Privacy & security
A narrow route.
A clear boundary.
This policy explains what the PromptRail plugins for Codex and Claude Code process, what stays local, and what goes directly to your model provider.
Last updated July 10, 2026Scope
This policy applies to the open-source PromptRail Codex and Claude Code client integrations. It supplements the main PromptRail Privacy Policy, which governs the hosted PromptRail service and account information.
Data sent to PromptRail
The UserPromptSubmit hook sends the latest user-submitted prompt to PromptRail’s hosted routing service so it can select an effort grade. It also sends a separate PromptRail access token.
Codex routing requests include the selected Codex model identifier. Claude Code routing requests do not send the Claude session ID or model identifier to PromptRail.
Data that stays local
Provider OAuth tokens, provider account identifiers, system and developer instructions, full conversation transcripts, attachments, tool definitions, and model responses are not sent to PromptRail.
Claude Code uses its session identifier only on your machine to match a hook decision with the corresponding local model request.
Local proxy and logs
The local proxy forwards provider requests directly from your machine to OpenAI or Anthropic. It binds only to 127.0.0.1, restricts forwarded paths, and does not log prompts or provider credentials. Operational logs contain only the selected grade, effort, and routing latency.
Local files and removal
Router configuration is stored under ~/.codex/promptrail-router or~/.claude/promptrail-router with user-only permissions. Uninstall removes the local router credential and restores the provider configuration when it is safe to do so.
Security and user responsibility
PromptRail access tokens must be treated as secrets. Do not commit a token, paste it into an issue, or share router configuration files. The clients reject provider API-key traffic on their subscription-only routes and do not follow upstream redirects automatically.
Questions and security reports
For privacy questions or data requests, email support@promptrail.ai. Do not open a public issue for a credential, authentication, local proxy, or cross-user data vulnerability; email us with the subject “Security report.”
