This is the practical, plain-English version. It is also the actual behavior of the code (the extension and backend are MIT-licensed at github.com/Preprompt-ai/preprompt). If the code and this page ever disagree, file an issue and we’ll fix both.
Two extension features are user-controlled from the popup: outcome telemetry (default on, opt-out — logs your accept/revert/reject verdict per rewrite, never the prompt text) and conversation-aware rewrites (default off, opt-in — when on, reads recent visible conversation turns to help the rewriter resolve back-references). See §4 below for exactly what each one does and how to control them.
1. What PrePrompt does, on data
2. What we collect, and when
- Prompt text— only the text in the chat textarea, only when you click Rewrite. Stored against your account if you’re signed in (so it shows on your dashboard). For anonymous users, stored briefly for IP-level rate limiting only.
- Account email— if you sign up. Used to send the confirmation email and any billing notices. We do not market to you.
- Usage counts— how many rewrites you’ve done this month, per site (so we can show you a dashboard).
- Outcome events— after a rewrite is shown, we record what you did with it (accepted, reverted, rejected, edited, or abandoned), and if you reject one you can optionally pick a reason from a short list, so we can measure whether our rewrites are actually useful. The events do not contain your prompt text or the rewritten text— just the verdict, the route taken, an anonymous ID linking back to the rewrite, and (for a rejection) the reason category you chose. On by default; can be turned off from the extension popup. See §4.
- Conversation context— only if you have turned on conversation-aware rewrites. When on, clicking Rewrite inside an existing chat also sends the recent visible turns from that thread, so the rewriter can resolve pronouns like “make it shorter”. Off by default. Read live from the page at click time; never stored on our servers between requests. See §4.
- Error events— if the extension or backend errors, we log it to Sentry with all PII keys (prompt text, email, IPs) scrubbed before send. Used to keep the product working.
- Product analytics— we send anonymous events to PostHog when you sign up, complete a rewrite, or hit a limit. No prompt text leaves with these events.
3. What we don't collect
- No browsing history. The extension does not read your tabs, your URLs, or anything outside the prompt textarea on supported sites.
- No conversation history by default.We do not read what the LLM said back to you unless you have explicitly turned on conversation-aware rewrites in the extension popup. When that switch is on, the recent visible turns are read live at the moment of click and sent only for that one rewrite — never stored on our servers between requests. See §4.
- No background scraping. The extension runs entirely on Rewrite-click. There is no background telemetry, no idle pings.
- No third-party analytics network on the marketing site beyond PostHog (product) and Vercel Analytics (page views).
- No selling, ever. We do not sell, license, or share your prompt data with anyone outside the third parties listed below.
4. Optional features — what they share and how to control them
Two features in the extension extend the default behaviour above. Both are user-controlled from the extension popup, both ship with their own protections, and you can turn either on or off at any time without losing data.
4a. Outcome telemetry (default on, opt-out)
After a rewrite is shown in your chat textarea, the extension records what happened next, so the team can measure whether rewrites are actually adding value:
- accepted— you sent the rewritten version.
- reverted— you clicked Undo on the post-rewrite toast.
- rejected— after undoing, you optionally picked a reason the rewrite didn’t work (e.g. “changed what I meant”, “too long”, “wrong tone”) from a short list. This step is always optional — dismiss it and nothing extra is recorded. When you do pick one, we store only the category you tapped, never free text.
- edited— you modified more than ~10% of the rewrite before sending. (We treat this rate as directional only — the 10% threshold can mis-fire on small edits with big meaning, and on big edits that don’t change intent.)
- abandoned— you didn’t send within 30 seconds while the page was still in focus. (We don’t fire this if you tabbed away — that’s interruption, not abandonment.)
Each event contains: the verdict (one of the five above), the route the rewriter took, an anonymous ID that links the event back to the rewrite it came from (the before/after quality score lives on that rewrite record, not on the event itself), and — for a rejection — the reason category you picked from the list. None of these events contain your prompt text or the rewritten text.
You can turn outcome telemetry off entirelyfrom the extension popup → Settings → “Track rewrite outcomes.” When off, no outcome events fire at all. Turning it off doesn’t affect any rewrite you’ve done before, and the rewriter still works exactly the same way.
