Privacy & data handling

Retention

Conversations expire 30 days after creation by default. A daily PruneExpiredConversations job deletes rows past expires_at and cascades to queries, feedback, unanswered_questions, and prompt_injection_signals tied to those queries.

Right to be forgotten

POST /v1/deletion-requests with a subject_user_external_id queues a deletion job. The processor sweeps queries, feedback, unanswered_questions, and conversations belonging to that subject, recomputes affected gap clusters on the next nightly run, and writes the affected query IDs to deletion_requests.affected_query_ids for audit.

Encryption at rest

Connector OAuth tokens are stored with Laravel encrypted cast — the encryption key derives from APP_KEY at portfolio scale. The production upgrade path is envelope encryption with KMS or Vault. Documented as a self-hosted upgrade; not implemented in this demo.

Audit

audit_events records connector + admin + token-use mutations. The plan partitions by created_at monthly; the public demo runs unpartitioned. Token-use events are sampled at 1:100 for high-frequency sync calls, always-on for write/admin endpoints.

What the public demo stores

The public demo at almanac.philiprehberger.com/demo writes your queries and the chosen role into the public fixture workspace. Queries inherit the 30-day retention. Pasting sensitive data into the public demo is discouraged; the audit log is visible to the portfolio operator.