Data privacy

How long do vendors keep your data, and can you turn that off?

Even when a vendor does not train on your data, it may store it for a while to detect abuse, commonly on the order of 30 days. Enterprise zero-data-retention and HIPAA arrangements can remove or narrow that storage.

Last updated 2026-06-15 · Physea Labs

“Not used for training” is not the same as “not stored.” A vendor can keep your prompts for a while even when it never feeds them to a model, usually to watch for abuse or to meet a legal request.

OpenAI describes this directly: “By default, abuse monitoring logs are generated for all API feature usage and retained for up to 30 days, unless longer retention is required by law.”[1] Anthropic takes a narrower stance for its commercial API, saying conversation content “is not retained by default,” with retention applied only where a specific feature requires it.[2]

For organizations that need a stronger guarantee, vendors offer zero data retention (ZDR). With OpenAI’s ZDR, customer content is excluded from abuse-monitoring logs and the request is not stored after it completes; the store parameter “is always treated as false,” and customers must be approved to use it.[1] Anthropic describes ZDR as an arrangement where “customer data is not stored at rest after the API response is returned, except where needed to comply with law or combat misuse.”[2] Even under ZDR, there are limits: Anthropic notes that if a session is flagged for a policy violation, it “may retain inputs and outputs for up to 2 years.”[2]

Two extra details matter for regulated work. Anthropic offers HIPAA-ready API access for protected health information under a signed Business Associate Agreement.[2] And some newer models carry their own floor: Claude Fable 5 and Mythos 5 are designated as requiring 30-day retention, so zero data retention “is not available” for them on the Claude API.[2]

ZDR is usually an enterprise feature

Zero data retention and HIPAA agreements are typically negotiated and approved per organization, not toggled on a free account. If you handle sensitive data, this is a contract conversation, not a checkbox.

References

  1. Data controls in the OpenAI platform — OpenAI
  2. API and data retention — Anthropic