Fable 5’s data retention policy is the most misunderstood story of Anthropic’s June 9, 2026 launch. The claim ricocheting around comment threads — that Anthropic suddenly started retaining everyone’s data for 30 days — is false. Thirty-day retention was already the standard non-ZDR API default, and consumer plans are explicitly unaffected. What actually changed is narrower and, for enterprises, arguably more consequential.
Zero-data-retention agreements — the contractual arrangements under which prompts and outputs are never stored — do not extend to Fable 5 or any Mythos-class model. An organization with a standing ZDR contract must explicitly enable retention in the Claude Console to use Fable 5 at all. Layer on a classifier-triggered human-review path and no publicly stated maximum retention window once content is flagged, and you have a genuine governance question that Microsoft’s legal team, GitHub’s admin defaults, and at least two analyst firms are now actively working through.
This guide separates what changed from what didn’t: the precise scope of the ZDR carve-out, Anthropic’s stated safety rationale, the questions the policy leaves open, how it compares with OpenAI’s approach, what enterprises actually did in response, and what the precedent record — read carefully — does and does not show.
- 01Fable 5 didn't invent 30-day retention.30 days was already Anthropic's non-ZDR API default, and consumer surfaces were already retained. The change is that ZDR agreements do not extend to Fable 5 / Mythos-class traffic — existing enterprise commitments are overridden for this model class.
- 02The flagged-content ceiling is the open question.Anthropic's own text says data is deleted after 30 days except in 'rare cases' — flagged content or legal holds. The Verge and PYMNTS report retention of up to two years for flagged material; Anthropic's primary wording states no number.
- 03Enterprises reacted within 24 hours.Microsoft restricted internal Fable 5 use pending legal review, and the model is absent from employees' internal Copilot picker. In GitHub Copilot, Fable 5 is disabled by default — Enterprise and Business admins must explicitly opt in.
- 04OpenAI still offers approved ZDR — with a caveat.OpenAI's ZDR remains available to approved organizations and isn't scoped by model tier. But a January 2026 court order compelling 20 million de-identified ChatGPT logs shows a retention promise is not the last word when a judge disagrees.
- 05This is a ToS change, not a law.No statute or regulator compelled the policy — Anthropic adopted it unilaterally as a stated safety measure. The no-training promise for retained data is company policy language; no named third-party audit of that specific claim has surfaced.
01 — What ChangedThe delta is a ZDR revocation, not new retention.
Start with what the policy actually says. Anthropic’s support article, effective June 9, 2026, applies to organizations that set up workspaces with zero data retention in the Claude Console, use Claude Code with ZDR in Claude Enterprise, or access Claude through AWS Bedrock, Google Cloud Agent Platform, or Microsoft Foundry with ZDR configured. Anthropic’s consumer plans — Free, Pro, and Max — are unaffected by this specific policy, because they were never zero-retention in the first place.
For everyone inside that scope, the change is binary. Every other current Claude API model — Opus 4.8, Sonnet 4.6, Haiku 4.5 — can still operate under ZDR agreements. Fable 5 and the Mythos-class models cannot, regardless of prior contract terms. To use Fable 5 at all, a ZDR organization must explicitly enable data retention for that traffic.
Opus 4.8 · Sonnet 4.6 · Haiku 4.5
Existing ZDR agreements continue to apply to every other current Claude API model. Nothing about the June 9 policy alters retention for these tiers, on first- or third-party platforms.
Fable 5 · Mythos-class
ZDR agreements do not extend to this model class. Organizations must explicitly enable retention in the Claude Console to route any traffic to Fable 5 — a policy change that overrides prior enterprise commitments for this tier.
"If your organization previously had a ZDR agreement with Anthropic, that agreement does not apply to Fable 5 traffic. This is a policy change that overrides existing enterprise commitments for this specific model class."— Jessica Eaves Mathews, AI-focused lawyer, via Cybernews, June 10, 2026
The reaction was immediate and, in places, less precise than the policy itself. Jun Park, founder and CEO of the AI training lab hillclimb, posted on X: “New policy from Anthropic: if you use Fable/Mythos, they collect your data. No exceptions. Not even for enterprise partners.” That is accurate for the Mythos tier — and it is the “not even for enterprise partners” part that makes this a different kind of policy change from a default that any customer could previously negotiate away. Palantir’s Alex Karp made a related, blunter argument about vendor data control this same news cycle — the question of who holds the data exhaust of frontier AI is becoming its own storyline.