A server-side cap (100 outcome events per IP per hour) protects the database from a runaway content script.
4b. Conversation-aware rewrites (default off, opt-in)
Today the rewriter sees only the text in your chat textarea. If you turn on conversation-aware mode, clicking Rewrite inside an existing chatalso reads the recent visible turns from that thread, so the rewriter can resolve back-references (“make it shorter,” “do that in Python instead”) instead of guessing.
Five things are true any time conversation-aware mode is on, whether or not we’ve recommended you enable it:
- The conversation context is read live from the page DOM at the moment you click Rewrite. It is never stored in the extension, never synced anywhere, and never carried between chats.
- The conversation context goes to our backend only for that one rewrite. It is sent on to Anthropic to generate the rewrite, then discarded server-side. It is not added to your dashboard history.
- We run our secret scanner on the full assembled payload— draft plus context — before sending anything. If a secret (API key, token, password pattern) is detected, the context is dropped entirely and the rewriter runs on the draft alone. We never display the matched secret back to you, and we never tell the server about it.
- After every rewrite in this mode, the post-rewrite toast has an “Inspect what was sent” link that opens a panel showing exactly which turns from the conversation were included. Trust through visibility, not promises.
- A new chat (no prior turns yet) behaves identically to the default mode — only the textarea is sent.
Conversation-aware mode is off by default. The switch lives in the extension popup → Settings → “Context-aware rewrites.” You can turn it on or off at any time. When off, the extension behaves exactly as described in §1–§3 above.
We monitor an aggregate “context attached rate” per site (Sentry alert if it drops sharply — usually means a site redesign broke our reader, not anything you did). No individual user data is in that metric.
5. Third parties (subprocessors)
To run PrePrompt, your data passes through these providers:
- Anthropic— runs Claude Haiku 4.5, which generates the rewrite. Your prompt text is sent to Anthropic per their privacy policy. Anthropic does not train on API traffic.
- Supabase— stores your account, plan, and rewrite history. Hosted in their managed environment.
- Railway— runs the PrePrompt backend.
- Vercel— serves this marketing site and the dashboard.
- Sentry— receives scrubbed error events. PII keys are stripped before send.
- PostHog— receives anonymous product events. Prompt text is never sent.
- Resend— sends welcome and billing emails.
- Stripe— processes payments and subscriptions. We don’t store card data — Stripe handles it.
6. How long we keep your data
- Prompts— kept as long as your account is active, so your dashboard history works. Delete your account and they’re purged within 30 days.
- Account email— kept while you’re signed up.
- Usage events— aggregated monthly buckets; raw rows pruned after 90 days.
- Sign outclears the auth token and any cached usage from your browser. Sign back in and it’s restored.
7. Your rights
- See your data — everything we have on you is on your dashboard.
- Export your prompt history — email hello@preprompt.org and we’ll send you a JSON dump within 7 days.
- Delete your account— same email. Purged within 30 days. We’ll confirm when it’s done.
- Correct anything wrong— reach out by email.
We treat GDPR and CCPA rights as the floor, not the ceiling, no matter where you live.
8. Cookies and local storage
The marketing site uses no third-party cookies. The dashboard sets a single Supabase auth cookie so you stay signed in. The Chrome extension stores your auth token and settings inchrome.storage.local— not in any cloud or sync layer.
9. Security
All traffic between the extension, backend, and Supabase is TLS. Your prompt data is row-level-secured in Supabase so only your account can read it. Service-role credentials are server-side only. We don’t store payment data — Stripe handles all of that.
10. Children
PrePrompt is not directed at children under 13 and we don’t knowingly collect their data. If you believe a child has signed up, email hello@preprompt.org and we’ll delete the account.
11. Changes to this policy
When this changes materially, we’ll bump the “Last updated” date at the top and email signed-up users for any change that affects what we collect or who we share it with.
12. Contact
Questions, requests, or concerns: hello@preprompt.org.
See also: our Terms of Service, the open-source code at github.com/Preprompt-ai/preprompt, and the on-page summary of our privacy story.