Discord user ID (snowflake). The 17–20 digit numeric ID that uniquely identifies your Discord account. This is your primary key in Sage's data.

Display name + avatar URL. Copied from Discord at sign-in + refreshed on JWT rotation. Used to render your name + picture on /account.

Tier set. The list of Discord roles you held at the most recent role-cache refresh, mapped to the dashboard's tier vocabulary.

Telegram chat ID (if linked). A numeric chat identifier — not your username, not your phone number.

Custodial wallet address (if generated, phase 5). Your on-chain address on Polygon. Public information by design — anyone can see what an address holds.

Your signals (if you're a caller). Every signal you fire, including the thesis text.

Your positions (when execution ships). Open + closed positions on the venues, mirrored to Sage's PnL service.

Your follows + subscriptions. Which callers you follow, which markets you watch.

Audit log entries. Every link/unlink, every signal fire, every notification preference change, every config edit.

Your Discord OAuth token after the session ends. The token is held only in your encrypted session cookie + the JWT on the server; nothing persists.

Your Telegram username or phone number. The bot stores only the chat ID.

Your wallet private key. The custodial wallet (phase 5) uses a KMS envelope — the raw key never lives in Sage's database or in plaintext anywhere.

Your IP address (in long-term storage). Source IPs land on audit rows for the 90-day retention window, then drop.

Behavioural tracking. Sage doesn't run a tracker, doesn't share data with ad networks, doesn't sell anything.

Audit log — 90 days for most event kinds. Fund-move audit rows (when execution ships) retain longer per regulatory requirement (typically 5 years).

Signals — indefinite as part of the public caller history + leaderboard math. Caller-deleted signals (within the 1-minute grace window) are scrubbed.

Positions — indefinite as part of your PnL history. You can request a wipe via /leave; see below.

Session cookies — TTL is 10 minutes for the negative-cache path, 10 hours for the positive path. Cookies are httpOnly + secure + SameSite=Lax.

In Discord, run /leave. The bot acknowledges + queues the wipe.

On the next nightly job (within 24 hours), Sage purges: your follows, your subscriptions, your telegram link record, your custodial wallet record (if any).

Two categories of data survive the wipe: (1) signals you fired as a caller — they're part of the public history + can't be selectively removed; (2) audit log entries within their retention window — required for ops investigations.

If you want even those removed (rare — GDPR-style erasure request), email ops@sagefnf.com with your Discord user ID. Manual ops review + 30-day fulfillment window.

Every state change on Sage lands on /ops/audit: link / unlink, signal fire, signal delete, follow / unfollow, broadcast, config edit, caller verification, wallet generation (phase 5), trade execution (phase 5).

The actor on every row is the Discord user ID + tier-at-time. Anyone with oracle/admin access can review.

The audit log is append-only — nothing is ever edited or removed in place. Corrections happen via new rows (kind: 'correction' with a reference to the original).