Trust & Governance · Updated 2026-04-24

The intelligence is artificial. The accountability is not.

Every number a WhiteSpace agent cites is traceable to your own data — not industry averages, not hallucinated benchmarks. This page documents exactly what we store, who we share it with, and how you take it back.

Our principles

Grounded in your data

Agents never answer without citing the dataset they drew from. Every reply in the console carries a footer showing the period, review count, and sync age behind it.

Never trained on your data

Your POS exports, chat transcripts, and reviews never enter a model-training dataset. Anthropic and Google process each request stateless; no data retention for training.

Human in the loop

Agents advise, they never act. They surface trade-offs instead of prescribing. Removing a menu item, calling a supplier, changing a price — those remain your call.

What we store

Two categories:

Static data (git-tracked)

data/{client}/latest.json — the structured snapshot of your KPIs, menu items, outlets, reviews, and procurement.
data/{client}/YYYY-MM-DD.json — dated archives of daily sales snapshots.
data/{client}/config.json — your POS type + sync method. Never raw credentials.

Runtime data (Upstash Redis)

Preferences: your goals, targets, communication style, agent behaviour rules.
Menu & recipes: items, prices, categories, recipe-costing spreadsheet output.
Chat history: last 200 exchanges with your agents (plus global aggregate for quality monitoring).
Feedback: thumbs-up/down signals on agent replies.
Review connections: your Google Business / TripAdvisor public URLs.
Recommendations state: which agent suggestions you've marked done or dismissed.
Context notes: standing facts about your business (closed days, price changes, renovations).

Sub-processors

To deliver the service we rely on the following third parties. Each handles a specific slice of functionality and is bound by their own privacy / security commitments.

Sub-processor	Purpose	Region
Anthropic	Claude — the language model that powers every agent reply. Runs stateless; no training on inputs.	US
Google (Gemini)	Image-to-text OCR when you photograph your menu. Runs stateless; no training on inputs.	US
Upstash	Redis — stores your preferences, menu, recipes, chat history, feedback, recommendations. Encrypted at rest.	EU + US multi-region
Vercel	Hosting, serverless functions, edge delivery, auth token issuance.	Global edge
Resend	Transactional email — briefings, monthly reviews, magic links.	US
OpenWeather	Weather lookups for morning briefings. No personal data transmitted.	Global
Microsoft (Graph API)	Used only for clients who sync POS reports via email inbox. OAuth refresh tokens held by WhiteSpace; never stored on a third party beyond Microsoft itself.	Global
GitHub	Static data files are git-tracked. Source-of-truth for per-client JSON archives. Private repository.	US

Your controls

Download everything

From any console: Settings → Your data → Download my data (JSON). Returns a single JSON file containing every Redis key scoped to your console plus a snapshot of your latest data file. Takes ~2 seconds.

Delete everything

From any console: Settings → Your data → Delete my data. Wipes every Redis key scoped to your console — preferences, chat history, feedback, menu, recipes, recommendations, review connections. Static data files (POS archives) require an emailed request; see below.

Scrub PII before AI requests

From any console: Settings → Your data → Scrub PII before AI requests. When enabled, emails and phone numbers are stripped from your chat input before it leaves your browser. Useful if you paste content from guest messages or supplier emails.

Full off-boarding

To remove your static data files (POS archives, dated snapshots), reset your auth env var, and wipe anything git-tracked, email marc@whitespacefb.com. Turnaround ≤ 5 business days.

Retention

Chat history — last 200 exchanges per console rolling window.
Global chat log — last 999 across all tenants (used for quality + abuse monitoring; client-scoped entries pruned on deletion request).
Feedback signals — last 500 per console, last 999 global.
POS archives — kept indefinitely while you're a customer; removed within 30 days of off-boarding request.
Auth tokens — 30-day expiry, HMAC-signed, stateless (no server-side token storage).

Security posture

All credentials stored via vercel env add --sensitive — excluded from third-party dashboard integrations.
Client passwords never logged, never echoed, verified server-side only.
HTTPS-only delivery across whitespacefb.com and all consoles.
Redis encrypted at rest. REST endpoint access gated by Upstash token held only in Vercel env vars.
No client data transmitted to Anthropic or Google beyond what's needed for that individual request — no batch uploads, no training pipelines.

Breach response

In the event of a credential or data exposure affecting your console, we notify the registered console owner within 72 hours of confirmation, rotate affected credentials immediately, and publish a post-incident note on this page. The latest status always appears in the changelog below.

Governance changelog

2026-04-24

Added client-facing data export + deletion endpoints. Added PII scrubber toggle in console Settings. Source footer with provenance metadata now rendered under every agent reply. Published sub-processor list.

2026-04-22

Rotated auth pattern to mandate --sensitive flag on vercel env add following the Vercel / Context AI OAuth breach. Updated CLAUDE.md.

2026-04-18

Deployed PRINCIPLES block to api/agent.js — enforces source citation, no fabricated benchmarks, analytical (not prescriptive) tone across every agent prompt.

Contact

Marc Martinez · marc@whitespacefb.com · WhatsApp +66 82 281 6582