> ## Documentation Index
> Fetch the complete documentation index at: https://docs.visceralai.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy & data

> Visceral records metadata about your LLM traffic — never the prompts, responses, or PII.

Visceral is designed so that the sensitive parts of your traffic never have to
leave your control. This isn't a setting — it's how the system is built.

## Events are metadata only

Every LLM call is recorded as an **event** containing hashes, token counts, costs,
model names, and timing. Events never contain prompt or response text, and never
contain PII. Content is stripped at the source, in the SDK, before anything is
exported.

## Your provider keys stay yours

Your LLM-provider API keys (OpenAI, Anthropic, and so on) live in your own
environment or secrets manager. Visceral never stores them.

## Isolation and encryption

<CardGroup cols={2}>
  <Card title="Per-workspace isolation" icon="table-cells-lock">
    Customer data is isolated per workspace at the database level, so one
    workspace can never read another's.
  </Card>

  <Card title="Encrypted at rest" icon="lock">
    Any payloads Visceral caches are encrypted at rest with a per-workspace key
    derived from a server-only master key.
  </Card>
</CardGroup>

<Note>
  If you ever need Visceral to see less, the safe default is already the one in
  place: metadata, hashed, isolated, encrypted.
</Note>
