> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abv.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing Personal Data

> Tools and best practices for managing personal data in ABV

As an AI observability platform, ABV processes data from your LLM applications—data that may contain personal information. You have complete control over what personal data is sent to ABV, how it's stored, and when it's deleted.

# Your Control Over Personal Data

ABV provides powerful tools to help you manage personal data responsibly:

<CardGroup cols={2}>
  <Card title="Data Masking" icon="eye-slash" href="/developer/basic-features/masking-sensitive-data">
    Automatically redact PII before it's stored
  </Card>

  <Card title="Data Deletion" icon="trash" href="/developer/platform/administration/data-deletion">
    Delete personal data on demand
  </Card>

  <Card title="Data Retention" icon="calendar" href="/developer/platform/administration/data-retention">
    Control how long data is stored
  </Card>

  <Card title="User Tracking" icon="user-tag" href="/developer/basic-features/user-tracking">
    Associate data with specific users for easy deletion
  </Card>
</CardGroup>

# Understanding Personal Data

Personal data is any information that can identify an individual, including names, email addresses, phone numbers, IP addresses, user IDs, and location data. In ABV, personal data typically appears in:

* **LLM prompts and responses** containing user information
* **Trace metadata** like user IDs, session IDs, and IP addresses
* **Evaluation datasets** with sample personal data

When you use ABV, **you** control what personal data is sent—you decide what goes into prompts, configure masking rules, set retention periods, and respond to data subject requests. ABV is your data processor; we provide the tools, you make the decisions.

[Learn more about GDPR roles](/security/privacy/gdpr-compliance#abvs-role-under-gdpr)

# Best Practices

<Steps>
  <Step title="Enable Data Masking" icon="eye-slash">
    Prevent personal data from being stored by configuring automatic PII masking. ABV can detect and redact emails, phone numbers, credit cards, SSNs, and custom patterns using regex. Masking happens at ingestion time—masked data is permanently redacted, not just hidden.

    [Learn how to configure data masking](/developer/basic-features/masking-sensitive-data)
  </Step>

  <Step title="Use User IDs" icon="user-tag">
    Associate traces with user identifiers to enable efficient data management. This allows you to bulk delete all data for a specific user, quickly respond to data subject requests, and filter data by user.

    ```python theme={null}
    from abv import observe

    @observe()
    def generate_response(user_id, prompt):
        # ABV automatically captures the user_id
        return llm.generate(prompt)
    ```

    [Learn about user tracking](/developer/basic-features/user-tracking)
  </Step>

  <Step title="Configure Retention Policies" icon="calendar">
    Set appropriate retention periods based on your needs: 7-30 days for development, 30-90 days for production, or minimum necessary for compliance-sensitive projects. This ensures automatic compliance with GDPR's "storage limitation" principle.

    [Learn about data retention](/developer/platform/administration/data-retention)
  </Step>

  <Step title="Minimize Data Collection" icon="filter">
    Only send data to ABV that you actually need. Avoid logging passwords, credit cards, medical records, or government IDs. Prefer anonymized user IDs, non-identifying metadata, and masked prompts/responses.
  </Step>
</Steps>

# Handling Data Subject Requests

When individuals exercise their GDPR rights, use ABV's tools to respond:

**Right to Access (DSAR):** Search ABV for traces associated with the user, export the data, and provide it in readable format (CSV, JSON) within 30 days. [Learn how to export data](/developer/platform/api-data-platform/export-data-from-ui)

**Right to Erasure:** Identify all traces containing their personal data and delete using ABV's deletion tools—by user ID if tagged, or specific traces manually. [Learn how to delete data](/developer/platform/administration/data-deletion)

**Right to Rectification:** Since traces are immutable, delete inaccurate traces and create corrected versions if needed. For observability data, deletion is often more appropriate than rectification.

**Right to Data Portability:** Export data as JSON (machine-readable format) including all personal data related to the individual.

# Compliance

ABV provides tools for GDPR, HIPAA, and other privacy regulations:

* **GDPR**: Data Processing Agreement, EU data region, transparent sub-processor list, security measures
* **HIPAA**: Business Associate Agreement, dedicated infrastructure, enhanced security controls
* **Other regulations**: CCPA/CPRA, LGPD, PIPEDA, APP—ABV's tools support most privacy regulations

[Learn more about GDPR compliance](/security/privacy/gdpr-compliance) | [Learn more about HIPAA compliance](/security/compliance/hipaa-compliance)

# Related Topics

<CardGroup cols={2}>
  <Card title="Configure Data Masking" icon="eye-slash" href="/developer/basic-features/masking-sensitive-data">
    Set up automatic PII redaction
  </Card>

  <Card title="Set Retention Policies" icon="calendar" href="/developer/platform/administration/data-retention">
    Configure how long data is kept
  </Card>

  <Card title="Enable User Tracking" icon="user-tag" href="/developer/basic-features/user-tracking">
    Associate traces with user IDs
  </Card>

  <Card title="Data Deletion Guide" icon="trash" href="/developer/platform/administration/data-deletion">
    Learn how to delete personal data
  </Card>
</CardGroup>
