Overview

The Data Privacy (Custom) Policy enables organisations to create highly tailored protections around sensitive information by selecting specific data types to monitor and manage in AI interactions. Unlike the standard Data Privacy Policy, which focuses on regulatory frameworks like GDPR or HIPAA, this version empowers users to configure protections based on custom-sensitive entities that reflect their unique compliance, operational, or industry needs. This flexibility gives organisations granular control over what constitutes “sensitive information” allowing them to apply detection and prevention strategies across both prompts and AI-generated responses.

What the Policy Does

Purpose

The purpose of the Data Privacy (Custom) Policy is to protect custom-defined sensitive data by identifying and managing it in real time during LLM interactions. This policy is ideal for:

  • Organisations with internal data standards not covered by regulation.
  • Companies operating in niche industries with unique sensitivity requirements.
  • Teams wanting full control over entity-level filtering and monitoring.

Scope

Custom Entity Configuration

Users can select from a list of 52 predefined custom entities (e.g., email addresses, passport numbers, employee IDs, passwords, customer codes) to build a custom configuration.

Prompt & Response Configuration

The policy can be applied to:

  • Prompts: Preventing sensitive data from being shared with the LLM.
  • Responses: Ensuring that sensitive information is not surfaced back to the user.

Each setting can be enabled independently to reflect business priorities.

Operational Modes

  • Monitor Only: Records when sensitive entities are detected but does not block the interaction.
  • Monitor & Override: Blocks prompts or responses that contain custom-sensitive data.

Key Features

  • 52 Predefined Custom Entities: Covers a wide range of sensitive data types.
  • Full User Control: Select exactly which entities to monitor.
  • Independent Prompt/Response Filtering: Tailor enforcement across the full interaction flow.
  • Flexible Enforcement Modes: Monitor-only or full blocking.
  • Configurable to Any Environment: Supports internal governance or industry-specific standards.

Why Use This Policy?

Benefits

  • Delivers fine-grained control over sensitive data handling.
  • Addresses data categories not covered by standard regulatory frameworks.
  • Reduces the risk of exposure across niche or specialised business functions.
  • Strengthens internal governance through custom configuration.

Use Case: Global eCommerce Company

Scenario

An international eCommerce platform uses AI to generate customer service responses, product descriptions, and marketing content. Leadership wants to ensure that personally identifiable data (e.g., account numbers, internal codes, or order IDs) is not disclosed through AI interactions.

Challenge

The organisation needs to:

  • Define sensitive data types that are not strictly regulated.
  • Prevent their LLM from inadvertently generating or accepting content that includes internal identifiers.
  • Enable selective enforcement depending on team and workflow.

Solution: Implementing the Data Privacy (Custom) Policy

  1. Entity Configuration
    Users select from 52 predefined entities including order IDs, internal references, and contact information.

  2. Prompt & Response Filtering
    Enabled for both inputs and outputs.

  3. Operational Mode
    Initially set to Monitor Only for insight.
    Switched to Monitor & Override after analysis reveals frequent matches.

How to Use the Policy

Note: The steps below guide you through configuring the Data Privacy (Custom) Policy using the policy workflow interface.

Step 1: Navigate to the Policy Workflow

  1. From the Dashboard, open the Project Overview by selecting your project from the Project Table.
  2. In the Policy section of the Project Overview, click Edit Policy to launch the policy configuration workflow.

Step 2: Select and Enable the Data Privacy (Custom) Policy

  1. In the Configure Policies tab, a list of available policies will be displayed.
  2. Click on Data Privacy (Custom) to view its configuration options on the right-hand side.
  3. Toggle the Enable Policy switch to ON at the top of the panel to begin editing.

Step 3: Select Custom Sensitive Entities

  1. Under Entity Categories, you’ll see a set of expandable groups. Click on any group to reveal its entities:
    • Personal Identification & Demographic
    • Government and Legal Identifiers
    • Contact & Online Presence
    • Healthcare & Medical
    • Financial and Banking
    • Access Credentials & Security
    • Organisational & Professional
    • Temporal & Analytical
  2. Within each expanded category, check the boxes for the specific sensitive entities you want to monitor (e.g., email address, passport number, IP address).
  3. As entities are selected, they will appear as tags under the Selected Entities section for easy review and removal.

