Privacy

Privacy and Action Data

Runmote connects a user's ChatGPT or GPT Actions workflow to their Runmote account and, in future, their trusted local devices. The current fixed endpoint API-key mode is private testing only; dynamic direct local sessions remain supported.

Runmote Actions Action data OAuth future

Runmote GPT Actions

Two setup modes stay separate.

Fixed endpoint private API-key mode

Schema
https://action.runmote.com/openapi.api-key.json
Auth
Authorization: Bearer ACTION_API_KEY
Key management
/settings/action-keys

Current behavior is readiness plus disabled/noop requests only. It does not perform real dispatch, relay mutation, queue work, or Codex execution.

Dynamic direct mode

Dynamic direct mode remains supported for a local session or reservation started by the user. It uses values printed by the local command, not Web Action keys.

  • Command: runmote action-info --show-token
  • Schema placeholder: ACTION_SCHEMA_URL
  • Header: X-Runmote-Agent-Token
  • Value placeholder: ACTION_AUTH_TOKEN

Data ChatGPT may send

  • Action operation name.
  • Bounded user intent or instructions.
  • Optional safe metadata.
  • Readiness or request parameters.
  • No need to include credential values in chat.

Data Runmote stores today

  • Account/profile data needed for login.
  • Paired device metadata.
  • Heartbeat, session, and reservation summaries.
  • ActionInvocation ledger rows.
  • Action API key hashes, prefixes, scopes, and metadata.
  • Audit events and release/update-check metadata.

Data Runmote does not store today

  • Raw Action API keys after one-time display.
  • Dynamic ACTION_AUTH_TOKEN or X-Runmote-Agent-Token values.
  • Raw device credential tokens.
  • Raw instructions in noop fixed endpoint acceptance.
  • APP_KEY, database, or admin-only configuration values in reports or docs.

Local devices

What is sent to local devices?

Current fixed endpoint private API-key mode does not call relay/client/agent or local devices. Dynamic direct mode can route through relay/client/agent to the local runtime when the user starts local Runmote. Future OAuth/official Action flow will still require device routing and safety gates.

OAuth future

Account linking is planned, not live.

OAuth/account linking will map a GPT caller to a Runmote user. Callback URL handling comes from GPT Builder, and consent, scopes, revocation, and connected-GPT settings will be documented before any public launch.

Artifacts and previews

Future artifacts are deferred.

Screenshots, artifacts, logs, preview URLs, retention windows, revoke controls, and deletion behavior are future scope. They are not part of the current fixed endpoint private testing mode.

Revocation and deletion

Controls stay account-owned.

  • Revoke Action API keys at /settings/action-keys.
  • Revoke paired devices from the authenticated device detail pages.
  • OAuth connected GPT revocation is planned for a future settings page.
  • Account and data deletion support will be documented on runmote.com when available.