Business · Industry Guide · 13 min read · Published July 2, 2026

ZDR revoked for the frontier tier · 30-day retention required · consumer plans unaffected

Fable 5’s 30-Day Retention: The End of Zero Retention?

The viral headline — “Anthropic now retains everyone’s data” — is wrong. Thirty-day retention was already the non-ZDR API default, and consumer plans are unaffected. The real change: zero-data-retention agreements do not extend to Fable 5 and Mythos-class traffic, with a classifier-triggered human-review path and no publicly stated ceiling once content is flagged.

Digital Applied Team
Senior strategists · Published Jul 2, 2026
Sources: 11 primary sources

  • Standard retention window: 30 days (Mythos-class models, effective Jun 9, 2026)
  • Claude models keeping ZDR: 3 (Opus 4.8 · Sonnet 4.6 · Haiku 4.5; Fable 5 excluded)
  • ChatGPT logs a court compelled: 20M (de-identified · SDNY order, affirmed Jan 5, 2026)
  • Copilot re-enabled Fable 5: Jul 1 (GA → suspended → GA again)

Fable 5’s data retention policy is the most misunderstood story of Anthropic’s June 9, 2026 launch. The claim ricocheting around comment threads — that Anthropic suddenly started retaining everyone’s data for 30 days — is false. Thirty-day retention was already the standard non-ZDR API default, and consumer plans are explicitly unaffected. What actually changed is narrower and, for enterprises, arguably more consequential.

Zero-data-retention agreements — the contractual arrangements under which prompts and outputs are never stored — do not extend to Fable 5 or any Mythos-class model. An organization with a standing ZDR contract must explicitly enable retention in the Claude Console to use Fable 5 at all. Layer on a classifier-triggered human-review path and no publicly stated maximum retention window once content is flagged, and you have a genuine governance question that Microsoft’s legal team, GitHub’s admin defaults, and at least two analyst firms are now actively working through.

This guide separates what changed from what didn’t: the precise scope of the ZDR carve-out, Anthropic’s stated safety rationale, the questions the policy leaves open, how it compares with OpenAI’s approach, what enterprises actually did in response, and what the precedent record — read carefully — does and does not show.

Key takeaways
  1. Fable 5 didn't invent 30-day retention. 30 days was already Anthropic's non-ZDR API default, and consumer surfaces were already retained. The change is that ZDR agreements do not extend to Fable 5 / Mythos-class traffic — existing enterprise commitments are overridden for this model class.
  2. The flagged-content ceiling is the open question. Anthropic's own text says data is deleted after 30 days except in 'rare cases' — flagged content or legal holds. The Verge and PYMNTS report retention of up to two years for flagged material; Anthropic's primary wording states no number.
  3. Enterprises reacted within 24 hours. Microsoft restricted internal Fable 5 use pending legal review, and the model is absent from employees' internal Copilot picker. In GitHub Copilot, Fable 5 is disabled by default — Enterprise and Business admins must explicitly opt in.
  4. OpenAI still offers approved ZDR — with a caveat. OpenAI's ZDR remains available to approved organizations and isn't scoped by model tier. But a January 2026 court order compelling 20 million de-identified ChatGPT logs shows a retention promise is not the last word when a judge disagrees.
  5. This is a ToS change, not a law. No statute or regulator compelled the policy — Anthropic adopted it unilaterally as a stated safety measure. The no-training promise for retained data is company policy language; no named third-party audit of that specific claim has surfaced.

01 · What Changed
The delta is a ZDR revocation, not new retention.

Start with what the policy actually says. Anthropic’s support article, effective June 9, 2026, applies to organizations that set up workspaces with zero data retention in the Claude Console, use Claude Code with ZDR in Claude Enterprise, or access Claude through AWS Bedrock, Google Cloud Agent Platform, or Microsoft Foundry with ZDR configured. Anthropic’s consumer plans — Free, Pro, and Max — are unaffected by this specific policy, because they were never zero-retention in the first place.

For everyone inside that scope, the change is binary. Every other current Claude API model — Opus 4.8, Sonnet 4.6, Haiku 4.5 — can still operate under ZDR agreements. Fable 5 and the Mythos-class models cannot, regardless of prior contract terms. To use Fable 5 at all, a ZDR organization must explicitly enable data retention for that traffic.

