Your data, your call.

Every chat turn writes one row in conversations, one in messages (your prompt), one more in messages (the model's response), and one in api_calls (model id, token counts, latency, cost in cents). Plus an entry in visitor_signals when notable events fire (rate limit hit, jailbreak attempt, etc).

Tied together by a 1-year visitor_uuid cookie (httpOnly, SameSite=Lax). No email. No name. No IP retained, only the country.

The purge endpoint deletes everything tied to your cookie: conversations, messages, api_calls, visitor_signals. Cascade is enforced at the DB level, so if a row references your visitor row, it goes too.

If you decline the cookie at the banner (when the banner ships), the chat still works. We just do not retain anything past the page session. No row in visitors, no row in conversations. The trade-off is the model has no history of your prior turns within the same session.