Security & Privacy

Your knowledge base is your business. Here is exactly how it's isolated, encrypted, and — when you say so — deleted.

Row-level security

Every table that holds your content — projects, documents, chunks, conversations, messages, leads — is protected by database-level row security. Isolation is enforced by the database itself on every query, not by application code that could have a bug: a request scoped to one project is physically incapable of returning another project's rows. One customer's visitors can never see another customer's knowledge, and your data is never used to train or improve anyone else's chatbot.

Encryption in transit and at rest

All traffic — visitor chats, dashboard sessions, document uploads, API calls — travels over HTTPS. At rest, the database is encrypted by our infrastructure provider. Widget conversations run inside an isolated iframe on our origin, so your visitors' messages never pass through the host page's scripts.

BYOK key encryption

If you bring your own OpenAI key, it is encrypted before it is stored and is never displayed again after entry — not in the dashboard, not in API responses, not in logs. It is decrypted only in memory, per request, to call the provider on your behalf. You can replace or delete it at any time, which immediately revokes our ability to use it.

Data retention

Conversation retention is yours to set, per project, in Settings: keep conversations for 90 days (the default), a window you choose, or less. Expired conversations and their messages are deleted — not archived, not anonymized-and-kept. Deleting a project deletes its documents, chunks, embeddings, conversations, and leads with it.

GDPR and data rights

You control the data your chatbot collects. Visitor-side, the widget stores only a conversation identifier; lead capture is opt-in and configured by you. On request we support access and erasure for personal data held in your conversations — and because retention is configurable, most compliance postures can be enforced automatically instead of manually. Our Privacy Policy and Data Processing Addendum cover the formal commitments; for anything beyond them, contact hello@askorac.com.