ChatGPT July 7, 2026 7 min read

ChatGPT Enterprise vs Free: What Your AI Policy Should Say About Each

The difference between ChatGPT Free, Plus, Team, and Enterprise matters a lot for your AI policy. Here's how to classify each.

How ChatGPT's four tiers actually differ on data

OpenAI publishes its data practices for each product tier, and the differences are significant enough that treating them as interchangeable in your policy is a real risk. Here's what each tier actually does, based on OpenAI's published privacy policy and enterprise privacy documentation.

Tier Training on prompts (default) Can opt out of training? Zero data retention available? Admin controls?
Free Yes, by default Yes, per-user setting No No
Plus Yes, by default Yes, per-user setting No No
Team Off by default N/A (off by default) No Limited (workspace admin)
Enterprise Off by default N/A (off by default) Yes, via API agreement Yes (SSO, domain controls, audit logs)

The practical takeaway: Free and Plus users are opted in to model training unless they individually toggle it off in their account settings. That's a per-user action, not something IT can enforce centrally. Team and Enterprise disable training by default at the workspace level — but only Enterprise gives your IT or security team the admin visibility to verify that and enforce it.

For a fuller picture of how ChatGPT's consumer tiers stack up as workplace tools, see ChatGPT's workplace risk profile and the ChatGPT Enterprise risk profile in our tool directory.

Zero data retention: what it actually means (and what it doesn't cover)

Zero data retention (ZDR) is a term OpenAI uses specifically in the context of its API, not the ChatGPT web interface. Under a ZDR agreement, OpenAI does not store API inputs or outputs on its servers after the request is complete. This is meaningful for organizations building custom applications on top of OpenAI's API — but it does not automatically apply to your employees using ChatGPT.com in a browser.

ChatGPT Enterprise does not offer ZDR in the same technical sense as the API. What it does offer is a commitment that conversation data is not used for training, is retained for 30 days by default (configurable), and is accessible to your workspace admins. That's meaningfully better than Free or Plus, but it's not the same as zero retention — and your policy language should reflect that distinction.

Don't write "zero data retention" into your policy unless you're using the OpenAI API with a ZDR agreement in place. Misusing this term creates a false sense of security and a gap between your policy and reality.

For regulated industries — healthcare organizations subject to HIPAA Privacy Rule 45 CFR § 164.502(e), financial firms under FINRA Rule 4370, or any company handling EU personal data under GDPR Article 28 — the absence of a signed Data Processing Agreement (DPA) or Business Associate Agreement (BAA) with OpenAI matters enormously. OpenAI offers a BAA for Enterprise customers. It does not offer one for Free or Plus users. That alone should determine your classification of those tiers in your policy.

What your policy should actually say about each tier

Vague language like "use AI tools responsibly" or "do not share confidential information" doesn't hold up when an employee pastes a client contract into ChatGPT Free. Your policy needs to be explicit about which tier is approved, for what data types, and under what conditions. Here's a practical framework.

ChatGPT Free and Plus: Restrict to public-information tasks only. These tiers have no organizational controls, no central admin visibility, and training opt-out is per-user. Classify these as "personal use tools" and prohibit use with any company data — including internal communications, customer data, financial information, or any content that wouldn't be acceptable to post publicly. Your policy language might read: "ChatGPT Free and ChatGPT Plus accounts are not approved for use with company information. Employees may use these tools for general learning or personal tasks unrelated to their work responsibilities."

ChatGPT Team: Conditionally approved with data classification limits. Team accounts disable training by default and give a workspace admin limited controls. This tier is appropriate for internal, non-sensitive work tasks — drafting, summarizing public information, brainstorming — but should be prohibited for confidential client data, PII, or regulated data categories. Policy language: "ChatGPT Team accounts provisioned by [IT/Operations] are approved for Tier 1 and Tier 2 internal data only. Do not use ChatGPT Team with customer PII, financial records, health information, or any data classified as confidential."

ChatGPT Enterprise: Approved with conditions, tied to a signed DPA. This is the only ChatGPT tier appropriate for sensitive work tasks, and only after your legal team has reviewed and signed OpenAI's Data Processing Agreement and, where applicable, the BAA. Policy language: "ChatGPT Enterprise, provisioned through [IT], is approved for use with internal and confidential company data, subject to your data classification policy. Employees must use their company-provisioned Enterprise account — personal ChatGPT accounts are not a substitute."

If you want help drafting this language in a format that fits your existing employee handbook, the AI acceptable use policy template guide has a ready-to-adapt structure.

