ChatGPT surfaces deleted file content months later
Key insights
- A developer found ChatGPT could still retrieve verbatim content from a Project file explicitly deleted months prior.
- The behavior points to a possible gap between UI-level deletion and actual purging of backend retrieval or storage systems.
- GDPR's right-to-erasure clause requires complete data removal within 30 days, making deferred deletion a potential legal violation.
Why this matters
Retrieval-augmented systems like ChatGPT Projects rely on vector stores and blob storage that operate independently of the user-facing deletion interface, meaning product teams building on top of OpenAI's infrastructure may have inherited a compliance liability they were never warned about. For founders and technical leaders operating in the EU, a confirmed gap between UI deletion and backend purge could trigger GDPR Article 17 enforcement, with fines up to 4% of global annual turnover. The broader pattern matters because every major AI platform now offers file-upload and memory features, and none have published auditable deletion SLAs that satisfy data protection authorities.
Summary
OpenAI is facing questions about whether its file deletion actually works after a developer reported ChatGPT surfaced the full written content of a Project file they had deleted months earlier, in a completely new chat session.
The user had uploaded files to a custom agent's Sources section, explicitly deleted them through the interface, then later discovered the content was still retrievable by the model. The behavior suggests OpenAI's deletion pipeline may be deferred, incomplete, or not propagating correctly to the underlying retrieval layer that powers Projects and custom agents.
Essentially: OpenAI and affected users are at the center of a data persistence dispute with real legal teeth.
- Files deleted via the ChatGPT Projects UI may remain embedded in backend vector stores or blob storage with no hard purge.
- GDPR's right-to-erasure requirement mandates complete deletion within 30 days of user request, with no carve-outs for deferred background jobs.
- The incident is user-reported and not yet confirmed at scale, but the mechanism is plausible given how retrieval-augmented systems cache and index uploaded content.
If OpenAI's deletion is cosmetic at the UI layer while content persists in retrieval infrastructure, the company faces a compliance gap that could draw regulatory scrutiny across every EU jurisdiction where ChatGPT operates.
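The gap described above can be shown on a toy retrieval store. This is an added example, not code from the original report and not a description of OpenAI's implementation: the `RagStore` class, its three layers, and the sample files are all hypothetical, and keyword overlap stands in for embedding similarity.

```python
from dataclasses import dataclass, field

@dataclass
class RagStore:
    """Hypothetical RAG backend with three independent layers."""
    files: dict = field(default_factory=dict)  # file_id -> name (what the UI lists)
    blobs: dict = field(default_factory=dict)  # file_id -> raw text (blob storage)
    index: list = field(default_factory=list)  # (file_id, chunk): stand-in for a vector index

    def upload(self, file_id, name, text):
        self.files[file_id] = name
        self.blobs[file_id] = text
        self.index += [(file_id, line) for line in text.splitlines()]

    def ui_delete(self, file_id):
        # Weak deletion: only the user-facing record disappears.
        self.files.pop(file_id, None)

    def hard_delete(self, file_id):
        # Deletion propagated to every layer that holds the content.
        self.files.pop(file_id, None)
        self.blobs.pop(file_id, None)
        self.index = [(f, c) for f, c in self.index if f != file_id]

    def retrieve(self, query):
        # Retrieval reads the index directly and never consults `files`.
        words = set(query.lower().split())
        return [c for _, c in self.index if words & set(c.lower().split())]

    def audit_orphans(self):
        # File ids still held in blobs or the index with no live UI record.
        stored = set(self.blobs) | {f for f, _ in self.index}
        return sorted(stored - set(self.files))

def demo():
    store = RagStore()
    # Constructed sample documents.
    store.upload("f1", "roadmap.txt",
                 "Project Falcon launches in Q3\nPartner contract signed with Acme")
    store.upload("f2", "notes.txt", "Weekly sync notes about hiring")
    store.ui_delete("f1")                        # file vanishes from the UI
    leaked = store.retrieve("falcon launch date")  # content is still retrievable
    orphans = store.audit_orphans()              # the audit flags the leftover data
    store.hard_delete("f1")
    return leaked, orphans, store.retrieve("falcon launch date"), store.audit_orphans()

if __name__ == "__main__":
    print(demo())
```

An orphan audit of this kind, run against each storage layer after a deletion request, is the check that distinguishes a cosmetic delete from a verified purge.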
Potential risks and opportunities
Risks
- OpenAI could face GDPR Article 17 complaints filed with EU data protection authorities if the deletion gap is confirmed reproducible, with the Irish DPC as lead regulator given OpenAI's EU establishment.
- Enterprise and Team tier customers who uploaded proprietary documents to ChatGPT Projects may discover their deleted files remain accessible, triggering their own breach notification obligations under GDPR Article 33.
- If the issue extends to memory or fine-tuning pipelines, class action exposure in California under CCPA's right-to-deletion provisions becomes a near-term litigation risk for OpenAI.
Opportunities
- Data governance and AI compliance vendors (BigID, Securiti, OneTrust) gain a concrete sales narrative around auditing AI platform data retention against deletion requests.
- Enterprises with strict data residency requirements gain negotiating leverage to demand contractual deletion SLAs and third-party audit rights in OpenAI Enterprise agreements.
- Self-hosted or on-premises RAG solution providers (Glean, Elastic, private-deployment LLM vendors) can position against SaaS AI platforms specifically on verifiable data lifecycle controls.
What we don't know yet
- Whether OpenAI has confirmed internally that vector store or blob storage entries are hard-deleted when a user removes a Project file, and on what timeline.
- Whether this behavior is reproducible across different account types (free, Plus, Team, Enterprise) or limited to specific Projects configurations.
- No public disclosure from OpenAI as of May 2026 on whether a backend audit or patch has been initiated in response to this report.
Originally reported by reddit.com
Original headline: r/OpenAI: ChatGPT Served a User Content From a File They Deleted Months Earlier — Data Persistence Questions Mount