GPT Privacy & Domain Verification Checklist (For Actions)

Q: How do I handle deletion requests?

Include an email in your policy and be ready to delete logs/subscriber data upon request.

Publishing a GPT with Actions? Use this copy‑paste checklist to meet requirements and keep user data safe.

Last updated: September 27, 2025

TL;DR (5 steps)

Publish a public Privacy Policy URL on your domain.
Verify your domain in the GPT builder (TXT record or hosted file).
Configure auth in your OpenAPI spec (API key / Bearer / OAuth2).
Don’t send PII unless essential; minimize logs; add error handling.
Test happy‑path + error paths and confirm clear user messaging.

Domain Verification (TXT or File)

Option A: DNS TXT

Add a TXT record at your DNS host, then wait for propagation.

# DNS provider → yourdomain.com (root zone)
Type: TXT
Name/Host: _gpt-verify
Value: gpt-verify=YOUR_RANDOM_TOKEN
TTL: 300

If your DNS flattens the name, the host field may appear as _gpt-verify.yourdomain.com.

Option B: File upload

Upload a specific file to your site and confirm ownership.

# Create file at your web root
/public_html/.well-known/gpt-verify.txt

# File contents
gpt-verify=YOUR_RANDOM_TOKEN

Create the .well-known folder if it doesn’t exist.

Privacy Policy — Copy Blocks

Purpose & Data Types

We operate tools that run on the ChatGPT platform. When you use our GPT, we may process:
- Email address (if you contact us or subscribe)
- Conversation content sent to our API via Actions (only when needed to fulfill a request)
- Technical metadata (timestamps, IP, user agent) for security and abuse prevention

How We Use Data

We use data to deliver the requested feature, improve reliability, and respond to inquiries. We do not sell personal data. We minimize logging and retain only what is necessary for short periods unless required by law.

Sharing

We may share data with service providers (hosting, email, analytics) to operate our services. These providers are contractually required to protect your information and may only use it as instructed by us.

Retention & Deletion

We keep contact/subscriber data until you unsubscribe or request deletion. API logs are retained briefly for troubleshooting and security. To request deletion or access, email hello@howtocreateagpt.com.

Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your data. Contact us to exercise these rights; we will respond promptly.

Security & PII Minimization

We design our Actions to avoid sending personally identifiable information (PII) unless essential to provide the requested feature. Do not share sensitive data in prompts.

Auth Config — Quick Snippets

API Key

components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
security:
  - ApiKeyAuth: []

Bearer Token

components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
security:
  - BearerAuth: []

OAuth2 (Auth Code)

components:
  securitySchemes:
    OAuth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://auth.example.com/oauth/authorize
          tokenUrl: https://auth.example.com/oauth/token
          scopes:
            read: Read data
            write: Write data
security:
  - OAuth2: [read, write]

PII Guardrails (what to avoid)

Do not send passwords, access tokens, or government IDs via Actions.
Prefer user or resource IDs over full names/emails whenever possible.
Mask or truncate free‑text fields; validate parameters server‑side.
Keep responses minimal and non‑sensitive; return references/URLs instead of raw records.
Log request IDs, not entire payloads. Redact PII in logs.

Pre‑Publish Checklist

Privacy URL reachable at /privacy.html
Domain verified (TXT or file) and OpenAPI URL stable
Auth configured; secrets stored server‑side
Error responses return clear messages; user‑facing text is friendly
Instructions include a privacy line (don’t send PII)
Run tests: happy path, missing param, 4xx/5xx, and timeouts

FAQ

Do I need a privacy policy if I don’t use Actions?

Best practice: yes, but Actions require it since your API may process user data.

Is DNS verification better than file upload?

Either works. DNS TXT is more resilient if you move hosting; file upload is quick if you control the site.

Can I send emails from an Action?

Yes, but avoid sending user PII unless essential. Inform users and provide an opt‑out.

How do I handle deletion requests?

Include an email (e.g., hello@howtocreateagpt.com) in your policy. Be ready to delete logs/subscriber data upon request.