Skip to main content
As an AI observability platform, ABV processes data from your LLM applications—data that may contain personal information. You have complete control over what personal data is sent to ABV, how it’s stored, and when it’s deleted.

​
Your Control Over Personal Data

ABV provides powerful tools to help you manage personal data responsibly:

Data Masking

Automatically redact PII before it’s stored

Data Deletion

Delete personal data on demand

Data Retention

Control how long data is stored

User Tracking

Associate data with specific users for easy deletion

​
Understanding Personal Data

Personal data is any information that can identify an individual, including names, email addresses, phone numbers, IP addresses, user IDs, and location data. In ABV, personal data typically appears in:
  • LLM prompts and responses containing user information
  • Trace metadata like user IDs, session IDs, and IP addresses
  • Evaluation datasets with sample personal data
When you use ABV, you control what personal data is sent—you decide what goes into prompts, configure masking rules, set retention periods, and respond to data subject requests. ABV is your data processor; we provide the tools, you make the decisions. Learn more about GDPR roles

​
Best Practices

Enable Data Masking

Prevent personal data from being stored by configuring automatic PII masking. ABV can detect and redact emails, phone numbers, credit cards, SSNs, and custom patterns using regex. Masking happens at ingestion time—masked data is permanently redacted, not just hidden.Learn how to configure data masking

Use User IDs

Associate traces with user identifiers to enable efficient data management. This allows you to bulk delete all data for a specific user, quickly respond to data subject requests, and filter data by user.
from abv import observe

@observe()
def generate_response(user_id, prompt):
    # ABV automatically captures the user_id
    return llm.generate(prompt)
Learn about user tracking

Configure Retention Policies

Set appropriate retention periods based on your needs: 7-30 days for development, 30-90 days for production, or minimum necessary for compliance-sensitive projects. This ensures automatic compliance with GDPR’s “storage limitation” principle.Learn about data retention

Minimize Data Collection

Only send data to ABV that you actually need. Avoid logging passwords, credit cards, medical records, or government IDs. Prefer anonymized user IDs, non-identifying metadata, and masked prompts/responses.

​
Handling Data Subject Requests

When individuals exercise their GDPR rights, use ABV’s tools to respond: Right to Access (DSAR): Search ABV for traces associated with the user, export the data, and provide it in readable format (CSV, JSON) within 30 days. Learn how to export data Right to Erasure: Identify all traces containing their personal data and delete using ABV’s deletion tools—by user ID if tagged, or specific traces manually. Learn how to delete data Right to Rectification: Since traces are immutable, delete inaccurate traces and create corrected versions if needed. For observability data, deletion is often more appropriate than rectification. Right to Data Portability: Export data as JSON (machine-readable format) including all personal data related to the individual.

​
Compliance

ABV provides tools for GDPR, HIPAA, and other privacy regulations:
  • GDPR: Data Processing Agreement, EU data region, transparent sub-processor list, security measures
  • HIPAA: Business Associate Agreement, dedicated infrastructure, enhanced security controls
  • Other regulations: CCPA/CPRA, LGPD, PIPEDA, APP—ABV’s tools support most privacy regulations
Learn more about GDPR compliance | Learn more about HIPAA compliance

​
Related Topics

Configure Data Masking

Set up automatic PII redaction

Set Retention Policies

Configure how long data is kept

Enable User Tracking

Associate traces with user IDs

Data Deletion Guide

Learn how to delete personal data