ChatGPT Now Personalizes From Email and Past Chats

ChatGPT personalization on the Free tier crossed a line on June 9, 2026. OpenAI updated its GPT-5.5 Instant announcement to confirm that enhanced personalization — drawing on past conversations, uploaded files, and connected Gmail — is now rolling out to the Free and Go plans, not just to Plus and Pro. The model that most of an agency's staff use on personal accounts can now remember and reuse what they put into it.

What is at stake is not the model getting smarter. GPT-5.5 Instant has been ChatGPT's default since May 5, 2026. What changed on June 9 is who the personalization reaches, and therefore what a casual, unmanaged free account is now quietly accumulating: client names, draft strategy, account details, and — if someone connected Gmail — an indexed copy of their inbox. For an agency, the risk is no longer hypothetical or confined to a paid SKU.

This guide covers what actually changed, what the model now draws on, the exact Gmail OAuth scope that gets granted, the audit-trail gap most coverage misses, the prompt-injection exposure that persistent memory introduces, and a tier-by-tier matrix plus a practical data policy you can hand to your team. Every fact below is sourced to OpenAI's own documentation or to named third-party research, and clearly labelled where a figure is vendor-stated.

GPT-5.5 Instant became ChatGPT's default model for all users — Free, Go, Plus, and Pro — on May 5, 2026, replacing GPT-5.3 Instant. At launch, the headline feature beyond the model itself was enhanced personalization: the ability to draw on a user's past chats, uploaded files, and connected Gmail. But that feature shipped first only to Plus and Pro on the web. For roughly five weeks, the free accounts that most agency staff actually use were untouched.

On June 9, 2026, OpenAI updated the same announcement with a short but consequential note: personalization improvements are now rolling out to ChatGPT Go and Free. The distinction OpenAI draws is that Free-tier responses pull from a reduced window of past conversations rather than the full history window that Plus and Pro receive. OpenAI has not published the exact size of that reduced window, so do not assume a specific number of chats or a date range — treat it as "some recent history," not none.

The interpretation that matters for an agency: most published coverage framed personalization as a Plus and Pro upgrade, which let teams reasonably assume their free-tier staff were unaffected. The June 9 note quietly closed that gap. The people most likely to be unaware of what they are now sharing are exactly the people on unmanaged free accounts — and they are often the ones drafting on live client work. If you want the deeper technical background on the model line that introduced this behaviour, our GPT-5.5 complete capabilities guide covers the Thinking and Pro variants, and the GPT-5.5 reasoning-behaviour migration playbook explains how the default model itself changed.

Enhanced personalization draws on three sources, each with a different risk profile. Past conversations are the obvious one: anything typed into ChatGPT can now shape later answers, which is useful for continuity and risky when those conversations contained client confidential material. Uploaded files are the second: documents shared for a one-off task become candidate context for future responses while Memory is enabled.

The third source is the one agencies underestimate — a connected Gmail account. According to OpenAI's own help documentation, connecting a Google app does not just give ChatGPT a live read at query time. It can create an indexed copy of the content and sync it. When Memory is enabled, that synced content can be used to proactively personalize responses, not only when you explicitly ask about your email.

There is one piece of genuinely reassuring detail in the same documentation, and it deserves to be stated precisely so it is not over-claimed. OpenAI states it does not train its general models directly on connected Google app data — with narrow exceptions: content you submit as feedback via thumbs up or down, content you manually copy and paste into a conversation, or content that ends up inside a ChatGPT response. That training carve-out, however, is a separate question from whether the data is used as live context for your own personalization. It is.

Most writing on this topic stops at "ChatGPT can read your email." The more useful, auditable fact is the specific OAuth scope that gets granted when a user connects Gmail: https://www.googleapis.com/auth/gmail.modify. That is a read-and-write scope, broader than a read-only permission would be. It is a concrete thing a Workspace administrator can look up and review in the Google Admin console rather than a vague worry.

To be careful about what this does and does not mean: granting a broad scope is not the same as ChatGPT acting destructively in your mailbox. The practical behaviour OpenAI documents is the indexed copy plus sync described above, and that indexed copy is deleted within 30 days of disconnecting the Google app. But for an agency running a security review, the right posture is to treat the scope itself as the auditable control point — because it is the thing your admin can actually allow or restrict for the entire organization.

This is the single most actionable point in this guide, and it is the one most coverage skips. Under the Dreaming V3 architecture, derived memories are stored in a separate data layer from the conversation logs. Deleting a conversation therefore does not delete the memories synthesized from it. To fully remove a piece of information, a user has to separately delete both the conversation and the corresponding memory entry.

