Does Privian store raw prompts?

No. Raw prompts exist only in request memory and are discarded when the request ends. They are not logged, not written to the observability outbox, and not echoed in response metadata.

Does Privian store rehydrated responses?

No. Rehydrated responses are streamed back to the caller and not persisted.

Only sanitized operational telemetry: counts, timings, error categories, request IDs, model and provider names. Strings that look like emails or phone numbers are redacted by the sanitizer before any sink ever sees them.

Zero retention — Concept

Not stored

Raw prompts.
Raw entity values (the contents that were masked).
The per-request token map.
Rehydrated responses.
Provider API key plaintext.
Gateway API key plaintext (only sha256(key) is stored).

Stored

API key metadata: prefix, last 4 characters, hash, status, owner.
BYOK provider credentials as ciphertext + IV + key version + last 4.
Sanitized observability events: request ID, org ID, model, provider, status class, latency, error category, counts (e.g. entitiesDetected).
Rollup metrics for usage and analytics — never raw content.

How it is enforced

The orchestrator never writes the prompt to telemetry. Event payloads carry promptBytes (a count), not the prompt.
Every event envelope passes through a sanitizer that redacts email- and phone-shaped substrings and clips overly long strings before any sink receives it.
The default production sink is a no-op; the optional Supabase outbox sink receives only sanitized envelopes.

Limitations

Downstream providers (OpenAI, Anthropic, Google) have their own retention policies for the masked traffic they receive. Privian masks before egress; it does not control the provider's logging.
Sanitized observability events themselves are retained for operational debugging and rollups. They contain counts and timings, not content.

Not stored

Stored

How it is enforced

Limitations

Related