- What we store: agency rows + vault files + per-agency edits + LLM call metadata. No prompt / response bodies in the call log.
- What we send out: only the prompt the active head needs, scrubbed per the PHI Rail, to your selected provider.
- Where to inspect scrubs: phi-gateway's
phi_audit_querytool returns every scrub event with timestamp, source, identifier counts. - Deletion: Settings → Privacy → Delete account. Wipes agency rows, vault, encryption keys, and credit ledger. Irreversible.
Settings
Privacy
What Ambrose stores, what it sends out, and how to inspect every PHI scrub.