Semurg is designed for privacy-first operation. All personally identifiable information (PII) is tokenised by the Shield pipeline before reaching any external model provider. Raw PII never leaves your instance unmasked.
Data We Collect
- Account data — email address, hashed password, session identifiers.
- Usage telemetry — request counts, latency metrics, error rates (no PII).
- Documents you upload — stored in the knowledge graph; PII within documents is tokenised on ingestion.
- Conversation history — stored with PII tokens, not raw PII. Originals exist only in the token map keyed to your session.
- Third-party API keys — stored encrypted in your user vault; used only for model calls you request.
Retention Periods
- PII token maps — retained for 90 days (configurable via PII_RETENTION_DAYS), then swept by the MetabolicSweeper.
- Conversation history — retained until you delete it or request account erasure.
- Operational logs — retained for 30 days, then rotated.
- Billing records — retained for the legally required period in the applicable jurisdiction (typically 7 years).
How to Request Erasure
You can request complete deletion of your data through any of these methods:
- Use the Delete My Data button in Settings → Account.
- Send a verified request to privacy@aigos.org.
- Call
DELETE /api/user/data with your authentication token.
Erasure removes all ETS entries keyed to your user_id, invalidates active sessions, and purges all PII token maps. We respond within 30 days.
EU / UK — GDPR & UK GDPR
If you are in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation:
- Right of Access (Art. 15) — request a copy of the personal data we hold about you.
- Right to Erasure (Art. 17) — request deletion of your data.
- Right to Portability (Art. 20) — receive your data in a machine-readable format.
- Right to Object (Art. 21) — object to processing based on legitimate interests.
- Right to Restrict (Art. 18) — request limited processing in certain circumstances.
- Right to Rectification (Art. 16) — request correction of inaccurate data.
Breach notifications are delivered within 72 hours of detection where required by law.
Australia — Privacy Act / APPs
If you are in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles. You may request access to or correction of your personal information. Complaints: oaic.gov.au.
Singapore — PDPA
Your data is processed in accordance with the Personal Data Protection Act 2012. Data breach notifications to the PDPC and affected users are issued within 3 calendar days where required.
United States — CCPA / CPRA
California residents have rights under the CCPA and CPRA:
- Right to Know — categories and specific personal information collected.
- Right to Delete — request deletion of your personal information.
- Right to Correct — request correction of inaccurate data.
- Right to Opt-Out — we do not sell or share personal information for behavioural advertising.
Brazil — LGPD
If you are in Brazil, your data is processed in accordance with Lei Geral de Proteção de Dados. You have the right to confirmation of processing, access, correction, anonymisation, portability, and deletion. The ANPD is the supervisory authority.
Data Protection Contact
Privacy enquiries: privacy@aigos.org
AI-Generated Content
Semurg uses external AI model providers (large language models) to generate responses to your queries. All content you submit is processed through the Shield PII pipeline before reaching any external provider — personal identifiers are replaced with opaque tokens and restored on return.
- AI-generated responses are clearly labelled in the interface with an "AI-generated content" badge.
- The model and provider used for each response are displayed alongside the output.
- Semurg does not train AI models on your data. Your inputs and outputs are not used for model fine-tuning.
- We do not guarantee the accuracy, completeness, or suitability of AI-generated content for any particular purpose.