// the inventory — exactly what Sage stores about you#
Discord user ID (snowflake). The 17–20 digit numeric ID that uniquely identifies your Discord account. This is your primary key in Sage's data.
Display name + avatar URL. Copied from Discord at sign-in + refreshed on JWT rotation. Used to render your name + picture on /account.
Tier set. The list of Discord roles you held at the most recent role-cache refresh, mapped to the dashboard's tier vocabulary.
Telegram chat ID (if linked). A numeric chat identifier — not your username, not your phone number.
Paper ticket and signed-intent metadata. The venue, market, side, size, action, signature state, and audit references for Sage-created tickets.
Your signals (if you're a caller). Every signal you fire, including the thesis text.
Your positions when you choose to track them. Open + closed positions on the venues may be mirrored to Sage's PnL service once that integration is enabled.
Your follows + subscriptions. Which callers you follow, which markets you watch.
Audit log entries. Every link/unlink, every signal fire, every notification preference change, every config edit.
// what Sage does NOT store#
Your Discord OAuth token after the session ends. The token is held only in your encrypted session cookie + the JWT on the server; nothing persists.
Your Telegram username or phone number. The bot stores only the chat ID.
Your wallet private key. Sage does not ask for it, import it, or store it.
Your IP address (in long-term storage). Source IPs land on audit rows for the 90-day retention window, then drop.
Behavioural tracking. Sage doesn't run a tracker, doesn't share data with ad networks, doesn't sell anything.
// retention windows#
Audit log — 90 days for most event kinds. Paper-ticket, signed-intent, config, and operator rows are retained for ops review.
Signals — indefinite as part of the public caller history + leaderboard math. Caller-deleted signals (within the 1-minute grace window) are scrubbed.
Positions — indefinite as part of your PnL history. You can request a wipe via /leave; see below.
Session cookies — TTL is 10 minutes for the negative-cache path, 10 hours for the positive path. Cookies are httpOnly + secure + SameSite=Lax.
// how to leave#
In Discord, run /leave. The bot acknowledges + queues the wipe.
On the next nightly job (within 24 hours), Sage purges: your follows, your subscriptions, your telegram link record, and user-owned preference records where retention policy allows.
Two categories of data survive the wipe: (1) signals you fired as a caller — they're part of the public history + can't be selectively removed; (2) audit log entries within their retention window — required for ops investigations.
If you want even those removed (rare — GDPR-style erasure request), email ops@sagefnf.com with your Discord user ID. Manual ops review + 30-day fulfillment window.
// audits + the audit log#
Every state change on Sage lands on /ops/audit: link / unlink, signal fire, signal delete, follow / unfollow, broadcast, config edit, caller verification, paper-ticket creation, intent signing, and operator action.
The actor on every row is the Discord user ID + tier-at-time. Anyone with oracle/admin access can review.
The audit log is append-only — nothing is ever edited or removed in place. Corrections happen via new rows (kind: 'correction' with a reference to the original).