02 — Stated RationaleWhy Anthropic says it needs the window.
Anthropic’s stated reason is cross-request threat detection. The company frames the retention window as necessary to catch “complex and novel attacks” and jailbreak techniques that span multiple separate requests. The logic: a safety system that can only see one request at a time cannot recognize a Best-of-N-style attack assembled gradually across many prompts. Retaining a rolling 30-day window gives automated trust-and-safety systems the longitudinal visibility to correlate attempts.
The same mechanism explains the human-review path. When Anthropic’s automated classifiers flag content, it can be routed for human review — the same classifier infrastructure whose coding-workflow trade-offs we examined separately is what triggers extended retention here. Anthropic pairs this with two stated protections: by default, no Anthropic personnel can read retained conversations, and every instance of controlled access is written to a tamper-proof log that reviewers cannot modify.
Taken at face value, this is a coherent safety architecture: retention scoped to the most capable model class, access gated and logged, deletion the default. The support article puts the purpose plainly: “To ensure we’re responsibly deploying Mythos-class models, we are requiring limited data retention and review as part of our safety work.” The friction is not that the rationale is implausible — it is that several of its load-bearing terms are doing work the published text doesn’t fully specify. That is where the open questions live.
03 — Open QuestionsThree things the policy text leaves open.
First: how long is “rare cases”? Anthropic’s own wording says retained data is deleted after 30 days “except in the rare cases where it’s been flagged by our automated trust and safety systems or we’re legally required to keep it.” The primary text states no numeric ceiling for that exception. Two independent outlets do: The Verge reports that some flagged prompts and outputs can be stored for up to two years, and PYMNTS independently reports the same figure. Anthropic’s text says rare cases; press reports describe up to two years. Both statements can be true — but a compliance officer cannot cite “rare cases” in a data-processing register.
Second: who verifies the no-training promise? Anthropic states it won’t use retained Mythos-class data to train new Claude models. That is company policy language — self-attested. Anthropic holds SOC 2 Type II, ISO 27001, and ISO 42001 attestations, but those are general information-security and AI-management-system process controls, not a bespoke external audit of this specific corpus and this specific promise. No public record of such a named audit surfaced in our research. That is not evidence of a violation — it is an open question about verification, and one enterprises are entitled to ask before enabling retention.
Third: this is policy, not law. No statute, agency rulemaking, or court order compelled the 30-day requirement. Anthropic adopted it unilaterally as a stated safety measure, announced alongside the Fable 5 / Mythos 5 launch. Terms of service can change again — in either direction — at the same discretion that created them. Whatever your view of the safety rationale, the governance posture it demands from customers is different from a regime anchored in regulation.
Deleted in “almost all cases”
Anthropic's stated exceptions: content flagged by automated trust-and-safety systems, or data it is legally required to keep. The primary policy text gives no numeric maximum for either exception.
Press-reported, not Anthropic-stated
The Verge and PYMNTS independently report flagged content can be stored for up to two years. Anthropic's own wording says only 'rare cases' — treat the number as reporting, not vendor text.
Personnel, absent a flag
By default, no Anthropic personnel can read retained conversations. Access happens through a controlled path — e.g., after a classifier flag — and every access instance lands in a tamper-proof log reviewers cannot modify.
04 — Vendor ComparisonZero data retention across frontier vendors.
Most coverage treats “Anthropic requires retention” and “OpenAI still offers ZDR” as isolated facts. Put side by side — with the court-order record included — the picture is more textured. OpenAI’s ZDR remains available, but it is approval-gated: organizations must be approved by OpenAI, typically via its sales team, before ZDR can be selected at the org or project level. Once enabled, the store parameter is forced to false even if a request tries to set it. Crucially, OpenAI’s approval is not scoped to exclude specific model tiers the way Anthropic’s Fable 5 carve-out works — an approved customer keeps ZDR across models.
