Forensic GDPR Case · United Kingdom · FC-OPENAI-2026

OpenAI used my therapy
conversations to train AI.
The network traffic proves it.

This is the forensic case file for Fauzia Chaudhry v OpenAI Inc. Network captures, browser cache extractions, and OpenAI's own data export confirm that special-category health data was processed by Scale AI annotators for RLHF training — without explicit consent, without disclosure, and with the opt-out flag set to false after stated withdrawal. 160+ days. No compliant data response.

160+Days since DSAR
no compliant response
124Segment.io tracking
events per session
7Human annotation
reviews confirmed
18GDPR violations
documented
9Implicit RLHF calls
zero user action
7Undisclosed
sub-processors
ICO: IC-474334-N1W1
noyb: #8336742
OpenAI cases: 04911377 · 05024844 · 05261783 · 05988760 · 06092624
Status: Active — awaiting compliant DSAR response
What was exposed: A "Psychotherapy mode questions" session was submitted to Scale AI human annotators without explicit consent under Art. 9 UK GDPR. The RLHF trigger fired at turn 30. OpenAI's own export confirms the actual model was gpt-5-2, while the UI displayed gpt-4o.
The Core Findings
What the forensic evidence proves
01
RLHF triggered on mental health content without consent. A Conversation Rating Shown event fired at turn 30 — submitting the psychotherapy session to Scale AI annotators without Art. 9(2)(a) explicit consent.
02
124 Segment.io telemetry events per session. Every message triggered a POST to chatgpt.com/ces/v1/t transmitting userId, plan type, clipboard metadata, keystroke method, and conversation title to a third-party platform. None disclosed.
03
Model identity concealed. UI displayed gpt-4o. OpenAI's own export shows model_slug: gpt-5-2 on Turn 1. Art. 5(1)(a) accuracy violation from OpenAI's own data.
04
7 human annotation reviews confirmed. Chrome IndexedDB binary contains "reviewed" repeated seven times plus label=MICROSOFT/AZURE confirming the annotation infrastructure.
05
DSAR non-compliant for 160+ days. Six case numbers issued. Zero RLHF records. Zero reviewer notes. Zero Art. 28 DPAs. Opt-out flag remains false after stated withdrawal.
06
7 undisclosed sub-processors identified. Cloudflare, Microsoft Azure, Statsig, Segment.io, Scale AI, Mixpanel, GrowthBook — all receiving personal data. No Art. 28 DPA produced.
Case Files
Explore the evidence
HAR Evidence

Network Traffic Analysis

205 requests decoded. 124 Segment.io events. 3 implicit RLHF calls.

Art. 9 Violation

RLHF and Scale AI Evidence

How the RLHF trigger works and what Scale AI did with the session data.

Legal

18 GDPR Violations

Each violation mapped to the article, evidence, and argument.

Sub-Processors

The 7-Processor Chain

Seven companies received your data. None disclosed. No DPAs produced.

Case History

Complete Timeline

Every date and filing from Lyon July 2025 to ICO and noyb submissions.

Deep Dive

Full Technical Analysis

IndexedDB extraction, JWT decoding, sonic classifier, gpt-5-2 identification.

Verify It

Verify the Evidence Yourself

Step-by-step using your browser and the Google HAR analyser.

Take Action

File Your Own DSAR

Template letter, specific field demands, ICO and noyb escalation steps.

Index

Document Index

All evidence files with SHA-256 hashes and RFC 3161 timestamps.

Active Regulatory Proceedings
Where the case stands

🏛 ICO — IC-474334-N1W1

Formal complaint filed 18 March 2026. Primary UK enforcement track covering Art. 9 and DSAR non-compliance.

⚖️ noyb — #8336742

Three specific breaches submitted with server IPs and exact search terms. Joakim Söderberg assigned.

📋 DSAR — 160+ Days Overdue

Six OpenAI case numbers. Zero RLHF records. Zero DPAs. Deadline missed by 41+ days.

Contact
Direct inquiries and press

For legal queries, researcher collaboration, or press access, reach out directly.

General inquiries
[email protected]
Secure correspondence
[email protected]
Case reference
FC-OPENAI-2026
ICO: IC-474334-N1W1noyb: #8336742Art. 9 UK GDPRDSAR non-complianceSHA-256 hashedRFC 3161 timestamped