# PII Policy

Last updated: January 2026

This document describes what personally identifiable information (PII) Uniph.ai stores, where it lives, and gives optional masking guidance for logs and trace output.

---

## 1. PII We Store

| Category | Fields | Location | Purpose |
|----------|--------|----------|---------|
| **User identity** | `email`, `name`, `avatarUrl`, `provider`, `providerAccountId` | `users` table | Authentication, profile, session resolution |
| **User preferences** | `preferences` (JSON: timezone, defaultModel, theme) | `users` table | App personalization |
| **Goals & tasks** | `name`, `description`, `title` | `goals`, `tasks` tables | User-created content |
| **Memory** | `content`, `key`, `tags` | `memory_entries` table | Long-term context; may include user preferences, facts, conversation snippets |
| **Intents & outcomes** | `rawInput`, outcome titles, descriptions | `intents`, `outcomes` tables | User goals and generated results |
| **Suggestions** | Suggestion titles, interactions | `user_suggestions` table | Recommendation history |
| **Integrations** | `config` (may include OAuth tokens, API keys) | `integrations` table | Encrypted or hashed where applicable |
| **Agent identities** | `emailAlias`, scopes, tokens | `agent_identities` table | Encrypted; used for provider OAuth |
| **Audit / ledger** | Action types, decisions, metadata | `decision_ledger`, `agent_identity_audits` | Operational audit; may reference user IDs |
| **Connection attempts** | Success/failure, service type, latency | `connection_attempts` | Friction metrics |

---

## 2. Retention

- **Memory:** Configurable per kind via `MEMORY_RETENTION_HOURS_JSON` (e.g. `conversation` 720h, `note` 2880h). Enforced by the retention job.
- **Audit / ledger:** No automatic retention by default; consider adding configurable TTL for compliance.
- **User data:** Kept until the account is deleted (see Export and Delete below).

---

## 3. Optional Masking in Logs and Trace

To reduce PII exposure in logs and trace:

- **Logs:** Avoid logging `email`, `name`, or `content` in plain text. Use `userId` or hashed identifiers when debugging.
- **Trace:** `GET /api/execution/trace` returns jobs, verifications, and decision ledger. Metadata may contain user IDs; consider redacting `email` and `content` in trace responses if you expose them to third parties.
- **Error responses:** API errors return `{ "error": "..." }`; avoid including user PII in error messages.

---

## 4. Export and Delete

- **Export:** `GET /api/users/me/export` (auth required) returns goals, tasks, and memory in JSON. See [API.md](API.md).
- **Delete:** `POST /api/users/me/delete` (auth required, body `{ "confirm": "DELETE_ACCOUNT" }`) deletes user and cascades all data. See [API.md](API.md). Optional: set `USER_DELETE_CONFIRM_TOKEN` env to customize the token.