| Access tier | ZDR available? | Default retention | Flagged / exception ceiling | Court-compelled precedent |
|---|---|---|---|---|
| Anthropic — Claude API | ||||
| Opus 4.8 / Sonnet 4.6 / Haiku 4.5 | Yes — existing ZDR agreements still apply | 30 days (standard non-ZDR API default); zero under ZDR | “Rare cases” per Anthropic support text | None reported to date |
| Fable 5 / Mythos-class | No — ZDR does not extend to this tier; retention must be enabled in the Console | 30 days, required on all first- and third-party surfaces | Anthropic: “rare cases”; press reports (The Verge, PYMNTS): up to two years | None reported to date |
| OpenAI | ||||
| API, approved ZDR customers | Yes — approval-gated; not scoped by model tier once granted | Abuse-monitoring logs retained up to 30 days by default | Legal-hold exceptions still apply | See ChatGPT order — no API-specific order reported |
| ChatGPT Enterprise | Customer-controlled retention (“You control how long your data is retained”) | Configurable; no training on business data by default | Legal holds remain reachable by courts | Yes — 20M de-identified ChatGPT logs ordered produced in copyright discovery, affirmed Jan 5, 2026 |
The court-order column is the uncomfortable part for anyone tempted by a simple “Anthropic bad, OpenAI good” framing. On January 5, 2026, U.S. District Judge Sidney H. Stein affirmed a magistrate order requiring OpenAI to produce 20 million de-identified ChatGPT logs in the consolidated New York Times / Chicago Tribune / authors copyright litigation. The court rejected OpenAI’s privacy objection, reasoning that ChatGPT users, unlike wiretap subjects, “voluntarily submitted their communications” to OpenAI. This was discovery in a copyright dispute, not a breach — but it establishes that a contractual retention promise does not put a vendor’s data beyond the reach of a court. Data that exists can be compelled; data that was never stored cannot.
There is also an infrastructure wrinkle for cloud deployments. AWS documentation, cited by Cybernews, notes that for Bedrock customers, “Once you opt in data retention, your data will leave AWS’s data and security boundary.” That is a cloud-architecture constraint, not just a policy toggle — for certain regulated Bedrock workloads, it can disqualify Fable 5 outright regardless of how the organization feels about the 30-day window itself.
05 — Enterprise ResponseMicrosoft, GitHub, and the vendor-risk lens.
The clearest signal of how seriously enterprises took the change came from the company closest to it. Within a day of launch, The Verge reported that Microsoft was limiting internal employee use of Fable 5 specifically because of the retention policy. Fable 5 is absent from the internal model picker Microsoft employees use for GitHub Copilot, while every other Claude model remains available internally — because those models still operate under ZDR. Microsoft’s legal teams were evaluating the change, with two stated concerns: customer data and confidential information. As of the report, it was not yet clear whether legal would clear Fable 5 for internal use; Microsoft declined to comment.
"Microsoft is limiting the use of Claude Fable 5 for employees because of Anthropic's new data retention requirements."— Tom Warren, Senior Correspondent, The Verge, June 10, 2026
Copilot GA
GitHub rolls Fable 5 out to GitHub Copilot as generally available on launch day, alongside the model's broader release.
Suspended everywhere
Access suspended across all GitHub Copilot experiences — concurrent with the broader export-control suspension that hit Fable 5 that week, not solely a retention decision.
Re-enabled, opt-in
Fable 5 returns to general availability in Copilot — but the policy ships disabled by default for Enterprise and Business admins, who must explicitly opt in. Other Claude models run under standing ZDR.
The GitHub timeline needs its footnote read: the June 12 suspension coincided with the export-control suspension that also hit Fable 5 this cycle, so it cannot be attributed to the retention policy alone. The more telling governance artifact is the July 1 re-enablement: unlike other Claude models, Fable 5 came back disabled by default, requiring an explicit admin opt-in. That default is a quiet but precise institutional judgment — the retention terms are different enough that no administrator should inherit them silently.
06 — Precedent, PreciselyWhat the leak record actually shows.
The strongest argument against any retained corpus is precedent: data that exists can leak. But the precedent record gets cited sloppily, and the incident most likely to appear in a comment thread as “see, Anthropic leaks data too” is the one that proves something different. On March 31, 2026, Anthropic accidentally shipped a 59.8MB JavaScript source map in Claude Code npm package version 2.1.88, exposing roughly 512,000 lines across ~1,884 TypeScript source files of the coding agent’s internal harness — memory architecture, internal feature flags and codenames, and an internal system prompt among them.