Step 4: Set Application Scope

  1. Under the Apply Policy To section, select where you want the policy enforced:
    • Prompt – User inputs only
    • Response – AI-generated outputs only
    • Both – Full bidirectional coverage

Step 5: Configure Enforcement Behaviour

  1. Under Behaviour, choose how the policy should respond to detected sensitive data:
    • Log Only – Capture and log entity violations without interruption.
    • Log and Override – Block the interaction and return a smart, policy-aware response.

Step 6: Save, Test, and Apply the Policy

  1. Click Save Changes to store your selected entities and configuration.
  2. (Optional) Go to the Test Policies tab to evaluate how the policy behaves in real time with a chatbot.
  3. Return to the Configure Policies tab and click Apply Policies to enforce your changes across the project.
  4. A confirmation message will notify you that the policy has been successfully applied.

The Data Privacy (Custom) Policy provides precise, entity-level protection for sensitive information unique to your organisation—ensuring total control over data handling and policy enforcement.

Custom Entity Groups and Entities

GroupEntityDescription
Personal Identification & DemographicsNameNames of individuals, not including personal titles such as ‘Mrs.’ or ‘Mr.‘
First NameNames given to an individual, usually at birth; often first / middle names in Western cultures and middle / last names in Eastern cultures
Family NameNames indicating a person’s family or community; often a last name in Western cultures and first name in Eastern cultures
GenderTerms indicating gender identity or sexual orientation, including slang terms
Date of BirthDates of birth
AgeNumbers associated with an individual’s age
Place of OriginTerms indicating nationality, ethnicity, or provenance
CountryCountry names
StateState, province, territory, or prefecture names
CityMunicipality names, including villages, towns, and cities
Post CodeZip codes (including Zip+4), postcodes, or postal codes
Street NameA subclass of “Address”, covering building number and street name, plus unit numbers, office numbers, floor numbers and building names
AddressFull or partial physical mailing addresses
LocationMeta-class for any named location reference
Geographical CoordinatesGeographic positions referred to using latitude, longitude, and/or elevation coordinates
LanguageNames of natural languages
Marital StatusTerms indicating marital status
ReligionTerms indicating religious affiliation
Political AffiliationTerms referring to a political party, movement, or ideology
Physical AttributeDistinctive bodily attributes, including terms indicating race
UsernameUsernames, login names
Government & Legal IdentifiersPassport NumberPassport numbers, issued by any country
Social Security NumberSocial Security Numbers or international equivalent government identification numbers
Driving License NumberDriver’s permit numbers
NHS NumberHealthcare numbers and health plan beneficiary numbers
IP AddressInternet IP address, including IPv4 and IPv6 formats
Vehicle ID NumberVehicle identification numbers (VINs), vehicle serial numbers, and license plate numbers
Contact & Online PresenceE-mailEmail addresses
Contact NumberTelephone or fax numbers
URLInternet addresses
Healthcare & MedicalBlood GroupBlood types
Medical ConditionNames of medical conditions, diseases, syndromes, deficits, disorders
MedicationMedications, vitamins, and supplements
Medical ProcedureMedical processes, including treatments, procedures, and tests
InjuryBodily injuries, including mutations, miscarriages, and dislocations
DosageMedically prescribed quantity of a medication
Medical CodeCodes belonging to medical classification systems such as SNOMED, ICD-10, NDC, etc.
Professional Medical NameFull names, including professional titles and certifications, of medical professionals
Healthcare FacilityNames of medical facilities, such as hospitals, clinics, pharmacies, etc.
Financial & BankingBank Account NumberBank account numbers and international equivalents, such as IBAN
Credit Card NumberCredit card numbers
Credit Card Expiry DateExpiration date of a credit card
CVV3- or 4-digit card verification codes and equivalents
Cardholder NameName on the front (or sometimes the back) of credit card or debit card
Card PINA four- or six-digit number that the cardholder sets up when opening their account
One-time PINOne-time Password or OTP sent to Registered Mobile Number for online transactions
Account NumberCustomer account or membership identification number
Swift codeRouting number associated with a bank or financial institution
MoneyNames and/or amounts of currency
Access Credentials & SecurityPasswordAccount passwords, PINs, access keys, or verification answers
Organisational & ProfessionalOrganisationNames of organisation or departments within an organisation
Temporal & AnalyticalDateSpecific calendar dates, which can include days of the week, dates, months, or years
Date RangeBroader time periods, including date ranges, months, seasons, years, and decades
StatisticsMedical statistics
FilenameNames of computer files, including the extension or filepath (if used in data analysis or reports)