The policy, verbatim
“Prompts submitted to, and outputs generated by, Mythos-class models are retained for 30 days to support our safety work, on every platform where these models are offered.” — Anthropic Support, “Data retention practices for Mythos-class models,” effective June 9, 2026.

ZDR intact: Opus 4.8 · Sonnet 4.6 · Haiku 4.5 (zero data retention still available; existing contracts honored)

Existing ZDR agreements continue to apply to every other current Claude API model. Nothing about the June 9 policy alters retention for these tiers, on first- or third-party platforms.

ZDR revoked: Fable 5 · Mythos-class (30-day retention required, all surfaces; opt-in retention or no access)

ZDR agreements do not extend to this model class. Organizations must explicitly enable retention in the Claude Console to route any traffic to Fable 5 — a policy change that overrides prior enterprise commitments for this tier.

"If your organization previously had a ZDR agreement with Anthropic, that agreement does not apply to Fable 5 traffic. This is a policy change that overrides existing enterprise commitments for this specific model class." — Jessica Eaves Mathews, AI-focused lawyer, via Cybernews, June 10, 2026

The reaction was immediate and, in places, less precise than the policy itself. Jun Park, founder and CEO of the AI training lab hillclimb, posted on X: “New policy from Anthropic: if you use Fable/Mythos, they collect your data. No exceptions. Not even for enterprise partners.” That is accurate for the Mythos tier — and it is the “not even for enterprise partners” part that makes this a different kind of policy change from a default that any customer could previously negotiate away. Palantir’s Alex Karp made a related, blunter argument about vendor data control this same news cycle — the question of who holds the data exhaust of frontier AI is becoming its own storyline.

02 · Stated Rationale
Why Anthropic says it needs the window.

Anthropic’s stated reason is cross-request threat detection. The company frames the retention window as necessary to catch “complex and novel attacks” and jailbreak techniques that span multiple separate requests. The logic: a safety system that can only see one request at a time cannot recognize a Best-of-N-style attack assembled gradually across many prompts. Retaining a rolling 30-day window gives automated trust-and-safety systems the longitudinal visibility to correlate attempts.

The same mechanism explains the human-review path. When Anthropic’s automated classifiers flag content, it can be routed for human review — the same classifier infrastructure whose coding-workflow trade-offs we examined separately is what triggers extended retention here. Anthropic pairs this with two stated protections: by default, no Anthropic personnel can read retained conversations, and every instance of controlled access is written to a tamper-proof log that reviewers cannot modify.

Anthropic's announcement, verbatim
“We will require 30-day retention for all traffic on Mythos-class models, on both first- and third-party surfaces. We won’t use this data to train new Claude models, or for any non-safety-related purpose, and we’ve instituted new privacy protections including logging all human access to the data and ensuring its deletion after 30 days in almost all cases.” — Anthropic, “A new data retention policy,” June 9, 2026.

Taken at face value, this is a coherent safety architecture: retention scoped to the most capable model class, access gated and logged, deletion the default. The support article puts the purpose plainly: “To ensure we’re responsibly deploying Mythos-class models, we are requiring limited data retention and review as part of our safety work.” The friction is not that the rationale is implausible — it is that several of its load-bearing terms are doing work the published text doesn’t fully specify. That is where the open questions live.

03 · Open Questions
Three things the policy text leaves open.

First: how long is “rare cases”? Anthropic’s own wording says retained data is deleted after 30 days “except in the rare cases where it’s been flagged by our automated trust and safety systems or we’re legally required to keep it.” The primary text states no numeric ceiling for that exception. Two independent outlets do: The Verge reports that some flagged prompts and outputs can be stored for up to two years, and PYMNTS independently reports the same figure. Anthropic’s text says rare cases; press reports describe up to two years. Both statements can be true — but a compliance officer cannot cite “rare cases” in a data-processing register.

Second: who verifies the no-training promise? Anthropic states it won’t use retained Mythos-class data to train new Claude models. That is company policy language — self-attested. Anthropic holds SOC 2 Type II, ISO 27001, and ISO 42001 attestations, but those are general information-security and AI-management-system process controls, not a bespoke external audit of this specific corpus and this specific promise. No public record of such a named audit surfaced in our research. That is not evidence of a violation — it is an open question about verification, and one enterprises are entitled to ask before enabling retention.

