Personal Data Flows and Privacy Policy Traceability in Third-party LLM Apps in the GPT Ecosystem
Authors: Juan-Carlos Carrillo (VRAIN, Universitat Politècnica de València, Spain), Jose Luis Martin-Navarro (Aalto University, Finland; VRAIN, Universitat Politècnica de València, Spain), Rongjun Ma (Aalto University, Finland), Jose Such (INGENIO (CSIC-Universitat Politècnica de València), Spain)
Volume: 2026
Issue: 1
Pages: 273–295
DOI: https://doi.org/10.56553/popets-2026-0015
Abstract: The rapid growth of platforms for customizing Large Language Models (LLMs), such as OpenAI’s GPTs, has raised new privacy and security concerns, particularly related to the exposure of user data via third-party API integrations in LLM apps. To assess privacy risks and data practices, we conducted a large-scale analysis of OpenAI’s GPTs ecosystem. Through the analysis of 5,286 GPTs and the 44,102 parameters they use through API calls to external services, we systematically investigated the types of user data collected, as well as the completeness and discrepancies between actual data flows and GPTs’ stated privacy policies. Our results highlight that approximately 35% of API parameters enable the sharing of sensitive or personally identifiable information, yet only 15% of corresponding privacy policies provide complete disclosure. By quantifying these discrepancies, our study exposes critical privacy risks and underscores the need for stronger oversight and support tools in LLM-based application development. Furthermore, we uncover widespread problematic practices among GPT creators, such as missing or inaccurate privacy policies and a misunderstanding of their privacy responsibilities. Building on these insights, we propose design recommendations that include actionable measurements to improve transparency and informed consent, enhance creator responsibility, and strengthen regulation.
Keywords: LLM apps, privacy policy, measurement
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.