On June 4, 2026, OpenAI announced Dreaming V3, the largest update to ChatGPT's memory system since the feature launched. The new architecture synthesizes context across all your conversations and keeps it current automatically. OpenAI describes it as giving ChatGPT the equivalent of long-term memory across sessions.
For personal users, this is a quality-of-life improvement. For teams using ChatGPT at work, it is a governance change that requires attention.
TL;DR: OpenAI's Dreaming V3 (June 4, 2026) rebuilds ChatGPT memory to persist detailed user profiles across all sessions. Business and Enterprise plan rollout is coming in weeks. Memory is independent of training opt-outs. Disabling training does not disable memory. If employees share client names, project details, or personal data in ChatGPT conversations, that data can accumulate in memory. GDPR Article 17 right-to-erasure and CCPA data retention obligations apply. Four actions: audit memory, set org policy, update acceptable use policy, review DPA terms.
What Dreaming V3 actually does
Previous ChatGPT memory stored explicit facts you saved. Dreaming V3 changes the model: the system now continuously synthesizes memory from your conversations, without you needing to manually save anything.
OpenAI's blog post describes it as a background process that runs during idle periods, similar to how human memory consolidates during sleep. The system extracts relevant information from recent conversations and updates your persistent profile automatically. It also updates memory over time, so a note that "you are going to Singapore in July" becomes "you went to Singapore in July 2026" after the date passes.
The practical result for a business user: anything you tell ChatGPT in the course of work, including your role, your company, client names, ongoing projects, technical constraints, budget limits, internal process details, can be retained and surfaced in future conversations without your active involvement.
The governance gap between training opt-out and memory
Most enterprise teams that have thought about ChatGPT privacy have focused on the model training question: does OpenAI use our conversations to train future models? For Business and Enterprise customers, the answer is no by default, confirmed in OpenAI's enterprise privacy terms.
Memory is a different system entirely. Disabling training does not disable memory. A user on a Business plan whose organization has opted out of training can still have a memory profile built from their work conversations, retained on OpenAI's servers, and surfaced in every future session.
The two features are independent, and the controls for each are in different places. Training opt-out is managed at the organization level through the admin console or data processing agreement terms. Memory is managed through user settings (Settings, then Personalization) or through organization-level admin controls on Business and Enterprise plans.
If your team made a governance decision about ChatGPT based on the training opt-out alone, that decision needs to be revisited in light of Dreaming V3.
What data is actually at risk
The practical risk is not that ChatGPT memory stores raw conversations. It stores a synthesized profile, which means extracted facts and preferences. The concern is what facts get extracted.
In a normal work context, a user describing a compliance problem to ChatGPT might mention a client's name, the nature of a regulatory issue, the internal team handling it, and a timeline. All of that can enter the synthesized memory profile. A user asking for help drafting an email might reference a colleague's name and a sensitive personnel situation. A developer asking for debugging help might describe the internal architecture of a system containing customer data.
None of this requires the user to explicitly save a memory entry. Dreaming V3 extracts it automatically.
For organizations subject to GDPR, this creates two specific obligations. GDPR Article 17 gives data subjects the right to erasure of their personal data. If employee data or client personal data enters a user's ChatGPT memory, those individuals may have the right to request deletion, and your organization needs a mechanism to honor those requests. GDPR Article 13 requires transparency about how personal data is processed, which means your employee and client privacy notices may need to reference AI tool memory features.
For organizations subject to CCPA, the retention of personal information in AI memory profiles triggers the same retention and deletion obligations as any other stored personal information.
The admin control picture
OpenAI has built organization-level memory controls for Business and Enterprise plans, accessible through the admin console. Administrators can disable memory for all users in their organization, which prevents Dreaming V3 from building or accessing memory profiles for any employee account.
For Free and Plus users, memory control is individual. Each user can go to Settings, then Personalization, and toggle memory off. Users can also view their current memory profile and delete individual entries or all memory from the same settings page.
The API also now includes a memory_context parameter that developers can use to build applications that leverage long-term user profiles. This means memory capabilities are now accessible to teams building internal tools on top of ChatGPT, not just users of the consumer product.
