Enterprise privacy at OpenAI
The primary source: API data is not used for training by default, with retention controls explained.
Open openai.com →The major API providers (OpenAI, Anthropic) do not train on your API data by default and offer short or zero retention, so the common fear is mostly solved by reading the actual policies and signing the right agreement. Your real risks are elsewhere: prompt injection and data leakage in your own app (see the OWASP LLM Top 10), and your legal duties as a data fiduciary under India's DPDP Act or GDPR, including consent, purpose limitation, and deletion. Minimise what you send, redact PII where you can, and put your provider's terms in your own privacy policy.
A quick orientation. The real value is below: resources worth your time, from people who've actually done it.
The primary source: API data is not used for training by default, with retention controls explained.
Open openai.com →The developer-facing detail on what is stored, for how long, and how to reduce it.
Open developers.openai.com →The policy to quote when a customer asks whether their data trains the model.
Open openai.com →Anthropic's equivalent answer, including the commercial-products carve-out.
Open privacy.claude.com →Covers the 7-day default retention and zero-data-retention arrangements.
Open platform.claude.com →Where to pull compliance artifacts when an enterprise customer sends a security questionnaire.
Open anthropic.com →The ten security risks unique to LLM apps, with prompt injection at number one.
Open aembit.io →Concrete examples of each attack and the layered defences OWASP recommends.
Open oligo.security →Automatically probe your own app for injection and PII leaks before attackers do.
Open promptfoo.dev →A practitioner's walkthrough of how injections actually happen in RAG and agent apps.
Open paulmduvall.com →A startup-sized DPDP compliance checklist from an Indian privacy consultancy.
Open tsaaro.com →One of India's top tech law firms translating DPDP obligations for AI builders specifically.
Open ikigailaw.com →The 2025 final rules applied to AI products, including the significant data fiduciary trap.
Open protecto.ai →A global law firm's view for founders serving both Indian and international customers.
Open reedsmith.com →Covers the hard problem: deleting a user whose data is baked into model weights.
Open khuranaandkhurana.com →An independent plain-English summary to cross-check the official policies.
Open meetily.ai →Compares training and retention defaults across providers in one table.
Open spartner.software →The fast version of the OWASP list for a founder who needs the gist today.
Open mend.io →