Security & Privacy: How AIWU Handles Your Data
AIWU is designed with security and privacy as defaults — your data stays on your server, API keys are encrypted, and no conversation data is sent to Anthropic or any third party without your explicit action.
In this article: What Data AIWU Stores · API Key Security · GDPR Compliance · Data Sent to AI Providers · Access Control · Deleting User Data
Before You Start
Related:
- All plugin settings explained (Plugin Settings: Complete Reference)
What Data AIWU Stores
In Your WordPress Database
| Data type | Table | What’s stored | Retention |
|---|---|---|---|
| Chat conversations | wp_aiwu_conversations | Messages, timestamps, session IDs. No user passwords or payment data. | Configurable. Default: 90 days. |
| Embeddings (vectors) | wp_aiwu_embeddings | Numerical vectors from your content. Not human-readable. No personal data. | Permanent until deleted or content changes. |
| Workflow logs | wp_aiwu_logs | Workflow execution records, success/failure status, outputs. | Configurable. Default: 30 days. |
| Settings | wp_options | Plugin configuration, including encrypted API keys. | Permanent until plugin uninstall. |
| Training datasets | wp_aiwu_datasets | Your structured training examples (Q&A pairs, product data). | Permanent until manually deleted. |
What AIWU Does NOT Store
- User passwords or authentication tokens
- Payment card or banking data
- Sensitive user personal data beyond what you explicitly train or log
- Data from other WordPress plugins (AIWU only accesses what you configure)
API Key Security
API keys are the most sensitive data AIWU handles. Here’s how they’re protected:
- Encrypted at rest: API keys are encrypted before storage using WordPress’s encryption layer with a server-specific salt. They cannot be read directly from the database.
- Never exposed in browser: API keys are server-side only and never included in JavaScript or HTML output.
- Access restricted: Only WordPress users with the manage_options capability (administrators) can view or modify API keys.
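To check the first two claims on your own install, the following added example (not AIWU's code) scans text you export yourself, such as saved page source or dumped wp_options values, for strings shaped like provider API keys. The key patterns are assumed common prefixes for each provider, and every sample value is constructed.

```python
import re

# Assumed key shapes based on commonly seen provider prefixes; adjust as needed.
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "openai": re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "google": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}


def redact(secret, keep=6):
    """Keep only a short prefix so the audit report does not leak the key."""
    return f"{secret[:keep]}...({len(secret)} chars)"


def find_plaintext_keys(text):
    """Return sorted (provider, redacted_match) pairs for key-shaped strings."""
    hits = set()
    for provider, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.add((provider, redact(match.group(0))))
    return sorted(hits)


def audit(sources):
    """Map each named source to its findings; an empty list means clean."""
    return {name: find_plaintext_keys(body) for name, body in sources.items()}


# Constructed samples: not real keys, not real AIWU output or storage format.
FAKE_KEY = "sk-" + "A1b2C3d4" * 5
SAMPLES = {
    "rendered_page.html": '<script>var chat = {"nonce": "9f3c1d2e7a"};</script>',
    "leaky_page.html": '<script>var cfg = {"apiKey": "' + FAKE_KEY + '"};</script>',
    "option:encrypted": "gAAAAABl0kq3Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==",
    "option:plaintext": FAKE_KEY,
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, "->", findings or "clean")
```

A clean result only shows that no key-shaped string appears in the text you supplied; it does not prove how the stored value is encrypted.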
Data Sent to AI Providers
When a user sends a chat message or a workflow runs, AIWU sends data to the AI provider you’ve configured (OpenAI, Claude, etc.). Here’s exactly what gets sent:
| What’s sent | Why | Who receives it |
|---|---|---|
| User’s chat message | Required to generate a response | Your selected AI provider |
| Conversation history (recent messages) | Provides context for coherent responses | Your selected AI provider |
| System prompt / bot instructions | Defines the bot’s behavior | Your selected AI provider |
| Relevant knowledge base excerpts | Provides the AI with information from your site to answer accurately | Your selected AI provider |
| Workflow action inputs | Required for AI-powered workflow steps | Your selected AI provider |
What is NOT sent to AI providers:
- Full user profiles or account data
- Payment information or order payment details
- Your API keys or WordPress credentials
- Any data not directly needed for the AI response
Each AI provider has its own data retention and privacy policy. Relevant links:
- OpenAI: Privacy Policy — API data is not used for training by default
- Anthropic (Claude): Privacy Policy — API data is not used for training
- Google (Gemini): Privacy Policy — review API terms
GDPR Compliance
AIWU is designed to support GDPR compliance, but the plugin alone doesn’t make your site compliant — your configuration and processes matter too.
What AIWU Provides for GDPR
- Data minimization: Configure exactly what data is logged and for how long. Set short retention periods in AI Copilot → Settings → Advanced → Data Retention.
- Data deletion: Delete all conversation data for a specific user via AI Copilot → Conversations → [user] → Delete All.
- Privacy by default: Anonymous sessions are supported — chat works without requiring login or email.
- No third-party tracking: AIWU does not include analytics, tracking pixels, or third-party scripts.
Your Responsibilities
- Disclose AI chat usage in your privacy policy
- Inform users that messages may be processed by a third-party AI provider
- Handle subject access requests (data exports) — AIWU provides data in CSV format for each user
- If using Pinecone (external vector database), include them in your data processing register
Access Control
AIWU uses standard WordPress role capabilities to control access:
| WordPress Role | AIWU Access |
|---|---|
| Administrator | Full access: settings, API keys, all modules |
| Editor | Can manage training datasets and view conversation logs. Cannot change settings or API keys. |
| Author / Contributor | No admin access to AIWU. Can only use the chatbot as a regular user. |
| Subscriber / logged-out users | Can use the chatbot widget only (if enabled) |
You can customize these defaults in AI Copilot → Settings → Access Control.
Deleting User Data
To delete all AIWU data for a specific user:
- Go to AI Copilot → Conversations
- Search for the user by email or session ID
- Click Delete All Conversations for that user
This removes their conversation history. Embeddings generated from your content (not user-specific) are not affected.
To delete ALL plugin data (uninstall scenario):
- Go to AI Copilot → Settings → Advanced
- Click Reset Plugin Data → confirm
- Then deactivate and delete the plugin
What’s Next
- ⚙️ All plugin settings: Plugin Settings: Complete Reference Guide
- 🔌 MCP security: Claude.ai Remote MCP OAuth — OAuth 2.1 is more secure than token-in-URL
- 💬 Set up your first chatbot: Set Up First AI Chatbot
Last verified: AIWU v.4.9.2 · Updated: 2026-02-25