Third: this is policy, not law. No statute, agency rulemaking, or court order compelled the 30-day requirement. Anthropic adopted it unilaterally as a stated safety measure, announced alongside the Fable 5 / Mythos 5 launch. Terms of service can change again — in either direction — at the same discretion that created them. Whatever your view of the safety rationale, the governance posture it demands from customers is different from a regime anchored in regulation.

Deletion default: 30 days (deleted in “almost all cases”)

Anthropic's stated exceptions: content flagged by automated trust-and-safety systems, or data it is legally required to keep. The primary policy text gives no numeric maximum for either exception. Source: support.claude.com

Flagged ceiling: 2 years (press-reported, not Anthropic-stated)

The Verge and PYMNTS independently report flagged content can be stored for up to two years. Anthropic's own wording says only 'rare cases' — treat the number as reporting, not vendor text. Source: The Verge · PYMNTS

Default read access: 0 personnel, absent a flag (stated protection)

By default, no Anthropic personnel can read retained conversations. Access happens through a controlled path — e.g., after a classifier flag — and every access instance lands in a tamper-proof log reviewers cannot modify.

04 · Vendor Comparison
Zero data retention across frontier vendors.

Most coverage treats “Anthropic requires retention” and “OpenAI still offers ZDR” as isolated facts. Put side by side — with the court-order record included — the picture is more textured. OpenAI’s ZDR remains available, but it is approval-gated: organizations must be approved by OpenAI, typically via its sales team, before ZDR can be selected at the org or project level. Once enabled, the store parameter is forced to false even if a request tries to set it. Crucially, OpenAI’s approval is not scoped to exclude specific model tiers the way Anthropic’s Fable 5 carve-out works — an approved customer keeps ZDR across models.

Zero-data-retention treatment across Anthropic and OpenAI access tiers: ZDR availability, default retention, flagged or exception ceiling, and known court-compelled disclosure precedent.

| Access tier | ZDR available? | Default retention | Flagged / exception ceiling | Court-compelled precedent |
| --- | --- | --- | --- | --- |
| Anthropic — Claude API | | | | |
| Opus 4.8 / Sonnet 4.6 / Haiku 4.5 | Yes — existing ZDR agreements still apply | 30 days (standard non-ZDR API default); zero under ZDR | “Rare cases” per Anthropic support text | None reported to date |
| Fable 5 / Mythos-class | No — ZDR does not extend to this tier; retention must be enabled in the Console | 30 days, required on all first- and third-party surfaces | Anthropic: “rare cases”; press reports (The Verge, PYMNTS): up to two years | None reported to date |
| OpenAI | | | | |
| API, approved ZDR customers | Yes — approval-gated; not scoped by model tier once granted | Abuse-monitoring logs retained up to 30 days by default | Legal-hold exceptions still apply | See ChatGPT order — no API-specific order reported |
| ChatGPT Enterprise | Customer-controlled retention (“You control how long your data is retained”) | Configurable; no training on business data by default | Legal holds remain reachable by courts | Yes — 20M de-identified ChatGPT logs ordered produced in copyright discovery, affirmed Jan 5, 2026 |

The court-order column is the uncomfortable part for anyone tempted by a simple “Anthropic bad, OpenAI good” framing. On January 5, 2026, U.S. District Judge Sidney H. Stein affirmed a magistrate order requiring OpenAI to produce 20 million de-identified ChatGPT logs in the consolidated New York Times / Chicago Tribune / authors copyright litigation. The court rejected OpenAI’s privacy objection, reasoning that ChatGPT users, unlike wiretap subjects, “voluntarily submitted their communications” to OpenAI. This was discovery in a copyright dispute, not a breach — but it establishes that a contractual retention promise does not put a vendor’s data beyond the reach of a court. Data that exists can be compelled; data that was never stored cannot.

There is also an infrastructure wrinkle for cloud deployments. AWS documentation, cited by Cybernews, notes that for Bedrock customers, “Once you opt in data retention, your data will leave AWS’s data and security boundary.” That is a cloud-architecture constraint, not just a policy toggle — for certain regulated Bedrock workloads, it can disqualify Fable 5 outright regardless of how the organization feels about the 30-day window itself.

05 · Enterprise Response
Microsoft, GitHub, and the vendor-risk lens.

