitive information.
Third, if you need to use internal data for your AI applications, ensure that you work with a provider like dreamleap, which offers dedicated models hosted in your own cloud or on-premises environment.
If you're an SMB or working with non-sensitive data (i.e., no strategic, personally identifiable information (PII), or confidential content), and if the data may be processed outside the EU or accessed by the tool itself, using ChatGPT or similar services can be acceptable.
dreamleap is ideal if you want maximum security and flexibility to integrate with your own data, even alongside third-party tools, while maintaining full control.