> For the complete documentation index, see [llms.txt](https://docs.toucanai.cloud/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.toucanai.cloud/govern/security-model/data-storage-and-retention.md).

# Data storage & retention

{% hint style="info" %}
**Target Audience**: Developers, security reviewers, and compliance stakeholders evaluating how Toucan AI handles data.
{% endhint %}

### TL;DR

* **Your business data stays in your databases.** Toucan AI does not maintain a separate copy of your warehouse or tables as a downloadable dataset.
* **Query results are fetched on demand** for each chart view or AI action, then held only for the duration of that operation (and related UI/AI workflows).
* **Toucan AI stores platform data** (accounts, Dashboard JSON configuration file refering the different components WITHOUT the related data, chart JSON Configuration including the query but not the underlying data, AI conversation history) in its PostgreSQL database.
* **Database connection credentials** are stored encrypted at rest on the platform.
* **There is no dedicated long-term cache of query result rows** on the platform; see [Query data flow & caching](#query-data-flow-and-caching) below.

***

### When to use this

Use this page to understand what Toucan AI persists versus what it processes transiently, and how that relates to retention and deletion.

***

### What Toucan AI stores (platform data)

| Category                         | Examples                                               | Stored by Toucan AI?                                      |
| -------------------------------- | ------------------------------------------------------ | --------------------------------------------------------- |
| Account & organization           | Users, memberships, invitations                        | Yes                                                       |
| Product configuration            | Dashboards, charts, themes, variables, access policies | Yes                                                       |
| Chart definitions                | Query pipeline, chart type, visualization config       | Yes (definition only — not a snapshot of all result rows) |
| Database credentials             | Connection secrets for your connected databases        | Yes, encrypted                                            |
| AI conversation history          | Chat messages and related assistant state              | Yes                                                       |
| Your table rows / warehouse data | Sales records, HR data, etc.                           | **No** — remains in your database                         |

***

### Query data flow & caching

This section answers: *Does Toucan download my data? Is there a cache? Is that cache encrypted?*

#### Does Toucan copy or download my database?

**No.** Toucan AI does not ingest or replicate your connected database into a Toucan-owned data lake.

When a user opens a chart, runs a filter, or asks the AI assistant a data question, Toucan AI:

1. Builds a query from the chart definition or AI workflow.
2. Applies your security rules (row-level and column-level policies).
3. Sends the query to your database **through a dedicated query execution service**.
4. Receives the result for that request only.
5. Uses the result to render the visualization or answer the question.

Your data remains the system of record in **your** database.

#### Is there a query result cache?

**There is no separate, platform-wide cache of query result datasets** (for example, no shared Redis or disk store of “all rows returned from customer DB X”).

| Layer                        | What happens                                                            | Persisted?                                                                                   |
| ---------------------------- | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| **Connected database**       | Source of truth for your rows                                           | Yes — in your infrastructure                                                                 |
| **Query execution**          | Runs the pipeline against your DB for each request                      | No copy kept after the operation completes                                                   |
| **Application memory**       | Holds the result while building a response (chart data, AI tool output) | No — scoped to the request/worker lifecycle                                                  |
| **Chart / dashboard config** | Stores the *query definition* and visualization settings                | Yes — not the resulting dataset                                                              |
| **AI conversation**          | May retain messages and tool outputs from a session                     | Yes — see [AI assistant data handling](/govern/security-model/ai-assistant-data-handling.md) |

Charts are **re-executed** when data is needed again (for example when a user refreshes a dashboard or changes a filter), rather than served from a long-lived Toucan cache of your rows.

#### Encryption of “cached” data

Because query results are **not stored in a dedicated Toucan query cache**, there is no separate “cache encryption” layer for result rows.

Protection instead relies on:

* **Encryption in transit** between Toucan services and your database (TLS as configured for your connection).
* **Encryption at rest** for **connection credentials** stored on the platform (see [Secrets & encryption](/govern/security-model/secrets-and-encryption.md)).
* **Encryption at rest** for the Toucan platform database.
* **Access control** on every query (tokens, permissions, RLS/CLS) and roles (ADMIN, MAKER or EXPLORER).

#### What about Redis?

Redis is used for **background job queues** (asynchronous tasks such as AI message processing), not as a long-term store of your query results. Job metadata is kept for a short period, then removed automatically.

***

### AI and conversation data

AI assistant conversations (including text you type and outputs from data tools) can be **persisted** so users can continue a thread across sessions.

* Clearing a conversation removes that thread’s stored history through the product API.
* Automatic time-based purge of all conversations is a **product/policy** topic — confirm current behavior with Toucan AI support if you need a specific retention period.

See [AI assistant data handling](/govern/security-model/ai-assistant-data-handling.md) and [PII & personal data](/govern/security-model/pii-and-personal-data.md).

***

### Retention & deletion (overview)

| Data type                    | Typical retention                     | Deletion                                                  |
| ---------------------------- | ------------------------------------- | --------------------------------------------------------- |
| Platform account data        | While the account/organization exists | Contact Toucan AI support for organization-level requests |
| Chart & dashboard config     | Until deleted in the product          | User/admin deletion in product                            |
| AI conversation (per thread) | Until cleared or org removed          | Clear conversation in product                             |
| Query result rows            | Not retained as a platform dataset    | N/A — not stored as a bulk copy                           |
| Connection credentials       | Until database connection removed     | Delete connection in product                              |

For third parties that may also hold data (LLM providers, analytics), see [Third-party subprocessors](/govern/security-model/third-party-subprocessors.md).

***

### Best practices

* Treat Toucan as a **query-and-visualize layer**, not a second database for your raw data.
* Use **row-level security** so every query is scoped to the end user.
* Avoid typing sensitive personal data into AI chat unless you accept it may be stored in conversation history.
* For embed integrations, use **pseudonymous identifiers** in tokens rather than email or legal name (see [PII & personal data](/govern/security-model/pii-and-personal-data.md)).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.toucanai.cloud/govern/security-model/data-storage-and-retention.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.