The clearest signal of how seriously enterprises took the change came from the company closest to it. Within a day of launch, The Verge reported that Microsoft was limiting internal employee use of Fable 5 specifically because of the retention policy. Fable 5 is absent from the internal model picker Microsoft employees use for GitHub Copilot, while every other Claude model remains available internally — because those models still operate under ZDR. Microsoft’s legal teams were evaluating the change, with two stated concerns: customer data and confidential information. As of the report, it was not yet clear whether legal would clear Fable 5 for internal use; Microsoft declined to comment.

"Microsoft is limiting the use of Claude Fable 5 for employees because of Anthropic's new data retention requirements." — Tom Warren, Senior Correspondent, The Verge, June 10, 2026

Jun 9, 2026: Copilot GA (github.blog changelog; generally available)

GitHub rolls Fable 5 out to GitHub Copilot as generally available on launch day, alongside the model's broader release.

Jun 12, 2026: Suspended everywhere (all Copilot experiences; export-control driven)

Access suspended across all GitHub Copilot experiences — concurrent with the broader export-control suspension that hit Fable 5 that week, not solely a retention decision.

Jul 1, 2026: Re-enabled, opt-in (admin policy disabled by default; default off)

Fable 5 returns to general availability in Copilot — but the policy ships disabled by default for Enterprise and Business admins, who must explicitly opt in. Other Claude models run under standing ZDR.

The GitHub timeline needs its footnote read: the June 12 suspension coincided with the export-control suspension that also hit Fable 5 this cycle, so it cannot be attributed to the retention policy alone. The more telling governance artifact is the July 1 re-enablement: unlike other Claude models, Fable 5 came back disabled by default, requiring an explicit admin opt-in. That default is a quiet but precise institutional judgment — the retention terms are different enough that no administrator should inherit them silently.

The analyst framing
Forrester’s analyst blog frames the change as overriding existing zero-retention agreements and adds a vendor-risk dimension most security teams hadn’t priced: “any vendor in your ecosystem can turn on a Mythos-class model overnight, even before your organization ever ‘adopts’ it.” Forrester also predicts the first internal document most security teams circulate about Fable 5 will be guidance on prompts that bypass its fallbacks — that is, evading the classifier — an incentive worth naming plainly. Bitsight published separate third-party-risk coverage reinforcing the same point: exposure now arrives through vendors, not only through your own model choices.

06 · Precedent, Precisely
What the leak record actually shows.

The strongest argument against any retained corpus is precedent: data that exists can leak. But the precedent record gets cited sloppily, and the incident most likely to appear in a comment thread as “see, Anthropic leaks data too” is the one that proves something different. On March 31, 2026, Anthropic accidentally shipped a 59.8MB JavaScript source map in Claude Code npm package version 2.1.88, exposing roughly 512,000 lines across ~1,884 TypeScript source files of the coding agent’s internal harness — memory architecture, internal feature flags and codenames, and an internal system prompt among them.

That was a self-inflicted leak of Anthropic’s own internals — its intellectual property, not its users’ conversations. Anthropic’s spokesperson statement to VentureBeat was explicit: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.” It should not be conflated with the retention story — and equally, it should not be waved away, because it demonstrates the mundane way exposure actually happens: packaging mistakes, misconfigurations, human error. The categorical comparisons matter, so here they are side by side.

Timeline of AI infrastructure exposure incidents: the Claude Code npm source-map leak, the OpenAI Redis bug, and the DeepSeek ClickHouse exposure, compared by what was exposed, scope, root cause, and whether user data was involved.

| Incident | What was exposed | Scope | Root cause | User data involved? |
| --- | --- | --- | --- | --- |
| Claude Code npm source map (Mar 31, 2026) | Internal TypeScript source of the coding agent’s harness — memory architecture, feature flags, internal codenames, an internal system prompt | 59.8MB source map · ~512,000 lines · ~1,884 files | Release packaging error — human error, per Anthropic | No — “No sensitive customer data or credentials were involved or exposed” (Anthropic statement) |
| OpenAI Redis library bug (Mar 20, 2023) | Some users’ chat titles; partial payment-related information for a subset of users | Subset of active users during the incident window | Bug in an open-source Redis client library | Yes — genuine but contained user-data exposure |
| DeepSeek ClickHouse exposure (discovered Jan 29, 2025) | Plaintext chat history, API keys, backend operational metadata in open log streams | 1,000,000+ log entries, found “within minutes” by Wiz Research | Fully open, unauthenticated public database | Yes — openly accessible until responsible disclosure |

Read as a set, the table cuts both ways. Against Anthropic: the company asking enterprises to accept mandatory retention had a packaging error expose its own internals three months earlier — controls fail in boring ways, and a retained user corpus raises the stakes of every future boring failure. For Anthropic: its incident is categorically different from the two genuine user-data exposures in the record, and its own retained-data protections — default-inaccessible storage, logged access — are precisely the controls DeepSeek’s wide-open database lacked. The precedent record argues for taking retention seriously; it does not, on its own, convict anyone.

