This paper addresses the risk of sensitive data leakage in retrieval-augmented generation (RAG) systems under multi-turn queries, proposing a differentially private RAG framework that balances privacy and utility. Methodologically, it introduces MURAG and MURAG-ADA—algorithms enabling personalized, document-level privacy filtering and adaptive threshold release. Crucially, privacy loss grows linearly with the number of times a document is retrieved, rather than with the total number of queries, thereby overcoming the traditional bottleneck of cumulative privacy budget exhaustion. The approach integrates dynamic privacy budget allocation with a privatized threshold mechanism. Extensive evaluation across multiple LLMs and datasets demonstrates that, under practical privacy budgets (ε ≈ 10) over hundreds of queries, the framework achieves significantly higher question-answering accuracy than single-query baselines—validating both theoretical soundness and engineering viability.

Retrieval-augmented generation (RAG) enhances large language models (LLMs) by retrieving documents from an external corpus at inference time. When this corpus contains sensitive information, however, unprotected RAG systems are at risk of leaking private information. Prior work has introduced differential privacy (DP) guarantees for RAG, but only in single-query settings, which fall short of realistic usage. In this paper, we study the more practical multi-query setting and propose two DP-RAG algorithms. The first, MURAG, leverages an individual privacy filter so that the accumulated privacy loss only depends on how frequently each document is retrieved rather than the total number of queries. The second, MURAG-ADA, further improves utility by privately releasing query-specific thresholds, enabling more precise selection of relevant documents. Our experiments across multiple LLMs and datasets demonstrate that the proposed methods scale to hundreds of queries within a practical DP budget ($varepsilonapprox10$), while preserving meaningful utility.