# Privacy & DSR

> Handle GDPR / CCPA data subject requests — search a visitor's data, delete it, and manage controlled anonymization workflows.

import Screenshot from "../../../components/docs/Screenshot.astro";

If you operate in jurisdictions covered by GDPR (EU/UK), CCPA (California), or similar privacy laws, visitors have rights over the data your agent collects about them. The Privacy page in Settings is where you fulfill those requests.

## What visitor data Owlish stores

Each session captures:

- Messages exchanged with the agent.
- Channel metadata (which widget origin, which Slack workspace, etc.).
- Optional prechat fields the visitor filled in (name, email, etc.).
- Citations and any tool calls the agent made.

Conversation transcripts persist for the duration set by your plan (Starter 30 days, Growth 90 days, Scale 365 days), then auto-delete.

## Handle a DSR

In **Settings → Privacy**, use the **Visitor Data Subject Requests** flow:

1. **Search** by visitor identifier — typically an email or a session-prechat field. The page returns every session and event tied to that visitor across all agents in the workspace.
2. Pick the action:
   - **Delete** — removes the sessions and events entirely, including transcripts. Use this for full erasure requests.
   - **Anonymize and retain** — a controlled workflow for cases where transcripts must remain available for reporting. It requires DLP review to be enabled before use.
3. Confirm in the DSR dialog. The action is logged to the workspace audit trail with the operator who performed it.

<Screenshot src="/screenshots/settings-privacy.webp" alt="Privacy settings page with visitor data request search and data-subprocessor information." label="Console · Settings · Privacy" description="Privacy page with a search input for visitor identifier, results list showing matched sessions, and a confirmation dialog for the selected DSR action." />

## Audit trail

Every DSR action logs: who performed it, when, the visitor identifier searched, the action type, and how many sessions/events were affected. Useful for compliance reporting.

## Other privacy considerations

- **Conversation retention** is plan-tier based and runs automatically. You don't need to manually purge old data.
- **Workspace deletion** removes all visitor data unconditionally. See [General settings](/docs/settings/general) → Danger Zone.
- **Source data** (your KB content) is your own; DSR flows here only cover visitor data the agent generated.

## Next steps

- **[General settings](/docs/settings/general)** — workspace-level controls including deletion.
- **[Plans](/docs/billing/plans)** — retention windows per tier.

---

Source: https://owlish.bot/docs/settings/privacy