That was a self-inflicted leak of Anthropic’s own internals — its intellectual property, not its users’ conversations. Anthropic’s spokesperson statement to VentureBeat was explicit: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.” It should not be conflated with the retention story — and equally, it should not be waved away, because it demonstrates the mundane way exposure actually happens: packaging mistakes, misconfigurations, human error. The categorical comparisons matter, so here they are side by side.
| Incident | What was exposed | Scope | Root cause | User data involved? |
|---|---|---|---|---|
| Claude Code npm source mapMar 31, 2026 | Internal TypeScript source of the coding agent’s harness — memory architecture, feature flags, internal codenames, an internal system prompt | 59.8MB source map · ~512,000 lines · ~1,884 files | Release packaging error — human error, per Anthropic | No — “No sensitive customer data or credentials were involved or exposed” (Anthropic statement) |
| OpenAI Redis library bugMar 20, 2023 | Some users’ chat titles; partial payment-related information for a subset of users | Subset of active users during the incident window | Bug in an open-source Redis client library | Yes — genuine but contained user-data exposure |
| DeepSeek ClickHouse exposureDiscovered Jan 29, 2025 | Plaintext chat history, API keys, backend operational metadata in open log streams | 1,000,000+ log entries, found “within minutes” by Wiz Research | Fully open, unauthenticated public database | Yes — openly accessible until responsible disclosure |
Read as a set, the table cuts both ways. Against Anthropic: the company asking enterprises to accept mandatory retention had a packaging error expose its own internals three months earlier — controls fail in boring ways, and a retained user corpus raises the stakes of every future boring failure. For Anthropic: its incident is categorically different from the two genuine user-data exposures in the record, and its own retained-data protections — default-inaccessible storage, logged access — are precisely the controls DeepSeek’s wide-open database lacked. The precedent record argues for taking retention seriously; it does not, on its own, convict anyone.
07 — The DecisionWhat teams should actually do with this.
The trend beneath the policy is worth naming. For years, the frontier-model market treated privacy terms as a negotiable enterprise perk — the more you paid, the less the vendor kept. Fable 5 inverts that at the top of the capability curve: the most capable tier now carries the least negotiable data terms, on the argument that capability itself is what creates the safety obligation. If that framing holds, retention stops being a pricing lever and becomes a property of the model class — something you architect around rather than negotiate away.
Projecting forward, the likeliest equilibrium is stratification. Frontier tiers carry safety-driven retention and, increasingly, metered access; the previous generation holds ZDR as its differentiator; and open-weight or locally deployed models become the trailing-but-private floor — the on-device alternative to metered, retained frontier access. None of those positions is wrong; they are different answers to how much capability a given workload is worth trading for control.
Enable retention, use Fable 5
Right when the capability delta materially changes outcomes and the workload contains no regulated or client-confidential data. Document the Console opt-in, the 30-day window, and the flagged-content exception in your data-processing records first.
Stay on Opus 4.8 / Sonnet 4.6
Existing ZDR agreements still cover every non-Mythos Claude model. For most enterprise workloads the prior generation remains strong — and it keeps your zero-retention posture intact without changing vendors.
OpenAI approved ZDR
OpenAI's ZDR is approval-gated but not scoped by model tier once granted. Remember the January 2026 order: courts can compel data that exists anywhere — ZDR's real value is minimizing what exists to compel.
Open-weight / on-device
Trailing capability, but prompts never leave infrastructure you control — no retention policy to read, no vendor toggle to audit. Strongest fit for sovereignty-bound and highly regulated workloads.
Whichever posture fits, the operational work is the same: inventory which of your vendors can route traffic to Mythos-class models, read the retention terms as they apply to your contracts rather than as headlines describe them, and decide per-workload instead of per-vendor. That vendor-exposure inventory is exactly the kind of governance exercise our AI transformation engagements run for enterprises — mapping where frontier models touch your data, under which terms, and what the switch costs actually are.
08 — ConclusionThe price of the frontier?
Zero retention didn't end — it moved down a tier.
Strip away the inaccurate headlines and the facts are these: Anthropic revoked zero data retention for one model class, stated a safety rationale, paired it with real but self-attested protections, and left the flagged-content ceiling specified only by press reporting. Enterprises responded rationally — Microsoft paused, GitHub made it opt-in — and the previous Claude generation keeps ZDR intact.
The questions that remain open are the honest ones. Can a no-training promise for retained data be independently verified, and would Anthropic submit that specific claim to a named external audit? Will the “rare cases” exception acquire a stated ceiling in Anthropic’s own text? And if mandatory retention plus metered access is becoming the price of the frontier, how many workloads are willing to pay it — versus settling for trailing capability that never leaves their own hardware?
We don’t claim to know the answers. We do claim the framing matters: this is not a story about a company harvesting everyone’s data, and it is not nothing. It is a unilateral redefinition of what enterprise privacy terms mean at the top of the capability curve — and the most useful response is neither outrage nor shrug, but a workload-by-workload decision made with the actual policy text in hand.