Governance

Privacy and Data Retention

Operate SophMate with privacy-aware prompts, retention controls, export and erase support, redaction rules, and customer data boundaries.

Data boundaries

Users should avoid placing API keys, payment details, credentials, private customer data, or unreviewed logs into prompts. When customer, order, or support context is needed, keep the workflow bounded and approved for that purpose.

Retention review

Review SophMate retention settings alongside WordPress privacy practices and business requirements. Support teams should know what can be exported, erased, retained, and redacted before using AI-generated replies. The privacy policy page explains public-site data handling, and the diagnostics and support documentation explains what counts as safe support evidence.

Operational privacy

Use Knowledge Base citations, approval gates, and audit records to avoid hidden decision-making. If a workflow touches sensitive customer, legal, refund, payment, or safety topics, escalate before execution.

Owner and cadence

  • Primary owner: account owner, agency lead, privacy owner, or operations lead depending on risk area.
  • Review cadence: monthly, after incidents, after staff changes, and before client or stakeholder reporting.
  • Escalate when ownership, approval, privacy, backup, audit, or client-reporting decisions are unclear.

Production checklist

  • Define what users may place in prompts, what support evidence may include, and who owns export, erase, retention, and redaction decisions.
  • Review privacy expectations before using customer, order, refund, legal, payment, or support context.
  • Assign owners for approval policy, audit review, retention, privacy handling, backup validation, and support escalation.
  • Keep governance decisions visible in onboarding notes so agencies, developers, support leads, and store owners do not invent separate rules.

Acceptance checks

  • Sensitive data handling rules are visible to operators before they use customer-facing workflows.
  • Support bundles and diagnostics are reviewed before leaving the organization.
  • A reviewer can identify the accountable owner for customer, commerce, theme, privacy, and provider decisions.
  • The team has a repeatable monthly review for budgets, audit events, permissions, retention, and unresolved incidents.

Common mistakes

  • Treating governance as a one-time setup task instead of a recurring review of roles, budgets, approvals, retention, and audit records.
  • Sharing diagnostics, screenshots, or client reports before removing secrets and unrelated private data.
