> For the complete documentation index, see [llms.txt](https://docs.toucanai.cloud/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.toucanai.cloud/govern/security-model/pii-and-personal-data.md). # PII & personal data {% hint style="info" %} **Target Audience**: Developers and privacy stakeholders integrating Toucan AI, especially in embed and AI chat scenarios. {% endhint %} ### TL;DR * Toucan AI stores **account and session data** for users of the Toucan platform (for example email, name, session metadata). * **Your end-user data** in embed mode is mostly under **your control**: what you put in tokens and chat. * **AI conversations can persist** what users type — treat chat as potentially storing personal data. * **Minimize** what you send: pseudonymous IDs, only the attributes needed for security, no unnecessary context in AI clues. *** ### When to use this Use this page before going to production with embed or AI features, or when answering privacy questionnaires about where personal data can appear. *** ### Where personal data can appear #### 1) Toucan platform accounts When users sign in to Toucan AI directly, the platform stores typical account information such as: * Email address and display name * Profile fields you provide at signup * Session metadata (for example IP address or browser information, when collected) This data supports authentication, billing, and product operation. #### 2) Embed integrations (your application) In embed mode, **you** define what identity and attributes are sent to Toucan AI inside the embed token, for example: * A stable user identifier (`distinctId`) * Optional attributes used for row-level security (region, department, role, etc.) * Optional free-text context for the AI (`aiContextClues`) Depending on what you send, these fields **may be personal data**. Toucan AI does not require email or legal name in embed tokens. #### 3) AI assistant chat Users may type personal data directly into chat. That content can be **stored** as part of conversation history and is necessary to run a conversation, as it will be the context used as input for the LLM answer. Query results shown in AI workflows may also appear in conversation state (for example summarized or sampled rows). See [Data storage & retention](/govern/security-model/data-storage-and-retention.md). *** ### Data you control vs Toucan controls | Area | Who controls content | Guidance | | ----------------------- | -------------------- | ------------------------------------------------------------- | | Embed token attributes | Your backend | Send only what RLS or product features require | | `distinctId` | Your backend | Use a technical ID, not email or name | | `aiContextClues` | Your backend | Avoid personal data; prefer non-identifying context | | Chat messages | End user | Train users; clear history when needed | | Connected database rows | Your database | Use RLS; Toucan queries on demand, does not bulk-copy your DB | *** ### Best practices (minimization) * Use a **pseudonymous** `distinctId` (never email, phone, or legal name). * Limit embed **attributes** to the minimum required for access control. * Do not pass personal data in **AI context clues** unless strictly necessary. * Apply **row-level security** on all sensitive tables. * Clear AI conversation history when your product workflow requires it. * Align with your privacy policy and DPA for subprocessors listed in [Third-party subprocessors](/govern/security-model/third-party-subprocessors.md). *** ### Related pages * [Data storage & retention](/govern/security-model/data-storage-and-retention.md) * [AI assistant data handling](/govern/security-model/ai-assistant-data-handling.md) * [Security boundaries (embed)](/embed/embedding-overview/security-boundaries.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.toucanai.cloud/govern/security-model/pii-and-personal-data.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.