Faro is the AI agent that powers Server Manager — the thing you chat with. Behind the scenes, Faro is a Large Language Model from OpenAI. Here's what that actually means for your data.
What gets sent to OpenAI on every message
Each time you send a message to Faro, the following is bundled and sent to OpenAI's API:
- Your message text — the prompt you just typed
- A system prompt — Server Manager's instructions to Faro (tool definitions, behavior guidelines, recipe knowledge). Same for everyone.
- The recent conversation history — your previous messages and Faro's responses, within the session
- Server context Faro has gathered, when relevant:
  - Output from the inventory script (running services, Docker containers, recent system events)
  - Contents of config files Faro has read (`/etc/nginx/sites-enabled/...`, `Caddyfile`, `.env` files, etc.) — but only when needed for the specific task
  - Output from commands Faro ran on your server during this session
  - Inferred state about your server (distro, package manager, web engine, etc.)
OpenAI uses this to generate Faro's next response.
What OpenAI does with this
Per OpenAI's API data usage policy:
- They don't train on API data by default. Your messages aren't used to improve future models.
- They retain API request/response logs for up to 30 days for abuse-monitoring (then deleted), with some narrow exceptions if abuse is suspected.
- They have SOC 2 Type 2 and ISO 27001 certifications.
- For EU users, transfers to OpenAI (US) are covered by Standard Contractual Clauses (SCCs) under GDPR.
Server Manager uses OpenAI's standard API, not their consumer ChatGPT product. The terms above are the API terms.
What Faro can't see
- Your SSH credentials. Even though Faro runs commands on your server, the credentials live in process memory of Server Manager's session code, not in the prompt sent to OpenAI. Faro talks to your server through Server Manager; OpenAI doesn't get the keys.
- Other users' conversations or servers. Each chat session is isolated; nothing is shared between accounts at the prompt level.
- Your encryption passphrase (the one for saved server profiles). Never sent to OpenAI; not visible in the chat context.
What about secrets in config files?
Faro reads config files when needed (e.g., to diagnose why a domain isn't serving HTTPS, it might read your Caddyfile). If those files contain secrets — API keys, database passwords — those secrets are part of the prompt sent to OpenAI for that turn.
Two mitigations:
- Faro is instructed to never echo secrets back to you in plain text in its response. It uses placeholders like `<redacted>` when summarizing. (This is a soft mitigation — LLMs can occasionally leak; treat any secret Faro saw as having transited OpenAI's API and apply your own policy.)
- Server Manager's recipes always read secrets from secrets files, never from chat input. When a recipe needs to inject a value into a config, it generates one server-side and writes it to the appropriate file, not via prompting the user to type it.
If you're particularly concerned about a specific file, you can tell Faro "don't read /path/to/file" and it will respect that.
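As an added example (not Server Manager's own code): a heuristic scan over config text that tells you which files hold literal secrets, so you know which paths to name in a "don't read" instruction or which values to rotate if Faro already read them. The key-name patterns, function names and sample files are assumptions constructed for illustration; the report contains key names and line numbers only, never values.

```python
import re

# Key names that usually hold credentials (heuristic list, assumed for this example).
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
# KEY=value, KEY: value, or "directive value;" as seen in .env, nginx and Caddy files.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][\w.-]*)\s*(?:[=:]\s*|\s+)(\S.*?);?\s*$")
# Values that are references or empty placeholders rather than literal secrets.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\$\w+\}|\{env\.\w+\}|<[^>]*>|changeme|)$", re.I)
# URLs with embedded credentials, e.g. scheme://user:password@host
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)


def find_secret_lines(text):
    """Return [(line_number, key_name)] for lines that look like literal secrets."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if URL_CREDS.search(value) or (SECRET_KEY.search(key) and not PLACEHOLDER.match(value)):
            hits.append((number, key))  # the value is deliberately not recorded
    return hits


def files_to_exclude(files):
    """Map path -> flagged key names for every file that contains a literal secret."""
    report = {}
    for path, text in files.items():
        keys = [key for _, key in find_secret_lines(text)]
        if keys:
            report[path] = keys
    return report


# Constructed sample inputs (not from any real server).
SAMPLE_FILES = {
    "/srv/app/.env": "# app settings\nPORT=8080\nDB_PASSWORD='s3cr3t-example'\nexport API_KEY=abc123example\nDATABASE_URL=postgres://app:pw-example@db:5432/app\n",
    "/etc/caddy/Caddyfile": "example.test {\n    reverse_proxy localhost:8080\n}\n",
    "/srv/app/compose.env": "SMTP_PASSWORD=${SMTP_PASSWORD}\nLOG_LEVEL=info\n",
}

if __name__ == "__main__":
    for path, keys in files_to_exclude(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(keys)}")
```

A file with no hits is not proven clean; the scan only catches conventional key names and credential-bearing URLs.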
Chat history retention on our side
We don't persist chat history. Sessions are RAM-only by design — a JavaScript Map living on the running server process. Specifically:
- Your conversation is held in the session's memory while it's open
- Server reboots, deploys, or session timeouts → conversation is gone
- There's no database table holding chat messages
- "View past conversations" is not a feature today, deliberately
When you close the browser tab, the session continues briefly server-side (so you can reload and recover), then times out and is dropped. No long-term storage.
OpenAI's side: 30-day operational logs
OpenAI logs API requests for up to 30 days for abuse-prevention. After that, those logs are deleted per their policy. We don't have access to OpenAI's logs of your queries — that data is solely between you and OpenAI under their terms.
Will Server Manager ever use a different LLM provider?
Possibly. The architecture supports swapping providers (Anthropic Claude is wired but not the production default). If that changes, this page will be updated, and any material privacy difference will trigger a re-acceptance of the Terms of Service.
Summary
| What | Sent to OpenAI? | Stored by Server Manager? |
|---|---|---|
| Your chat messages | Yes | RAM only (session lifetime) |
| System prompt + tool definitions | Yes | Static in our code |
| Server inventory output | Yes (when relevant) | RAM only |
| Config file contents Faro reads | Yes (when relevant) | RAM only |
| Command outputs from your server | Yes (when relevant) | RAM only |
| SSH credentials | No | Encrypted (saved) or RAM-only (active) |
| Your encryption passphrase | No | Never stored anywhere |
| Card / payment info | No | Stripe handles; we store only opaque IDs |
| Email address | No | Yes (account record) |
For the legally-binding wording, see the Privacy Policy.