diff --git a/gadget-code/src/services/chat-session.ts b/gadget-code/src/services/chat-session.ts
index ec7a522..d0cf008 100644
--- a/gadget-code/src/services/chat-session.ts
+++ b/gadget-code/src/services/chat-session.ts
@@ -5,12 +5,19 @@
 import { IChatSession, ChatSessionMode, GadgetId } from "@gadget/api";
 
 import { DtpService } from "../lib/service.js";
+import { PopulateOptions } from "mongoose";
 import ChatSession from "../models/chat-session.js";
 import ChatTurn from "../models/chat-turn.js";
 import Project from "../models/project.js";
 import AiProvider from "../models/ai-provider.js";
 
 class ChatSessionService extends DtpService {
+  private populateSession: PopulateOptions[] = [
+    { path: "user", select: "-passwordSalt -password" },
+    { path: "project" },
+    { path: "provider" },
+  ];
+
   get name(): string {
     return "ChatSessionService";
   }
@@ -75,7 +82,7 @@ class ChatSessionService extends DtpService {
       model: selectedModel,
     });
 
-    return session;
+    return session.populate(this.populateSession);
   }
 
   /**
@@ -83,7 +90,7 @@ class ChatSessionService extends DtpService {
    */
   async getById(chatSessionId: GadgetId): Promise<IChatSession> {
     const session = await ChatSession.findById(chatSessionId)
-      .populate("user")
+      .populate("user", "-passwordSalt -password")
       .populate("project")
       .populate("provider")
       .lean();
@@ -100,7 +107,7 @@ class ChatSessionService extends DtpService {
    */
   async getByProject(projectId: GadgetId): Promise<IChatSession[]> {
     const sessions = await ChatSession.find({ project: projectId })
-      .populate("user")
+      .populate("user", "-passwordSalt -password")
       .populate("project")
       .populate("provider")
       .sort({ createdAt: -1 })
@@ -114,7 +121,7 @@ class ChatSessionService extends DtpService {
    */
   async getByUser(userId: GadgetId): Promise<IChatSession[]> {
     const sessions = await ChatSession.find({ user: userId })
-      .populate("user")
+      .populate("user", "-passwordSalt -password")
       .populate("project")
       .populate("provider")
       .sort({ createdAt: -1 })
@@ -191,7 +198,7 @@ class ChatSessionService extends DtpService {
    */
   async getTurns(chatSessionId: GadgetId): Promise<any[]> {
     const turns = await ChatTurn.find({ session: chatSessionId })
-      .populate("user")
+      .populate("user", "-passwordSalt -password")
       .populate("project")
       .populate("provider")
       .sort({ createdAt: 1 })
diff --git a/gadget-code/src/services/contact.ts b/gadget-code/src/services/contact.ts
index 696ac20..6eccf6e 100644
--- a/gadget-code/src/services/contact.ts
+++ b/gadget-code/src/services/contact.ts
@@ -134,7 +134,9 @@ The ${env.site.name} Team
   }
 
   async verifyEmailCode(code: string): Promise<IEmailVerification> {
-    const verification = await EmailVerification.findOne({ code }).lean();
+    const verification = await EmailVerification.findOne({ code })
+      .populate(this.populateEmailVerification)
+      .lean();
     if (!verification) {
       const error = new Error("Invalid verification code");
       error.statusCode = 400;