# Exige Search — Privacy notice

_Last updated: 2026-05-10_

Exige Search is a small hobby project that runs an AI-powered search
over the Lotus Exige V6 workshop manuals. This page describes what
personal data the service collects, why, where it lives, and how you
can have it deleted.

## What we collect

When you sign up and use the service we store:

| Data | Purpose | How long |
|---|---|---|
| Username + email | Account identity, password reset | Until account deletion |
| Password (bcrypt hash, not the password itself) | Authentication | Until account deletion |
| Session cookies (HttpOnly, server-side hash only) | Keeping you signed in | 30 days from issue |
| Login attempt log (IP + username) | Brute-force throttle | Cleared on success or after 5 minutes |
| Chat threads, messages, feedback votes | The actual conversational history with the AI | Until you delete or your account is deleted |
| Bug reports + admin conversations | Support | Until you delete or your account is deleted |
| LLM audit log (your prompts + the model output) | Diagnosing model behaviour | Up to ~6 months (rolled at ~50MB per file × 5 retained) |
| Application Insights telemetry | Crash diagnostics + performance | 90 days (Azure default) |
| Daily SQLite backup | Disaster recovery | Indefinitely (until manually deleted) |

We do **not** collect tracking IDs, advertising identifiers, location
data, or anything outside the workshop-manual chat use case.

## Where it lives

- The application + database run on a Microsoft Azure VM in the UK
  (North Europe region).
- Backups go to the same storage account, encrypted at rest by Azure
  defaults, accessible only via the VM's managed identity.
- We do not share data with third parties **except** that chat
  prompts + completions are sent to **Azure OpenAI** (Microsoft) for
  the AI to generate responses. Azure OpenAI does **not** train on
  this data; see Microsoft's
  [Azure OpenAI data privacy documentation](https://learn.microsoft.com/azure/ai-services/openai/concepts/data-privacy)
  for specifics.

## Your rights (UK GDPR)

You can ask us to:

- **Show you** a copy of your data
- **Correct** mistakes (e.g. wrong email)
- **Delete** your account and all associated data (right to erasure)
- **Object to / restrict** further processing

To exercise any of these rights, email the admin at
**chris@local.dev** (replace with the address on the support
page if you signed up via WhatsApp). We aim to respond within 30
days as required by UK GDPR.

When you request erasure we run `tools/erase-user.ps1` against your
username, which permanently deletes:

- Your user row
- Your chat threads + every message in them
- Your conversations with admins (and the messages within)
- Your bug reports
- Your feedback votes
- Your notification dismissals + reads + per-user-deletes
- Your sessions + outstanding password-reset tokens

Audit-log rows referencing your username are **not** deleted — they
are anonymised by replacing the username with the literal string
`[deleted user]` so the operational audit trail is preserved.

LLM audit log entries (prompts + completions) and Application
Insights telemetry are best-effort: they roll/expire on their own
schedule (months, not years) and we will scrub the active files
where feasible.
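As an added illustration of the erasure procedure described above (this is not the project's `tools/erase-user.ps1`, which is not shown on this page), the following Python script carries out the same steps against a constructed SQLite database: delete every row owned by the user inside one transaction, children before parents, anonymise audit-log rows with the literal `[deleted user]` marker rather than deleting them, and then verify that nothing still references the account. Every table and column name, and the sample rows, are assumptions made for this example and cover only a subset of the data categories in the list above.

```python
import sqlite3

DELETED_MARKER = "[deleted user]"

# Hypothetical schema: table and column names are assumptions for this
# example, not the real Exige Search schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, email TEXT);
CREATE TABLE threads (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL);
CREATE TABLE messages (id INTEGER PRIMARY KEY, thread_id INTEGER NOT NULL, body TEXT);
CREATE TABLE feedback_votes (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, message_id INTEGER);
CREATE TABLE bug_reports (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, text TEXT);
CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL);
CREATE TABLE password_reset_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, username TEXT, action TEXT);
"""

# Constructed sample data: two users so we can confirm erasure of one
# leaves the other untouched.
SAMPLE_ROWS = """
INSERT INTO users VALUES (1, 'alice', 'alice@example.invalid'), (2, 'bob', 'bob@example.invalid');
INSERT INTO threads VALUES (10, 1), (11, 2);
INSERT INTO messages VALUES (100, 10, 'torque spec?'), (101, 10, 'thanks'), (102, 11, 'oil grade?');
INSERT INTO feedback_votes VALUES (1, 1, 101), (2, 2, 102);
INSERT INTO bug_reports VALUES (1, 1, 'broken link on page 3');
INSERT INTO sessions VALUES ('sess-hash-a', 1), ('sess-hash-b', 2);
INSERT INTO password_reset_tokens VALUES ('reset-hash-a', 1);
INSERT INTO audit_log VALUES (1, 'alice', 'login'), (2, 'bob', 'login'), (3, 'alice', 'thread.create');
"""

# Tables keyed directly by user_id; deleted after their child rows (messages).
USER_OWNED_TABLES = ("threads", "feedback_votes", "bug_reports",
                     "sessions", "password_reset_tokens")


def build_sample_db():
    # isolation_level=None puts the connection in autocommit mode so the
    # BEGIN/COMMIT/ROLLBACK below are under explicit control.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE_ROWS)
    return conn


def erase_user(conn, username):
    """Delete all rows owned by `username` and anonymise audit rows.

    Returns a dict of affected-row counts per table. Runs as a single
    transaction so a partial failure leaves the account intact rather than
    half-erased.
    """
    cur = conn.cursor()
    row = cur.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise LookupError(f"no such user: {username}")
    uid = row[0]
    counts = {}
    cur.execute("BEGIN")
    try:
        # Child rows first: messages hang off threads, not directly off the user.
        counts["messages"] = cur.execute(
            "DELETE FROM messages WHERE thread_id IN (SELECT id FROM threads WHERE user_id = ?)",
            (uid,)).rowcount
        for table in USER_OWNED_TABLES:
            counts[table] = cur.execute(
                f"DELETE FROM {table} WHERE user_id = ?", (uid,)).rowcount
        # Audit trail is kept; only the identifying username is replaced.
        counts["audit_log_anonymised"] = cur.execute(
            "UPDATE audit_log SET username = ? WHERE username = ?",
            (DELETED_MARKER, username)).rowcount
        # Parent row last.
        counts["users"] = cur.execute("DELETE FROM users WHERE id = ?", (uid,)).rowcount
        cur.execute("COMMIT")
    except Exception:
        cur.execute("ROLLBACK")
        raise
    return counts


def references_remaining(conn, uid, username):
    """Post-erasure check: count rows that still point at the user."""
    total = 0
    for table in USER_OWNED_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE user_id = ?", (uid,)).fetchone()[0]
    total += conn.execute(
        "SELECT COUNT(*) FROM audit_log WHERE username = ?", (username,)).fetchone()[0]
    total += conn.execute(
        "SELECT COUNT(*) FROM users WHERE id = ?", (uid,)).fetchone()[0]
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print(erase_user(db, "alice"))
    print("remaining references:", references_remaining(db, 1, "alice"))
```

The verification query is the part worth keeping in a real erasure tool: it gives the operator a concrete zero to record alongside the erasure request, and it is what catches a new table added later that the delete list forgot.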

## Security

- All traffic uses HTTPS (HSTS preload-eligible).
- Passwords are bcrypt-hashed (cost ≥12).
- Sessions are server-side, with HttpOnly + SameSite=Lax cookies.
- The app server is not directly internet-reachable; only the
  reverse-proxy gateway is.
- See `security-review.md` for the most recent independent audit.

## Children

The service is not directed to or marketed to children under 13.

## Changes

We will update this page if how we handle data changes.