Semurg is designed for privacy-first operation. All PII is tokenised by the Shield pipeline before reaching any external model provider. Raw PII never leaves your instance unmasked.
Data We Collect
- Account data — session identifiers (anonymous by default).
-
Usage telemetry
— request counts, latency metrics, error rates (no PII).
-
Documents you upload
— stored in your knowledge graph; PII is tokenised on ingestion.
- Conversation history — stored with PII tokens, not raw PII.
-
Third-party API keys
— stored encrypted in your vault; used only for model calls you request.
International Transfers
Where data is processed outside the EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46). UK transfers use UK Addendums to the International Data Transfer Agreement.
Your Rights (EU/UK GDPR)
- Access (Art. 15) — request a copy of data we hold about you.
-
Erasure (Art. 17)
— request deletion of your data. We respond within 30 calendar days.
-
Portability (Art. 20)
— receive your data in machine-readable format.
-
Rectification (Art. 16) — request correction of inaccurate data.
-
Object (Art. 21)
— object to processing based on legitimate interests.
You have the right to lodge a complaint with the ICO (ico.org.uk) or your local data protection authority (GDPR Art. 77).
DSAR Response Timeframe
We will respond to all data subject requests within 30 calendar days of receipt, in compliance with GDPR Art. 12.
Retention Periods
- PII token maps — 90 days (configurable), then swept.
- Conversation history — retained until you delete it or request erasure.
- Operational logs — 30 days, then rotated.
- Billing records — legally required period (typically 7 years).
Contact
Privacy enquiries:
privacy@aigos.org