Information the service processes
Account data: authenticated email, display name, workspace identifiers, plan, settings, and connection status.
User-directed content: captures, panel configuration, project metadata, and files only when the user chooses cloud-backed features. Local-only features should keep content on the device.
Provider data: repository, thread, run, or billing metadata requested through an authorized connection. Provider tokens must be encrypted, access-controlled, and revocable.
Payment data: checkout, refund, dispute, tax, creator-account, and payout receipts. Full card details are handled by the payment provider, not stored by Codex Panels.
The paid-panel telemetry contract
An entitlement check may process only the panel slug, panel version, signed grant/license identifier, a client-generated pseudonymous installation hash, and a UTC day bucket. The application does not include prompts, outputs, captures, chats, filenames, file contents, repository contents, project names, or workflow purpose in that event.
Paid-panel entitlement checks are required to enforce the license and calculate creator usage rewards. Optional product diagnostics must be separately controllable and must not be bundled into the entitlement event.
Agent imports and frontier-model connections
Supported agent setup and recent work should enter ChatGPT through OpenAI’s native import flow or through a user-supplied export. CodexPanels may retain an import status and provenance receipt, but should not request a frontier-model consumer password, scrape a private conversation sidebar, or claim continuous synchronization where a provider does not publish that capability.
Model requests routed through Vercel AI Gateway may disclose the prompt and necessary context to the selected model provider. The interface must identify the selected provider, connection mode, applicable retention controls, and cost boundary before use. Provider credentials must be encrypted, server-side, locally held, or managed through a supported authorization flow; they must never be exposed to marketplace panels or creators.
Purposes and legal bases
Data is used to provide the service and purchased features; secure accounts and providers; fulfill contracts and licenses; process payments; calculate creator shares; prevent fraud and abuse; comply with law; respond to support; and improve the product using aggregated or appropriately de-identified information.
The final notice must map each purpose to the lawful basis required in each launch market, including contract, legitimate interests, consent, and legal obligation where applicable.
Retention and deletion
Target policy: raw paid-panel active-license events expire after 30 days; aggregate creator-usage and financial records remain only as needed for payout reconciliation, accounting, fraud prevention, and legal obligations; captures and project records remain until the user deletes them or the account; security logs use a documented short retention unless an incident requires preservation.
Deletion requests should propagate to active systems and scheduled backups subject to security, tax, dispute, and legal-retention exceptions. The production retention schedule must be verified before launch.
Disclosure and subprocessors
Data may be disclosed to infrastructure, identity, AI, repository, payment, email, analytics, support, and security vendors only for documented service purposes; to creators only as aggregate or transaction information needed for their sales and payouts; and to authorities or parties when legally required or necessary to protect rights and safety.
Codex Panels does not sell panel contents or use paid-panel telemetry to build advertising profiles.
User choices and rights
Users can review connection status, disconnect providers, disable optional diagnostics, export supported workspace data, inspect license receipts, and request access, correction, deletion, or restriction where applicable. A paid entitlement check cannot be disabled while continuing to use that licensed panel, but the 30-day offline grace window limits forced connectivity.
Requests may be sent to [email protected] once operational. Identity verification and response procedures must be completed before launch.
Security and international use
Planned controls include scoped authorization, encryption in transit and at rest, secret rotation, webhook verification, signed license grants, separate ledgers, audit receipts, secure file handling, dependency review, rate limiting, backups, and incident response. No security program can guarantee zero risk.
International transfers, regional hosting, standard contractual clauses, representative requirements, children’s privacy, and state-specific disclosures require counsel review based on actual launch markets.