07 · The Decision
What teams should actually do with this.

The trend beneath the policy is worth naming. For years, the frontier-model market treated privacy terms as a negotiable enterprise perk — the more you paid, the less the vendor kept. Fable 5 inverts that at the top of the capability curve: the most capable tier now carries the least negotiable data terms, on the argument that capability itself is what creates the safety obligation. If that framing holds, retention stops being a pricing lever and becomes a property of the model class — something you architect around rather than negotiate away.

Projecting forward, the likeliest equilibrium is stratification. Frontier tiers carry safety-driven retention and, increasingly, metered access; the previous generation holds ZDR as its differentiator; and open-weight or locally deployed models become the trailing-but-private floor — the on-device alternative to metered, retained frontier access. None of those positions is wrong; they are different answers to how much capability a given workload is worth trading for control.

Frontier capability: Enable retention, use Fable 5 (accept the terms, scoped)

Right when the capability delta materially changes outcomes and the workload contains no regulated or client-confidential data. Document the Console opt-in, the 30-day window, and the flagged-content exception in your data-processing records first.

ZDR preserved: Stay on Opus 4.8 / Sonnet 4.6 (default for regulated data)

Existing ZDR agreements still cover every non-Mythos Claude model. For most enterprise workloads the prior generation remains strong — and it keeps your zero-retention posture intact without changing vendors.

Vendor alternative: OpenAI approved ZDR (second frontier option)

OpenAI's ZDR is approval-gated but not scoped by model tier once granted. Remember the January 2026 order: courts can compel data that exists anywhere — ZDR's real value is minimizing what exists to compel.

Maximum control: Open-weight / on-device (private by architecture)

Trailing capability, but prompts never leave infrastructure you control — no retention policy to read, no vendor toggle to audit. Strongest fit for sovereignty-bound and highly regulated workloads.

Whichever posture fits, the operational work is the same: inventory which of your vendors can route traffic to Mythos-class models, read the retention terms as they apply to your contracts rather than as headlines describe them, and decide per-workload instead of per-vendor. That vendor-exposure inventory is exactly the kind of governance exercise our AI transformation engagements run for enterprises — mapping where frontier models touch your data, under which terms, and what the switch costs actually are.

08 · Conclusion
The price of the frontier?

Open questions, honestly held

Zero retention didn't end — it moved down a tier.

Strip away the inaccurate headlines and the facts are these: Anthropic revoked zero data retention for one model class, stated a safety rationale, paired it with real but self-attested protections, and left the flagged-content ceiling specified only by press reporting. Enterprises responded rationally — Microsoft paused, GitHub made it opt-in — and the previous Claude generation keeps ZDR intact.

The questions that remain open are the honest ones. Can a no-training promise for retained data be independently verified, and would Anthropic submit that specific claim to a named external audit? Will the “rare cases” exception acquire a stated ceiling in Anthropic’s own text? And if mandatory retention plus metered access is becoming the price of the frontier, how many workloads are willing to pay it — versus settling for trailing capability that never leaves their own hardware?

We don’t claim to know the answers. We do claim the framing matters: this is not a story about a company harvesting everyone’s data, and it is not nothing. It is a unilateral redefinition of what enterprise privacy terms mean at the top of the capability curve — and the most useful response is neither outrage nor shrug, but a workload-by-workload decision made with the actual policy text in hand.

FAQ · Fable 5 data retention

The questions we get every week.

No. Thirty-day retention was already Anthropic's standard non-ZDR API default before Fable 5 launched, and consumer surfaces (Free, Pro, Max) were already retained — those plans are explicitly unaffected by this policy. What changed on June 9, 2026 is that zero-data-retention agreements do not extend to Fable 5 or other Mythos-class models. Organizations that previously operated under ZDR must explicitly enable retention in the Claude Console to use Fable 5 at all. So the accurate summary is a ZDR revocation for one model class, not a new retention regime for everyone.