Thanks for your reply Macha!
Thought I’d share the response I just got from Chatgpt about this:
(this is the first GPT I cooked up with a public API: chat(dot)openai(dot)com/g/g-LzdxH31Wm-magic-design-shopper. Unfortunately I can’t update it any more, so I will need to duplicate it, I think.)
When using a public API endpoint directly in your GPT, the approach to handling the privacy policy depends on a few factors, including the availability of a privacy policy for the public API and your method of integration. Here are some scenarios and what you might do in each:
Public API Has a Privacy Policy:
- Direct Link: If the public API provides a privacy policy, you can link directly to this policy in your GPT setup. This is straightforward and informs users about the data practices of the API you are using.
Public API Lacks a Privacy Policy:
- Create Your Own Policy: In this case, you would need to create a privacy policy that explains how the public API might handle data. This policy should detail the data processing activities as you understand them and disclose the lack of an official privacy policy from the API provider.
- Host Your Own Endpoint (Optional): Hosting your own endpoint to pass through the data is an option but not a necessity. If you choose to do this, your privacy policy would then cover how your endpoint handles data before passing it to the public API. This adds a layer of complexity but might give you more control over the data flow.
Using Your Own Privacy Policy:
- Explain Data Flow: Whether or not you host your own endpoint, your privacy policy should clearly explain how data is handled. This includes what data is collected, how it’s sent to the public API, and what users can expect in terms of data processing by the public API.
- Transparency about Unknowns: If you’re unsure about certain aspects of the public API’s data handling (due to the lack of a privacy policy), be transparent about these unknowns. Inform users that certain data processing aspects are outside of your control and knowledge.
Compliance and User Consent:
- Comply with Laws: Ensure your privacy policy and practices comply with relevant data protection laws.
- User Consent: Even though OpenAI handles user consent for API calls, your privacy policy should acknowledge this process and detail the types of data being shared with the public API.
Regular Updates: If the public API you’re using updates its data handling practices or publishes a privacy policy, update your GPT’s privacy policy accordingly.
In summary, you do not necessarily have to host your own endpoint. Your main responsibility is to provide a clear and comprehensive privacy policy that explains how data is handled when passed to the public API, including any limitations in your knowledge due to the lack of an official privacy policy from the API provider. Transparency and compliance are key in this process.