Privacy Policy
Last updated: 2026-06-08
This Privacy Policy explains how Passrail collects, uses, and protects information during our private beta. Passrail is operated by the Passrail team (“Passrail,” “we,” “us”). This page is provided for transparency and is not legal advice.
What Passrail does
Passrail is trust infrastructure for AI agents. It sits between agents and the real-world tools they call, applying policies, pausing risky actions for human approval, returning deterministic instructions, and recording signed receipts and audit events for every request.
Information we collect
We collect the following to provide and secure the service:
- Account information, such as your email address and credentials.
- Waitlist email addresses submitted to request beta access.
- Organization and workspace data you create.
- Agent names, descriptions, and configuration.
- Action requests and the payloads agents submit for evaluation.
- Receipts generated for agent requests and decisions.
- Approval records, including who approved or denied an action.
- Audit events describing activity in your organization.
- Webhook endpoints and delivery metadata.
- Connection metadata for the tools you integrate.
- Encrypted tool credentials and other secrets you store.
- Usage, log, device, and security data (for example, IP address, request timestamps, and error logs).
How we use information
We use the information above to:
- Provide and operate the service.
- Authenticate users and agents.
- Evaluate policies and route actions through approvals.
- Generate receipts and maintain audit logs.
- Deliver webhooks to systems you connect.
- Secure the platform and investigate abuse.
- Communicate with you about beta access and the service.
Secrets and credentials
Tool credentials are encrypted at rest. Agent API keys are stored only as one-way hashes. Plaintext secrets are shown only once, at creation time, and are never displayed again. We do not include secrets in receipts, audit logs, or webhook payloads. No method of storage or transmission is perfectly secure, and we cannot guarantee absolute security.
How we share information
We do not sell personal information. We share information only in these limited cases:
- Service providers that help us run Passrail, such as hosting, database, and authentication providers (currently Supabase), and an email provider if one is added later. These providers process data on our behalf.
- Legal and security compliance, where disclosure is required by law or necessary to protect the platform, our users, or the public.
Data retention
Receipts and audit logs are retained because they are core to how the product works and to maintaining a tamper-evident record. Beta users can request deletion of their organization’s data. Some logs and records may be retained for a limited period for security or legal reasons even after a deletion request.
Your choices
You can contact us to request access to or deletion of your data. Where we send email and your address is on file, you can adjust your communication preferences or unsubscribe from non-essential messages.
Security
We use encryption, row-level security and organization isolation, rate limiting, and audit trails to protect data. These measures reduce risk, but no system is perfectly secure, and we cannot guarantee that unauthorized access will never occur.
Children
Passrail is not intended for children and is not directed to anyone under the age required to form a binding contract in their jurisdiction.
Changes to this policy
We may update this policy as Passrail evolves during the beta. Material changes will be reflected by updating the date above.
Contact
Questions about this policy or your data? Email us at support@passrail.io.