Four governance actions
1. Audit what ChatGPT memory has stored for your accounts.
Before deciding on a policy, understand the current state. Any user who has been using ChatGPT (on any plan) for more than a few months may have a memory profile built from prior conversations. Have employees check Settings, then Personalization, then Manage Memory to see what has been stored. If business-sensitive or personal data appears, delete those entries and document what was found.
2. Set an organization memory policy before the Business/Enterprise rollout.
If your organization is on a Business or Enterprise plan, act before the Dreaming V3 rollout reaches your accounts. Decide now whether to enable or disable memory at the organization level. For most organizations handling client data or employee personal data, the conservative choice is to disable memory at the org level and allow individual employees to enable it only for use cases that have been reviewed. Blanket enablement before assessing the data exposure is the riskier path.
3. Add memory to your AI acceptable use policy.
Your current AI acceptable use policy almost certainly does not mention AI memory features. Add a clause covering: what categories of data employees may not discuss in memory-enabled ChatGPT sessions, the requirement to disable memory when handling personal data, and the process for requesting deletion of memory entries that contain business-sensitive information. The AI acceptable use policy template has the sections this clause should sit within.
4. Update your AI vendor DPA review to cover memory retention.
Most DPA reviews focus on training data and processing. Add memory-specific questions: how long is memory retained, what is the deletion process, does memory storage trigger data processing agreement obligations, and which data center region stores memory for EU users. These questions belong in your next AI vendor due diligence review of OpenAI.
What memory means for different ChatGPT plan types
The memory feature behaves differently across plan types, which matters for how you govern it by role and use case within your organization.
Free users: Dreaming V3 is rolling out to Free accounts globally over the coming weeks. Free users can view and delete their memory in Settings but cannot manage it at a team level. For organizations where employees may be using personal Free accounts for work tasks, this is a shadow AI risk. Those employees are building memory profiles on OpenAI's servers that the organization cannot audit or control.
Plus and Pro users: Memory launched with Dreaming V3 and is on by default. Individual users can disable it in Settings. There is no organization-level control for Plus and Pro subscriptions, which means if your organization purchases Plus seats for employees, each employee manages their own memory independently.
Business plan: Organization-level memory controls are coming with the Business rollout of Dreaming V3 in the coming weeks. Admins will be able to enable or disable memory for the entire organization through the admin console. This is the plan tier where centralized governance becomes possible.
Enterprise plan: Same admin controls as Business, plus access to the memory_context API parameter for custom application development. Enterprise agreements also include stronger data processing terms and the ability to negotiate specific data retention commitments.
The practical governance implication: if your organization has a mix of plan types, you may only be able to enforce a memory policy for your Business or Enterprise accounts. Employees on personal Free or Plus accounts are outside your administrative control, which means your acceptable use policy needs to address whether personal account use for work tasks is permitted, and if so, under what conditions.
The ChatGPT memory deletion process
Before your next policy review, it is worth understanding exactly how memory deletion works in practice, because the process matters for honoring data subject deletion requests.
Individual users can view their memory profile by going to Settings, then Personalization, then Manage Memory. The interface shows a list of memory entries as short text summaries of what the system has retained. Users can delete individual entries by clicking the delete button next to each, or delete all memory at once.
Deleting memory from the Settings interface removes the entries from the active memory profile. OpenAI's terms state that deleted data is removed consistent with their standard data deletion timelines, which for most account types means the data is removed from production systems within 30 days and from backup systems within 90 days.
For organizations with GDPR data subject deletion obligations, the process is: the data subject requests erasure, the organization identifies which ChatGPT accounts the individual's personal data may have entered (via employee accounts), those account holders delete the relevant memory entries, and OpenAI's retention schedule applies for backend deletion. This is manageable but requires having visibility into which employees have discussed which individuals' data in ChatGPT.
Checklist
- All ChatGPT users in organization have checked memory settings and identified what is stored
- Business-sensitive or personal data entries in memory deleted and documented
- Organization-level memory policy decided (enable/disable) before Business/Enterprise rollout
- Admin console configured to reflect that policy
- AI acceptable use policy updated with memory-specific clause
- Privacy notices updated to reference AI tool memory if personal data is in scope
- DPA review of OpenAI updated to include memory retention questions
- Process established for handling data subject deletion requests relating to AI memory
