PII and privacy settings
Configure how PII is stored and redacted in conversations, including storage policy, redaction rules, and safe saving behavior.
Understand PII and privacy controls
PII and privacy settings control whether the system stores personally identifiable information in client records and how it redacts sensitive data from AI prompts and logs.
Redaction runs independently of storage. Even if you disable PII storage, configured redaction rules still apply to AI prompts and internal processing.
When you change any toggle in this section, the app updates local state only. Changes take effect for your tenant after you select Save PII Settings and the save request completes.
Workflow: configure and apply PII settings
Use this workflow whenever you adjust your PII policy for the tenant.
Choose a storage policy
Decide whether to store PII in client records by using the Enable PII Storage toggle.
- Turn it on to allow PII fields (for example, phones, emails, addresses) to be stored with client records according to your retention policies.
- Turn it off to avoid storing PII in client records while still redacting sensitive data from AI prompts and logs using the redaction rules below.
When you change this toggle, nothing is written to the backend until you save. The UI reflects your pending choice immediately.
Configure redaction rules
Under PII redaction configuration, enable or disable redaction for each PII type and choose whether to allow first and last names in prompts.
- Enable redaction toggles for data you do not want to appear in AI prompts or logs; matching values are replaced with placeholders such as
[SSN]or[EMAIL]. - Disable redaction for fields that your policy allows the AI to see in clear text, understanding they may still be stored if PII storage is enabled.
You can adjust multiple toggles in a single session before saving.
Save PII settings
After you finish configuring storage and redaction:
- Select Save PII Settings.
- Wait for the loading spinner on the button to complete.
When the spinner disappears without an error, the backend has persisted your new PII configuration for the tenant.
Validate behavior
Validate that the system behaves as expected:
- Start a test conversation and enter sample PII (for example, a phone number, email address, or SSN-like value).
- Confirm that the UI, AI prompts, and logs show placeholders where redaction is enabled and raw values where it is disabled.
- Check a client record to verify whether PII fields are stored according to the Enable PII Storage setting.
If the behavior does not match your expectations, return to PII & Privacy settings, adjust toggles, and save again.
Before disabling PII storage or loosening redaction, confirm with your legal, security, and compliance teams that the new configuration aligns with your data handling and retention obligations.
Settings reference
Use this section as a reference for each toggle and its impact.
Storage policy
Enable PII Storage. When true, the system stores PII in client records and other persistent data structures according to your retention policies. When false, the system avoids storing PII in client records, but PII redaction rules still apply to AI prompts and logs, and redacted values appear as placeholders such as [EMAIL] or [PHONE].
Redaction rules
All of these settings live under the pii_redaction_config structure and control how the system redacts PII from AI prompts and internal text.
Redact Social Security numbers and similar national identifiers. When enabled, detected SSN-like patterns in text are replaced with a placeholder such as [SSN] before sending content to AI models or storing logs.
Redact payment card numbers. When enabled, detected credit card patterns (for example, 16-digit sequences that pass basic validation) are replaced with a placeholder such as [CREDIT_CARD] in AI prompts and logs.
Redact phone numbers. When enabled, phone-like strings are replaced with a placeholder such as [PHONE] in text sent to models and stored in logs.
Redact email addresses. When enabled, email-like strings are replaced with a placeholder such as [EMAIL] before content reaches AI models or is written to logs.
Redact physical mailing addresses. When enabled, street address patterns are replaced with a placeholder such as [ADDRESS] in prompts and logs.
Redact dates of birth. When enabled, detected birthdate values are replaced with a placeholder such as [DOB] in prompts and logs.
Name handling in prompts
Use these toggles to control whether first and last names remain visible to AI models and logs, even when other PII is redacted.
Allow first names to pass through without redaction. When true, the system does not replace detected first names with placeholders, even if other PII types are redacted. When false, first names may be removed or generalized according to your broader redaction configuration.
Allow last names to pass through without redaction. When true, detected last names remain visible in AI prompts and logs. When false, last names are handled according to your redaction policy and may be removed or replaced.
Safe change management
Treat changes to PII & Privacy settings as policy changes. Record who changed what and when, and pair configuration updates with internal approvals where required.
For high-assurance environments:
- Test changes in a lower-risk tenant before applying them to production.
- Capture screenshots or change logs of your settings before and after updates.
- Re-validate behavior after any major product, compliance, or integration changes that might affect data flows.
Last updated 2 weeks ago
Built with Documentation.AI