There is a retention tail on top of that. As reported in independent analysis of the Dreaming V3 update, OpenAI states that logs of deleted saved memories may be retained for up to 30 days for safety and debugging purposes. So the mental model of "I deleted the chat, the information is gone" is wrong on two counts: the derived memory persists separately, and even after you delete the memory, a log of it can survive for up to a month.

That Sources control is a genuine improvement worth crediting: when a response is personalized, an indicator below the reply shows which memories, past chats, or files informed it, and individual entries can be edited or deleted from there. The important caveat for collaboration is that these source indicators are not included when a chat is shared — a recipient of a shared conversation cannot see what personal context shaped the responses they are reading, which matters if staff share ChatGPT threads with clients.

Persistent, auto-synthesized memory does more than raise a privacy question — it changes the security model. Because memories are appended to the model's system prompt, a maliciously crafted instruction reaching ChatGPT through a document, a linked webpage, or a tool output can attempt to write to that persistent memory. The concern, documented by Tenable Research and reported in independent coverage of the Dreaming V3 rollout, is that this turns memory into a channel that can outlast a single session.

OpenAI shipped a partial mitigation on June 4, 2026: ChatGPT Lockdown Mode became available to all logged-in users, including personal Free, Go, Plus, and Pro accounts as well as self-serve Business. It is an opt-in setting that restricts the higher-risk capabilities an attacker would need to actually exfiltrate data — web access, external services, Agent Mode, Deep Research, Canvas networking, and file downloads. The important limitation to be honest about is that Lockdown Mode reduces the exfiltration stage; it does not block injected instructions from entering the conversation context in the first place.

For agencies handling regulated or sensitive client data, Lockdown Mode is worth deploying on accounts that touch that work, but it should be understood as one layer rather than a fix. Our deeper breakdown of what it disables and how to roll it out across a team is in the dedicated ChatGPT Lockdown Mode piece, and the memory mechanics behind all of this are covered in our Dreaming V3 memory architecture explainer.

This is the table no single source in the research set provides: each ChatGPT plan mapped against memory default, past-chat window, Gmail connection availability, admin control over memory, whether conversations are used for model training by default, and Lockdown Mode availability. Use it as a starting point for deciding which tier each class of agency work belongs on, and verify the live behaviour in settings before relying on any single cell.

Press coverage tends to blur three distinct privacy controls into one. They are not interchangeable, and each one leaves a different gap. The table below maps what each toggle controls, what it does not, and — critically — whether it has any effect on connected Gmail data. Note in particular that the model-training toggle does not govern Gmail data at all, and that turning off memory does not instantly purge it.

The practical takeaway from this table is that no single switch gives you confidentiality. Turning off "Improve the model for everyone" stops training but leaves personalization and Gmail indexing fully active. Turning off memory stops new personalization but does not retroactively erase what is stored. The only control that reliably keeps a one-off sensitive task out of both history and memory is Temporary Chat — which is exactly why it belongs at the centre of any agency policy.

A blanket ban on ChatGPT is neither realistic nor desirable — staff will use it regardless, and it is genuinely productive. The better move is a short written policy that maps each class of work to the right tier and the right control. Here is the decision tree we use when helping clients set one, and the same logic we apply to our own agentic delivery.

The three rules that make this policy stick are short enough to put on one page. First: client-identifiable work goes in Temporary Chat unless it is on a managed Business or Enterprise account. Second: Gmail connection is an admin decision, never an individual one, and on managed accounts only. Third: to remove something, delete the chat and the memory entry, and assume a short retention tail. If you want help turning that into an operational standard your team will actually follow, our AI digital transformation engagements build governance like this alongside the tooling, and our CRM and automation work keeps client data inside systems you control rather than in ad-hoc chat history.

Three announced changes in the next two months tighten the timeline for getting a policy in place. None has happened yet as of publication, but each is dated, and together they argue for sorting this out now rather than after the fact. The regulatory one in particular reframes personalization from an internal hygiene question into a compliance question for any agency with EU clients.

There is precedent that makes the regulatory column more than theoretical. In December 2024, Italy's data protection authority, the Garante, fined OpenAI 15 million euros over GDPR violations tied to ChatGPT data handling. For an EU-based agency evaluating whether free-tier personalization on client data is acceptable, that is a concrete reference point: regulators in the bloc have already shown willingness to act on exactly this category of issue, and the AI Act's transparency obligations add a second layer on top.

Reading the trend forward: the direction of travel is toward more personal context flowing into consumer AI by default, not less, and toward regulators treating that flow as something that must be disclosed and governed. The agencies that come out ahead will be the ones that decided their tier-and-policy posture before a client or a regulator asked them to produce it — not the ones scrambling to reconstruct what staff put into a free account after the question is already on the table.