• What we store: agency rows + vault files + per-agency edits + LLM call metadata. No prompt / response bodies in the call log.
  • What we send out: only the prompt the active head needs, scrubbed per the PHI Rail, to your selected provider.
  • Where to inspect scrubs: phi-gateway's phi_audit_query tool returns every scrub event with timestamp, source, identifier counts.
  • Deletion: Settings → Privacy → Delete account. Wipes agency rows, vault, encryption keys, and credit ledger. Irreversible.