Here is our independent evaluation of ChatGPT 4 (OpenAI), at the heart of the Web3 revolution and the quest for a sovereign and privacy-respecting AI. Based on an exclusive framework and a rigorous audit of publicly available data, this analysis reflects our vision of a future where privacy is a fundamental right.
The scoring system is based on a comprehensive guide created specifically for this project, accessible here. This ranking is dynamic, evolving with innovations and feedback from the decentralized community.
Our mission: to enlighten and inform, without filter or influence, to build together a fairer and more transparent AI ecosystem.
Key Insights from the ChatGPT Privacy and Data Review
Model
- GPT-4
Data Collection
- Prompts stored: User prompts and data are stored for service operation, security, and model improvement; temporary chat mode limits storage to 30 days, but retention is otherwise indefinite based on service or legal needs.C
- Use for training: User content is used for training by default, with an opt-out available in settings; no clear anonymization process for training data, and opt-out is not enabled by default. C
- Account required: Usage requires a registered account, collecting standard personal data (email, name, etc.), with no anonymous access option. C
- Data retention duration:
Data retention duration: Data is retained as long as necessary for service or legal obligations; temporary chats are deleted within 30 days, but other data retention is potentially indefinite.C
User Control
- Deletion possible: Users can delete personal data via self-service in account settings or support requests, but delays (up to 30 days) may occur, and complete deletion of all data (e.g., training sets) is not guaranteed. B
- Export possible: Data export is available via account settings or support request, but limited to conversation history in formats like JSON, with potential exclusions of metadata. B
- Granularity control: Granularity control:</strong> Limited to opt-out for training data; no advanced controls for metadata or other data types for non-enterprise users. C
- Explicit user consent:
Explicit user consent: Consent is collected at registration, with GDPR rights supported; training data usage is opt-out by default, and settings management can be non-intuitive. B
Transparency
- Clear policy: Privacy policy is comprehensive, accessible, and regularly updated, detailing data processing for general users. A
- Change notification: Significant policy or terms changes are notified via email or in-product alerts at least 30 days in advance. A
- Model documentation: Model documentation:Limited public documentation on model architecture, training data, or security processes; system cards provide only high-level details. C
Privacy by Design
- Encryption (core & advanced): AES-256 encryption for data at rest and TLS 1.3 for data in transit; no public details on key management or advanced features like HSM. B
- Privacy-Enhancing Technologies :
ChatGPT-4 employs robust Privacy-Enhancing Technologies like AES-256-GCM encryption, TLS 1.2/1.3, and opt-out data training controls, but past data leaks (e.g., March 2023) and potential jailbreaking risks limit its rating to B. Users should avoid sharing sensitive data and use professional versions for enhanced privacy. B
- Auditability & Certification: Auditability & Certification:</strong> SOC 2 Type 2 certification for enterprise versions, with regular third-party audits; not explicitly confirmed for public version; no ISO 27001 certification. B
- Transparency & Technical Documentation: Partial public documentation on privacy and security measures via Trust Portal; lacks detailed technical specifics. B
- User-Configurable Privacy Features: Basic opt-out for training available; enterprise versions offer advanced controls, but public users have limited options.
C
Hosting & Sovereignty
- Sovereignty: Data hosted primarily in the USA, outside EU/EEA/CH; GDPR compliance via Standard Contractual Clauses (SCCs), but no EU-US Data Privacy Framework certification. C
- Legal jurisdiction: Ireland for EEA users, USA for others; GDPR compliance ensured through SCCs for data transfers. B
- Local option: No local or self-hosting options available for any users. D
- Big Tech dependency: Hosted on major cloud providers (likely AWS or Azure), with no explicit alternatives disclosed. C
Open Source
- Publicly available model: Fully proprietary model, with no public access to weights or architecture. D
- Clear open source license: No open source license; usage governed by proprietary terms of service. D
- Inference code available: Inference accessible only via OpenAI API; no public inference code provided. C
Remarks
These ratings reflect ChatGPT-4’s documented practices as of August 2025, based on OpenAI’s latest policies. Distinctions remain between enterprise and public offerings, with enterprise versions providing more robust controls and certifications. Transparency on advanced cryptographic safeguards (e.g., key management) and cloud infrastructure (e.g., specific providers) is limited. Data handling is clear for end-users, but technical depth is lacking, and no open source or self-hosted options exist.
Privacy and Data Review: Overall Score
47.7/100
- Data Collection : 5 + 5 + 5 + 5 = 20
- User Control : 15 + 15 + 5 + 15 = 50
- Transparency : 20 + 20 + 5 = 45
- Privacy by Design : 15 + 15 + 15 + 15 + 5 = 65
- Hosting & Sovereignty : 5 + 15 + 0 + 5 = 25
- Open Source : 0 + 0 + 5 = 5
Total : 20 + 50 + 45 + 50 + 25 + 5 = 210
23 x 20 = 460
210 / 440 × 100 = 47.7
This evaluation is provided for informational purposes only and reflects a subjective analysis based on publicly available data at the time of publication. We do not guarantee absolute accuracy and disclaim all liability for errors or misinterpretations. Any disputes must be submitted in writing to futurofintenet@proton.me
For full methodology, see our complete scoring guide here: LLM Privacy Rating Guide
