We have developed a comment moderation tool that leverages the OpenAI API. Its primary function is to score incoming comments on our website to detect potential spam and ensure high-quality discussions. Importantly, the tool does not generate any content. It only produces a digit in the range of 0 to 9, with a maximum length of 1 token. The tool will soon be available publicly (installable as a WordPress plugin to speed up the comment moderation process for publishers)
For transparency, here’s how we plan to inform our users (the same will do the plugin users on their websites):
Privacy Policy:
“We utilize an AI-powered comment moderation system developed by TechSpokes Inc. to ensure quality and relevance in our community discussions. When you post comments on our website, be aware that your personal data is processed by OpenAI, serving as a data-processing agent on our behalf. The submitted comments are retained in logs for up to 30 days for technical purposes. This data is not shared with any third parties except if required by law. By posting comments, you acknowledge and consent to this processing of your personal data.”
Comment Form Footer:
“By commenting, you consent to AI moderation and data storage for up to 30 days. We don’t share data unless required by law. [Link: Details]”
Can you please confirm if our usage of the OpenAI API in this manner complies with the current usage policies? We aim to ensure full compliance and a transparent user experience.
On the face of it your statement seems accurate, but it does not seem to mention what you do with the data (if anything) i.e. what do you do with that data after it is checked, it could be that you have a separate section for that in the document as a whole.
My opinion is not that of an OpenAI staff member or as legal council, however, your use case seems inline with current OpenAI policy, at least that of it on display here.
Thanks for you reply. From data processing agreement from OpenAI (if I got those right) API call logs are stored up to 30 days for debugging purpose and are not shared with 3rd parties unless required by applicable law and with prior notice. Then the data is destroyed.
The statement from privacy policy is just a “mandatory” paragraph we will require our customers to include to their regular privacy policy page they have under their full control to be able to use the software.
As a technical provider, TechSpokes does not have any access to personal data submitted on our clients’ websites, nor the OpenAI API keys used by our clients’.
Processing of Personal Data. If you use the Services to process personal data, you must provide legally adequate privacy notices and obtain necessary consents for the processing of such data, and you represent to us that you are processing such data in accordance with applicable law. If you will be using the OpenAI API for the processing of “personal data” as defined in the GDPR or “Personal Information” as defined in CCPA, please fill out this form to request to execute our Data Processing Addendum.
Hi @sergeliatko ,
I hope you found the responses from @Foxalabs and @_j helpful. It’s always a good practice to refer to the OpenAI Terms of Use at Terms of use for the most up-to-date information. If you have any more questions or need further clarification, don’t hesitate to ask.
Thank you very much for your replies guys that is really helpful.
Seeing the above I will include a consent field to the comment form referring to the privacy policy page and a short code / macro to include in the privacy policy page content on clients’ websites.
Both will be mandatory conditions to get the plugin working besides regular software license keys. This way is going to be easy and compliant for everyone.
The only thing I will not be able to control from the plug in itself is the data processing addendum agreement between my customer and OpenAI. But I can include a checkbox in the admin settings to get confirmation the client have signed such an agreement with OpenAI.