Redact on ingest (Presidio). Never store raw in the audit log; store the redacted version. Hash any PII you must keep for joins; never log it. Users who want to see “what we stored” see the redacted form so they can’t infer anything sensitive.
Pre-LLM: Presidio anonymize scrubbed user_msg.
Audit log: store scrubbed_msg plus hash(user_id) for traceability.
Retrieval: store metadata with redacted/redacted-hash PII fields.
user_input -> Presidio -> scrub -> audit(hashed_id, scrub)
LLM gets scrubbed only
Redact at the boundary, never raw. The audit trail is your defense when regulators ask.