Browser extensions and plugins: the gap your policy probably isn't covering

Even if you've nailed the ChatGPT tier language, there's a second surface area most policies miss entirely: browser extensions and third-party plugins that connect to ChatGPT or OpenAI's API.

Extensions like ChatGPT sidebar tools, AI writing assistants that wrap OpenAI's API, and productivity apps with "ChatGPT inside" integrations often operate under their own privacy policies — not OpenAI's. An employee might be using a browser extension that routes their prompts through a third party's servers before hitting OpenAI, adding a data processor your IT team has never reviewed. This is a textbook shadow AI scenario.

Your policy should address this explicitly. Recommended language: "Employees may not install browser extensions, add-ons, or third-party applications that connect to AI services — including ChatGPT — unless those tools have been reviewed and approved by IT. Approval of ChatGPT Enterprise does not constitute approval of third-party tools that use the ChatGPT or OpenAI API."

Also worth noting: ChatGPT's plugin ecosystem (now largely folded into GPTs) allows custom integrations that can send data to external services. If your Enterprise workspace has GPTs enabled, your admin should audit which GPTs are available to employees and whether any connect to external APIs outside OpenAI's infrastructure.

Moving employees from personal to enterprise accounts: the migration gap

The most common real-world problem isn't employees who've never used ChatGPT — it's employees who've been using personal Free or Plus accounts for months, often for legitimate work tasks, before your organization stood up an Enterprise account. The migration from personal to enterprise isn't just a technical switch; it's a policy and data hygiene problem.

Here's what the migration gap looks like in practice:

Your migration policy should include three steps. First, set a hard cutover date: after [date], personal ChatGPT accounts may not be used for any work tasks. Second, send employees instructions for deleting their ChatGPT conversation history (Settings → Data Controls → Delete all chats in the personal account). Third, use your Enterprise admin tools to verify that employees are logging in with their company credentials, not personal ones — SSO enforcement is the cleanest way to close this gap.

This migration moment is also a good time to run a broader AI tool audit. Employees who've been using ChatGPT personally for work are often using other unsanctioned tools too. The generate a tailored policy kit tool can help you build the policy framework before you kick off that audit.

Common questions

What is the difference between ChatGPT Team and ChatGPT Enterprise for data privacy purposes?

ChatGPT Team disables model training by default and gives a workspace admin basic controls, but it doesn't include a signed Data Processing Agreement (DPA) or BAA with OpenAI, and its admin tools are limited. ChatGPT Enterprise includes a DPA, optional BAA for healthcare organizations, SSO enforcement, audit logs, and configurable data retention — making it the only tier appropriate for sensitive or regulated data. If your organization handles HIPAA-covered data or EU personal data subject to GDPR Article 28, Team is not a substitute for Enterprise. The cost difference is real, but so is the compliance gap.

Can employees just opt out of ChatGPT model training on their personal accounts to make it compliant?

No — opting out of training on a personal Free or Plus account removes one risk, but it doesn't address the others. Personal accounts still have no central admin visibility, no DPA with your organization, no BAA option, and no enforcement mechanism. You can't verify whether an employee actually toggled the opt-out, and the setting applies per-account, not organization-wide. For any company data, the opt-out workaround isn't an acceptable compliance strategy. Restrict personal accounts to non-work use and provision Enterprise accounts for employees who need to use ChatGPT with company data.

Does ChatGPT Enterprise offer zero data retention?

Not in the same sense as OpenAI's API ZDR agreement. ChatGPT Enterprise does not train on your data and gives admins control over retention periods (30 days by default), but conversation data is retained on OpenAI's infrastructure for that window. True zero data retention — where inputs and outputs aren't stored after the request completes — is an API-level feature for organizations building on top of OpenAI's API directly. For most companies, Enterprise's terms are strong enough for sensitive internal work, but don't describe it as "zero data retention" in your policy unless you've also set up API-level ZDR.

What should we do about employees who've already been using personal ChatGPT accounts for work?

Set a hard cutover date, communicate it clearly, and give employees specific instructions to delete their personal ChatGPT conversation history before that date. Then enforce company account use through SSO so that employees can only access ChatGPT Enterprise with their company credentials on managed devices. The historical data in personal accounts is already subject to whatever terms those employees agreed to individually — you can't retroactively fix that, but you can stop it from accumulating further. Treat this as a data hygiene incident requiring documentation, not just a policy rollout.

Generate your AI policy in 10 minutes

Tailored to your industry and the AI tools your team uses. Free preview, $79 one-time or $149/mo with monthly updates.

Generate my policy kit →