Legal

Privacy Policy

Last updated: March 17, 2026

1. Information We Collect

Account Information: When you create an account, we collect your email address, display name, and password hash. If you sign up via Google OAuth, we receive your name and email from Google.

Billing Information: Payment processing is handled by Paddle, our Merchant of Record. We do not store your full credit card number. Paddle acts as the seller of record for all transactions and handles payment routing, VAT/sales tax compliance, and invoicing on our behalf. We retain transaction records including amounts, dates, and plan details.

Usage Data: We collect aggregated usage metrics including API token counts, message volumes, and feature usage patterns. This data is used to improve the Service and for billing purposes.

Technical Data: We automatically collect IP addresses, browser type, device information, and access timestamps for security and analytics purposes.

2. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process payments and manage subscriptions
  • To send transactional emails (account verification, password resets, billing receipts)
  • To detect and prevent fraud, abuse, and security threats
  • To provide customer support
  • To send product updates and announcements (with opt-out option)

3. AI Conversation Data

Your AI assistant conversations are processed through your deployed OpenClaw instance. We do not read, analyze, or train on your conversation data. When using the AI Model Proxy, conversations are forwarded to the selected AI provider (e.g., OpenAI, Anthropic, DeepSeek) subject to their respective privacy policies. We log only token counts for billing purposes, not conversation content.

4. Data Sharing

We do not sell your personal information. We share data only with:

  • Paddle: Merchant of Record for subscription billing, VAT/tax compliance, and payment processing
  • AI Providers: When using the AI Model Proxy (conversation data forwarded to selected provider)
  • Infrastructure Providers: Cloud hosting services that store your instance data
  • Law Enforcement: When required by valid legal process

5. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), regular security audits, and access controls. API keys are stored encrypted and never exposed in logs or analytics.

6. Data Retention

Account data is retained for the duration of your account. Usage logs are retained for 90 days. Billing records are retained for 7 years as required by tax regulations. Upon account deletion, personal data is purged within 30 days, with billing records anonymized and retained as required by law.

7. Your Rights

7.1 For All Users

Regardless of your location, you may:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and data
  • Export your data in a portable format
  • Opt out of marketing communications

7.2 European Economic Area (GDPR)

If you are in the EEA, UK, or Switzerland, you additionally have the right to:

  • Withdraw consent for optional data processing at any time
  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Lodge a complaint with your local Data Protection Authority
  • Request data portability in a machine-readable format

Our legal bases for processing are: (a) performance of contract (providing the Service), (b) legitimate interests (security, fraud prevention, service improvement), and (c) consent (analytics and marketing cookies).

7.3 California Residents (CCPA)

California residents have the right to:

  • Know what personal information is collected and how it is used
  • Request deletion of personal information
  • Opt out of the sale of personal information (we do not sell personal data)
  • Non-discrimination for exercising CCPA rights

To exercise any of these rights, contact us at support@clawserve.cloud. We will respond within 30 days (or sooner as required by law).

8. Cookies

We use cookies and similar technologies to operate the Service. You can manage your preferences via the cookie consent banner shown on your first visit.

8.1 Essential Cookies

Required for authentication, session management, security tokens, and basic site functionality. These cannot be disabled.

  • sb-* — Supabase authentication session
  • clawserve-cookie-consent — Stores your cookie preferences

8.2 Analytics Cookies

Help us understand how visitors interact with the site. Data is anonymized and aggregated. Only enabled with your consent.

  • _ga, _ga_* — Google Analytics (if enabled)

8.3 Marketing Cookies

Used to deliver relevant advertisements and measure campaign effectiveness. Only enabled with your consent.

8.4 Managing Cookies

You can change your cookie preferences at any time via your browser settings or by clearing the clawserve-cookie-consent entry from your browser's local storage (this will re-trigger the consent banner).

9. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU data transfers.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will promptly delete the data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance.

12. Contact

For privacy-related inquiries, contact our Data Protection Officer at support@clawserve.cloud.