# What Data Does Kachi Ingest, Store, and Delete - and How Is PII Handled?

Kachi is built on a strict principle: **your server logs are yours alone.** They are never shared with third parties, never used to train models, and never cross-referenced outside your account. The platform ingests only what is necessary to detect AI bot activity - request metadata, page references, and traffic signals - and handles all of it with encryption at rest and in transit, role-based access controls, and full auditability.

PII is treated as a liability, not an asset. Kachi does not store names, emails, or any user-submitted personal data. IP addresses are used transiently for bot identification and traffic attribution only, then aggregated so no individual user can be identified. You retain full control: data can be scoped, reviewed, and deleted on demand, and retention policies are reviewed continuously against evolving privacy regulations.

Kachi collects the minimum necessary to measure AI bot activity and attribute its impact on your traffic and revenue:

| Data Type | What's Captured | What's Excluded |

|---|---|---|

| **Bot activity logs** | AI platform, bot identity, visit frequency, pages accessed | Page content itself |

| **Request metadata** | HTTP headers, timestamps, IP addresses | Form inputs, cookies, session tokens |

| **Content references** | Which URLs were crawled or cited by AI systems | The content at those URLs |

| **Traffic attribution** | Sessions, referrals, and engagement tied to AI-driven visits | Individual user identities |

Kachi does **not** collect user-submitted content, form data, or any personal information beyond what is required to measure bot activity and site performance.

All ingested data is stored in encrypted databases with the following controls applied by default:

**Encrypt all data in transit and at rest**

- TLS enforced on all data ingestion pipelines

- AES-256 encryption applied to all stored records

**Restrict access by role**

- Access controls limit data visibility to authorized account users only

- Audit logs record all data access events

**Retain only what's needed**

- Historical AI activity and bot logs: retained for trend analysis and benchmarking

- Aggregated traffic metrics: retained for long-term performance reporting

- Raw request-level data: aggregated promptly to prevent individual identification

Kachi treats PII exposure as a risk to be eliminated, not managed. The approach follows three steps:

1. **Strip identifying fields at ingestion** - IP addresses and request headers are used only to classify bot vs. human traffic, then discarded or hashed before storage

2. **Aggregate before storing** - traffic attribution data is stored at the session/cohort level, never at the individual user level

3. **Audit residual data regularly** - any data that could indirectly identify a user is flagged in periodic privacy reviews and purged if not strictly necessary

Kachi never stores:

- Names, email addresses, or user-submitted personal information

- Raw IP addresses linked to individual user profiles

- Any data sourced from your users' form submissions or account activity

You have full control over what Kachi retains. To remove data:

1. Navigate to **Settings -> Data Management** in your Kachi dashboard

2. Select the website and date range you want to remove

3. Submit a deletion request - primary and backup systems are cleared automatically

4. Confirmation is provided once deletion is complete across all storage layers

Retention policies can also be configured per property under **Settings -> Retention Policy**.

- Your logs are never shared with any third party

- PII is not stored - data is aggregated before persistence

- All storage is encrypted at rest (AES-256) and in transit (TLS)

- You can delete any data, at any time, on demand

- Retention policies are reviewed continuously against current privacy regulations (GDPR, CCPA, and equivalents)