I’m wondering if others have had a situation where they’re calling public OpenAPI APIs where there doesn’t appear to be a privacy policy available. Does this simply mean you’ve given up on using it for a Public GPT, or have you thought of a solution?
You mean this? Privacy policy
Oh wait, or are you asking about how to handle an API call in GPT builder if it’s demanding a privacy policy that doesn’t exist from the endpoint?
I think GPT is assuming that you are the one who is creating the API endpoint yourself. And to be honest, I wouldn’t see how people wouldn’t need to develop their own custom API endpoint, if you aren’t representative of a larger company. That doesn’t mean impossible, but it would still be extremely difficult.
The reason why is that you can’t perform logic or execute code in the API calls themselves. It’s more like GPT yelling at another computer to do that for it so it can give back a natural language answer to the user.
If you are building your own API endpoints to any degree, even if to manage other public APIs from other companies, congratulations. You have a potential new product, and you get to be a part of us who are also trying to innovate the space and platform.
That also means the privacy policy becomes your responsibility to produce yourself.
It might be annoying, and you might not have realized what you did if you did build your own API endpoint, but this is a good problem to have.
Also, you’re literally interacting with a sophisticated text generator. Asking it to make a privacy policy for your app, and editing it to ensure it’s actually stating the truth doesn’t make it an arduous problem to solve.
Yes indeed! I’m NOT asking about the OpenAI privacy policy.
It’s not possible to share GPTs that don’t have a privacy URL, which is where my query comes from…
There are a lot of public OpenAPI endpoints. See apis(dot)guru for instance. There are over 2500 APIs that you can call.
Hmm, interesting thought that I can just call public APIs and make my own API endpoint and my own privacy policy. Although I don’t really see what part of the privacy I can offer, if let’s say I’m not persisting anything and simply pulling info from public endpoints (i.e. read not write). Seems like I’m just passing through whatever the user enters (which should be bound by OpenAI’s privacy policies) to a public endpoint, and I can’t determine what that public endpoint does with the input data…
I’ll see what ChatGPT thinks about that puzzle indeed.
Gotcha!
If you’re not persisting anything and not selling this or planning to evolve this into a sellable product, then you don’t need to know “know your customer” laws, and therefore can simply state in your privacy policy exactly what you described: You do not collect, share, nor use anyone’s data in any way, and all interactions are thereby subject to OpenAI’s privacy policies. You probably need a little bit more words than that, but basically, that’s the gist, and ChatGPT can help…inflate that lol.
Everyone knows it’s the document nobody reads, but in essence the privacy policy is meant to inform the user what you, the creator of this product (the GPT), are doing with their data. It is also meant to legally protect you in case someone makes a claim that you are doing something you shouldn’t with their data.
I’m working on something (kinda) similar, but it’s a tad more complex, and it requires me to manage OAuth tokens for persistence, so unfortunately my GPT’s privacy policy won’t be as simple. Consider yourself lucky.
If you’re at this stage already, you should feel really good about where you’re standing for the future. Seriously. I’m not gonna tell you what to do, but consider how you might be able to leverage multiple public APIs. There’s a lot of potential here, and this is why tool usage capabilities for custom GPTs is such a big deal.
Custom GPTs are essentially better plugins, which in and of themselves are freeware products. You are not just the hand that passes a message along, you are the messenger between two endpoints yourself.
I’m excited to see what you build. Please share it when it’s working!
Also, forewarning you might need to, considering tool usage and action development in GPT builder is…buggy at best.
Thanks for your reply Macha!
Thought I’d share the response I just got from ChatGPT about this:
(this is the first GPT I cooked up with a public API: chat(dot)openai(dot)com/g/g-LzdxH31Wm-magic-design-shopper. Unfortunately I can’t update it any more, so will need to duplicate I think)
When using a public API endpoint directly in your GPT, the approach to handling the privacy policy depends on a few factors, including the availability of a privacy policy for the public API and your method of integration. Here are some scenarios and what you might do in each:
Public API Has a Privacy Policy:
- Direct Link: If the public API provides a privacy policy, you can link directly to this policy in your GPT setup. This is straightforward and informs users about the data practices of the API you are using.
Public API Lacks a Privacy Policy:
- Create Your Own Policy: In this case, you would need to create a privacy policy that explains how the public API might handle data. This policy should detail the data processing activities as you understand them and disclose the lack of an official privacy policy from the API provider.
- Host Your Own Endpoint (Optional): Hosting your own endpoint to pass through the data is an option but not a necessity. If you choose to do this, your privacy policy would then cover how your endpoint handles data before passing it to the public API. This adds a layer of complexity but might give you more control over the data flow.
