Built so your admins see patterns, never prompts.
Palindrome’s privacy layer is modeled on Anthropic’s published Clio methodology. It’s the architecture, not a policy.
Content-free summaries
Prompts are summarized with PII and proper nouns stripped before anything downstream sees them.
The 5-person rule
Clusters surface only with ≥5 distinct users; below that, nothing is shown.
Auditor pass
A final model review removes any cluster that still carries private information.
Short-TTL raw store
Raw content auto-deletes in ~14 days; dashboards never query it directly.
Tenant isolation
Per-org keys, fail-closed org matching at ingest, org-scoped row policies in storage.
Your data, exportable & deletable
Full export, account deletion, and individual-user erasure (GDPR-style).
If your company uses Palindrome, here’s what it means for you
Admins literally cannot read your prompts. The pipeline strips content before they ever see it.
Anything an admin sees is aggregated across at least five people. Nothing singles you out.
You get your own dashboard with full transparency into your individual usage.