ChatGPT: how to use it securely without sharing sensitive information

With the rise of GPT-5 and advanced multimodal capabilities, ChatGPT is now used for tasks involving financial data, healthcare records, legal documents, and confidential projects. However, sending sensitive information into ChatGPT without proper safeguards can create compliance and privacy risks, especially on free and consumer plans. As of August-September 2025, OpenAI has introduced several tools and enterprise-grade configurations to help individuals, teams, and organizations control data retention, restrict exposure, and maintain security standards.


Here we explain the most effective ways to use ChatGPT securely, covering all plans, settings, and deployment options.



Use Temporary Chats to prevent storing conversations.

The easiest way for free and Plus users to limit exposure is by enabling Temporary Chat mode.

  • How it works:

    • When activated, conversations are excluded from permanent chat history.

    • Logs are still stored temporarily for up to 30 days for abuse monitoring and troubleshooting.

    • After 30 days, data is automatically purged unless flagged for policy violations.

  • Availability:

    • Available to all users on free, Plus, Team, and Enterprise plans.

    • Works on both web and mobile apps.

  • Training policy:

    • Conversations in Temporary Chats are never used for model training.

For users handling confidential information on a one-time basis, Temporary Chats are the simplest privacy measure. However, temporary logs still exist, meaning legal subpoenas can require their disclosure.



Use zero-data-retention (ZDR) endpoints for complete isolation.

For developers and organizations needing maximum privacy, OpenAI offers Zero-Data-Retention (ZDR) endpoints.

  • How it works:

    • Use the API header x-zerodata=true to route traffic through ZDR-designated endpoints.

    • Data is processed for real-time abuse detection only and discarded instantly.

    • Nothing is logged, stored, or analyzed beyond the active request.

  • Availability:

    • Supported for Plus, Team, Enterprise, and custom API accounts.

    • Inaccessible from free-tier web and mobile interfaces.

  • Pricing impact:

    • ZDR requests are billed at a +25% premium over standard API rates.

  • Limitations:

    • Not compatible with Assistants threads or persistent file storage.

    • Best suited for financial institutions, healthcare applications, and regulated workflows.

ZDR provides absolute log isolation and is the only option when sensitive data must never be retained or discoverable.
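As an added example (not code from the page or from OpenAI), a client-side gate that applies the guidance above before a prompt leaves the organisation: a prompt with sensitive identifiers is sent only on a ZDR-enabled account, or redacted, or blocked. It assumes the x-zerodata header behaves as the page describes; the detection patterns are constructed and illustrative, not a full DLP rule set.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative detectors for a few common sensitive-data shapes.
# A real deployment would use the organisation's DLP rule set instead.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

@dataclass
class Decision:
    allowed: bool     # may the request leave the organisation?
    findings: list    # detector names that matched
    headers: dict     # headers the outgoing request would carry
    text: str         # text that would actually be sent ("" if blocked)

def scan(text):
    """Return the names of every detector that matches the prompt."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]

def redact(text):
    """Mask each match so a non-ZDR request carries no raw identifiers."""
    for name, pat in SENSITIVE_PATTERNS.items():
        text = pat.sub(f"[REDACTED {name.upper()}]", text)
    return text

def gate_request(text, zdr_available, redact_instead=False):
    """Decide how a prompt may be sent, following the page's guidance.

    Clean text goes out unchanged. Text with findings goes out only on a
    ZDR-enabled account (header as the page states) or, if the caller opts
    in, after redaction; otherwise it is blocked.
    """
    findings = scan(text)
    headers = {"Content-Type": "application/json"}
    if not findings:
        return Decision(True, [], headers, text)
    if zdr_available:
        # The page says this header routes the call to ZDR endpoints; its
        # behaviour is taken from the page and not verified here.
        headers["x-zerodata"] = "true"
        return Decision(True, findings, headers, text)
    if redact_instead:
        return Decision(True, findings, headers, redact(text))
    return Decision(False, findings, headers, "")
```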


Configure custom data retention for teams and enterprises.

Starting June 2025, OpenAI introduced admin console retention controls for ChatGPT Team, Enterprise, and Edu plans.

  • Retention settings available:

    • 30 days (default).

    • 14 days.

    • 7 days.

    • 0 days — only for Enterprise and Edu tiers.

  • Behavior:

    • Shorter retention windows automatically disable search features and conversation history analytics.

    • All deletions propagate across back-end storage within the configured window.

  • Ideal use cases:

    • Enterprises operating under GDPR, HIPAA, or financial compliance frameworks.

    • Teams requiring region-specific data handling or stricter audit logging.

This flexibility gives organizations more granular control over their ChatGPT data while maintaining regulatory compliance.


Enable regional data residency and private tenant hosting.

For enterprises handling regulated data, OpenAI supports data residency guarantees and private deployments:

  • EU & Germany region lock:

    • Introduced in April 2025 for Enterprise and select Team workspaces.

    • Ensures all data remains within EU-based data centers to satisfy GDPR obligations.

  • Azure OpenAI Private-Link deployments:

    • Preview launched January 2025 for GPT-4o and GPT-5 models.

    • Routes ChatGPT traffic within a customer-controlled virtual network (VNet).

    • No OpenAI-side logging; customers retain full control over storage and monitoring.

  • Ideal for:

    • Enterprises in finance, healthcare, government, and critical infrastructure sectors.

    • Customers needing complete network-level isolation for sensitive workloads.

Private tenant hosting is the highest-security configuration available today, combining regional residency with network-level isolation.


Understand encryption and security guarantees.

OpenAI applies strong encryption standards across all ChatGPT deployments:

  • In transit: All traffic is encrypted using TLS 1.3.

  • At rest: Stored data uses AES-256 encryption by default.

  • Planned improvements:

    • Full end-to-end encryption (E2EE) for chat content is in active development, with pilots scheduled for early 2026.

While current encryption secures data storage and transmission, users handling highly sensitive information should still use ZDR endpoints or private-network deployments to avoid third-party access requests.


Sign a HIPAA BAA for healthcare-related usage.

For organizations working with protected health information (PHI), OpenAI provides a HIPAA Business Associate Agreement (BAA) program:

  • How to request: Submit a request to baa@openai.com.

  • Availability: Supported for Enterprise and custom API accounts.

  • Coverage:

    • Ensures OpenAI complies with HIPAA obligations regarding PHI handling.

    • Pairs well with ZDR endpoints for medical AI workflows.

  • Limitations:

    • Consumer ChatGPT on free or Plus tiers is not HIPAA compliant.

    • PHI should never be shared on endpoints without an executed BAA.

Healthcare organizations should always combine BAAs with stricter retention settings to remain compliant.


Use built-in tools to download or delete your data.

OpenAI offers a self-service GDPR portal to help users manage stored data:

  • Capabilities:

    • Download all stored conversations and associated account metadata.

    • Permanently delete historical data on demand.

  • Deletion guarantees:

    • Completed within ≤30 days unless the account is under a legal hold.

    • Deleted data cannot be recovered.

For personal users concerned about privacy, this tool ensures full lifecycle control over stored information.


Best practices for protecting sensitive data.

| Goal                             | Recommended feature           | Availability                 | Retention                     |
|----------------------------------|-------------------------------|------------------------------|-------------------------------|
| Avoid storing any conversation   | Temporary Chats               | Free, Plus, Team, Enterprise | Logs purged ≤ 30 days         |
| Ensure no logs exist at all      | ZDR endpoints                 | Plus, Team, Enterprise       | Logs dropped instantly        |
| Limit retention to short windows | Admin retention controls      | Team, Enterprise, Edu        | Choose 30, 14, 7, or 0 days   |
| Guarantee local data isolation   | Azure Private-Link deployment | Enterprise only              | Customer-controlled storage   |
| Stay compliant with HIPAA        | Business Associate Agreement  | Enterprise, API              | Protects PHI access legally   |
| Maintain regional compliance     | EU data residency lock        | Enterprise, select Team      | Restricts logs to EU centers  |
| Full deletion rights             | GDPR self-service portal      | All users                    | Complete erasure ≤ 30 days    |



Key takeaways.

  • Free and Plus users should enable Temporary Chats and avoid pasting sensitive, regulated, or confidential data into persistent chats.

  • Developers and enterprises can use Zero-Data-Retention endpoints to ensure no logs are kept.

  • Enterprise customers gain deeper controls, including custom retention periods, regional data residency, and private VNet deployments.

  • OpenAI never uses customer data for model training unless explicit opt-in consent is provided.

  • Healthcare, finance, and legal teams should combine BAAs, ZDR, and admin retention controls for maximum compliance.


By configuring these tools appropriately, users can leverage ChatGPT’s advanced features while maintaining privacy, data control, and security across all usage tiers.


DATA STUDIOS