Using Your Own Privacy Policy:
- Explain Data Flow: Whether or not you host your own endpoint, your privacy policy should clearly explain how data is handled. This includes what data is collected, how it’s sent to the public API, and what users can expect in terms of data processing by the public API.
- Transparency about Unknowns: If you’re unsure about certain aspects of the public API’s data handling (due to the lack of a privacy policy), be transparent about these unknowns. Inform users that certain data processing aspects are outside of your control and knowledge.
Compliance and User Consent:
- Comply with Laws: Ensure your privacy policy and practices comply with relevant data protection laws.
- User Consent: Even though OpenAI handles user consent for API calls, your privacy policy should acknowledge this process and detail the types of data being shared with the public API.
Regular Updates: If the public API you’re using updates its data handling practices or publishes a privacy policy, update your GPT’s privacy policy accordingly.
In summary, you do not necessarily have to host your own endpoint. Your main responsibility is to provide a clear and comprehensive privacy policy that explains how data is handled when passed to the public API, including any limitations in your knowledge due to the lack of an official privacy policy from the API provider. Transparency and compliance are key in this process.
Excellent discussion
I’d love to see our Privacy Policy examples by use-case / scenario. So I’ll work on one now and post shortly and see if it gains traction. Feel free to post yours as well if you’d like.
Template: General Privacy Policy | GPT Actions
Level: Basic / General
Use Case: General ChatGPT Assistant usage with secure, non-user-related ‘API-specific’ data / configurations located within cloud.
[Company/Product Name] Privacy Policy
Last Updated: [Insert Date]
Introduction
Welcome to [Company/Product Name]. This Privacy Policy outlines our commitments and your rights regarding the collection, use, and protection of your personal information. It applies to all services and products offered by [Company/Product Name].
Information Collection
What We Collect:
- We collect information necessary to provide our services, such as queries and interaction data with our ChatGPT assistant.
- We do not collect personal identification information unless voluntarily provided by you for specific services.
How We Collect:
- Information is collected through your interaction with our services and voluntary disclosures.
Use of Information
- The information collected is solely used for providing and improving our services.
- We do not use your data for profiling or targeted advertising.
- [Company/Product Name] does not collect, share, nor use personally identifiable data in any way. All interactions with our services are subject to OpenAI’s privacy policy and OpenAI’s terms of use.
Data Sharing and Disclosure
- [Company/Product Name] does not share any user information with third parties.
- We do not disclose user information publicly or to any external entities, except as required by law.
Data Retention and Deletion
- [Company/Product Name] does not hold any data persistently. All data is deleted immediately after the interaction or service provision.
- Users can request the deletion of any data they have voluntarily provided.
Data Security
- We employ robust security measures to protect data from unauthorized access and misuse.
- Despite our efforts, no digital platform can guarantee absolute security.
User Rights and Control
- Users have the right to access and control any personal information provided to us.
- Requests for access, correction, or deletion of personal data can be made through our contact channels.
Changes to Our Privacy Policy
- We reserve the right to modify this privacy policy at any time. Changes will be posted on our website with an updated revision date.
Contact Us
- If you have any questions or concerns about our privacy practices, please contact us at [Provide Contact Information].
Jurisdiction
This policy is governed by GDPR and CCPA law by way of OpenAI’s terms of use.
By using [Company/Product Name]'s services, you acknowledge that you have read and understood this Privacy Policy.
Note: It’s essential to ensure that this privacy policy is in alignment with the actual practices of your service and complies with relevant laws and regulations. Consulting with a legal expert is advisable to confirm its suitability. Additionally, since your policy mentions OpenAI’s privacy policies, ensure that you understand and accurately represent how those policies interact with your own.
Been offline for a while just seen this, thanks it’s very helpful
@AxW Thank you immensely for the example privacy policy. I was unable to locate many resources online about setting this up, and this post was the only information I had to work off of.
That in mind, I was able to easily set up a privacy policy based on your template, host it on AWS S3 using my private personal domain, and use the URL of the policy document in ChatGPT successfully to publish it publicly.
A thousand thanks! Based on my success, I highly recommend using this template.
Quick question, in order for OpenAI to accept the privacy statements, and being able to make your own GPT public while using your own API to communicate with several external Web Apps, does the privacy policy need to be hosted on your own website? So in my case I use Heroku to deploy my Python scripts that communicate with other APIs and GPT to call the Heroku endpoints. I tried to add them there but they got ignored…