Privacy, in plain English.
Whoopsie watches your AI app for failures. To do that, our SDK sends us a record of each model call. We strip common PII before it leaves your machine, strip it again on our server, and delete everything after 7 days. That's the short version.
What we collect
For each AI request the SDK is wrapped around: your prompt, the model's response, tool calls (name, arguments, result), reasoning / chain-of-thought text when the model emits it (o1, Claude extended thinking, Gemini thinking), and metadata like model name, token counts, cost, finish reason, and timing. Your project ID travels with each event so the dashboard knows where to display it.
Common PII patterns — emails, phone numbers, SSNs, credit-card numbers, JWTs, and OpenAI/Anthropic/AWS/GitHub/Slack-shaped API keys — are replaced with placeholders before the SDK sends anything. The full pattern list is in packages/sdk/src/redact.ts. If your prompts can contain anything you wouldn't want us to see, use redact: "metadata-only" in the SDK options — token counts and detector verdicts only, zero text.
If your install came from one of the AI builder paths on /install (Lovable, Replit, Bolt, v0), the install prompt sets a WHOOPSIE_PLATFORM env var with that slug (e.g. lovable). The SDK attaches it as metadata.whoopsie_platform on each trace so we can monitor whether installs from a given platform start silently breaking after the platform changes its AI builder. The slug is install-source metadata at the same disclosure level as the model name — it contains no user-content text. You can unset the env var to drop the tag.
If you opt in to the contact-email field on /install, we keep the email so we can reach you about your project. That's the only piece of personal data we intentionally retain.
Where it goes
Trace events are stored in a single Neon Postgres database (us-east-1), provisioned through Vercel's Marketplace integration. The dashboard runs on Vercel Functions in the same region. No third-party analytics, no tag manager.
Even if a request reaches our server with PII somehow still attached — for example, a custom client that bypasses the SDK — the ingest endpoint runs the same redaction patterns again before anything is written to Postgres. We treat the SDK as a convenience, not a trust boundary.
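A sketch of that two-layer design, added here as an illustration and not taken from Whoopsie's code: one redaction routine runs in the SDK and again at ingest, so a raw POST that skips the SDK is still scrubbed before storage. The three rules, the `TraceEvent` shape, and the function names `sdkPrepare` and `ingest` are assumptions; the real pattern list is the one in packages/sdk/src/redact.ts.

```typescript
// Added example. These rules are hypothetical stand-ins, NOT the
// contents of packages/sdk/src/redact.ts.
type Rule = { name: string; re: RegExp };
const RULES: Rule[] = [
  { name: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { name: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "AWS_KEY", re: /\bAKIA[0-9A-Z]{16}\b/g },
];

type TraceEvent = {
  prompt: string;
  toolCalls: { name: string; arguments: { key: string } }[];
  tokens: number;
};

// Placeholders such as [EMAIL] match no rule, so redacting twice is a no-op.
function redactText(text: string): string {
  return RULES.reduce((out, r) => out.replace(r.re, "[" + r.name + "]"), text);
}

// Walk the whole event: tool-call arguments carry text too. Keys are kept,
// string values are redacted, numbers and booleans pass through.
function redactDeep<T>(value: T): T {
  if (typeof value === "string") return redactText(value) as unknown as T;
  if (Array.isArray(value)) return value.map((v) => redactDeep(v)) as unknown as T;
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(value)) {
      out[k] = redactDeep((value as Record<string, unknown>)[k]);
    }
    return out as unknown as T;
  }
  return value;
}

// Client side: what the SDK would do before sending.
function sdkPrepare(event: TraceEvent): TraceEvent { return redactDeep(event); }

// Server side: never assumes sdkPrepare ran; redacts the parsed body again.
function ingest(rawBody: string): TraceEvent {
  return redactDeep(JSON.parse(rawBody) as TraceEvent);
}

// Constructed sample event (AWS's documented example key ID, fake SSN).
const SAMPLE_EVENT: TraceEvent = {
  prompt: "Email jane@example.com, SSN 123-45-6789",
  toolCalls: [{ name: "lookup", arguments: { key: "AKIAIOSFODNN7EXAMPLE" } }],
  tokens: 42,
};
console.log(ingest(JSON.stringify(SAMPLE_EVENT))); // raw client, SDK bypassed
```

Because the placeholders are inert, events that did pass through the SDK reach storage unchanged by the second pass.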
Your project ID is the only auth on the ingest API in v0. It's not a secret in the cryptographic sense, but anyone who knows it can post events tagged as your project. Treat it like a low-sensitivity credential — don't paste it into public chat or commit it to a public repo.
Trace events are deleted 7 days after we receive them. The cleanup is a daily cron job; there's no UI to extend retention and no paid tier where it gets longer.
Delete or contact
with your project ID and we'll delete your traces, your contact email, and your terms-acceptance row. Security reports go to ; see SECURITY.md.
Both forms relay through Brevo (our email delivery sub-processor) to the maintainer's mailbox. If the relay is down, the form falls back to opening your mail client with the message preserved.