Privacy Policy

1. Introduction

ClawHQ ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your data. By using ClawHQ, you consent to the practices described in this policy.

2. Data We Collect

We collect only the minimum data necessary to provide and improve the Service:

Account Data

• Full name
• Email address
• Password (stored as a cryptographic hash — we never store or have access to your plaintext password)
• Account creation date and subscription tier

Payment Data

All payment processing is handled by Razorpay. We receive confirmation of payment status and transaction IDs, but we never store, process, or have access to your credit card numbers, bank account details, or other payment instrument information. Please refer to Razorpay's Privacy Policy for details on how they handle your payment data.

Usage Data

• Login timestamps and IP addresses
• Feature usage metrics (e.g., which dashboard pages you visit, which actions you perform) — collected in anonymized, aggregated form
• Browser type and operating system (for compatibility purposes)

Support Data

• Support ticket content and any attachments you provide
• Communication history with our support team (email, in-app tickets)

3. Data We Do NOT Collect or Access

• Chat conversations — All messages between your users and your AI agents are stored on your VPS. We have no access to message content.
• Knowledge base documents — Any files, URLs, or text you upload to your knowledge base remain on your VPS. Embeddings are generated and stored locally.
• Agent configurations — Your agent prompts, personalities, model selections, and routing rules are stored on your VPS.
• Webhook payloads — Incoming and outgoing webhook data is processed and stored on your VPS.
• Audit logs — Activity logs generated by your OpenClaw instance stay on your VPS.
• API keys for third-party services — Any API keys you configure (e.g., OpenAI, Anthropic) are written directly to your VPS configuration and are not stored in our systems.

4. How We Use Your Data

We use the data we collect for the following purposes:

• Providing the Service: Creating and managing your account, provisioning your VPS, processing subscription payments.
• Service communications: Sending transactional emails (payment receipts, password resets, service alerts, maintenance notifications). We will never send marketing emails without your explicit opt-in consent.
• Support: Responding to your support tickets and troubleshooting issues.
• Improving the Service: Analyzing anonymized, aggregated usage patterns to improve features and user experience.
• Security: Detecting and preventing fraud, abuse, and unauthorized access.

5. Data Sharing

We share your personal data only when necessary to provide the Service:

• Payment processor (Razorpay): To process your subscription payments securely.
• Infrastructure provider: To provision and manage your dedicated VPS. We share only the minimum information required (e.g., server configuration parameters).
• DNS provider (Cloudflare): To configure your subdomain and SSL certificate.

We do not sell, rent, or trade your personal data to any third party. Ever.

We may disclose your data if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Cookies

We use only essential cookies required for the Service to function:

• Authentication cookies: To keep you signed in and maintain your session.
• Security cookies: To prevent cross-site request forgery (CSRF) and other attacks.

We do NOT use:

• Third-party tracking cookies
• Analytics cookies (e.g., Google Analytics)
• Advertising or retargeting cookies
• Social media tracking pixels

7. Data Retention

• Account data: Retained for as long as your account is active. After account deletion, your account data is permanently deleted within 30 days.
• VPS data: Upon account deletion or cancellation, your VPS and all data on it are permanently wiped within 48 hours.
• Support tickets: Automatically deleted 48 hours after ticket resolution. Active tickets are retained until resolved.
• Payment records: Transaction records may be retained for up to 7 years as required by applicable tax and financial regulations.
• Server logs: Access logs and error logs are retained for 30 days for security and debugging purposes, then automatically purged.

8. Your Rights

Regardless of where you are located, we provide the following rights to all users, consistent with GDPR, CCPA, and other applicable privacy regulations:

• Right to access: View all personal data we hold about you from your Account settings in the dashboard.
• Right to export: Download a copy of your data via Account → Data Export in the dashboard.
• Right to delete: Permanently delete your account and all associated data via Account → Delete Account. This action is irreversible.
• Right to correct: Update your name, email, and other personal information from Account settings at any time.
• Right to object: If you object to any specific data processing, contact us at support@clawhq.tech and we will address your concern promptly.
• Right to restrict processing: You may request that we limit the processing of your data in certain circumstances.

We will respond to all privacy-related requests within 30 days. No fee is charged for exercising these rights.

9. Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (SSL/TLS).
• Password hashing: Passwords are hashed using bcrypt with appropriate salt rounds. We never store plaintext passwords.
• Encrypted VPS credentials: SSH credentials and other sensitive VPS configuration data are encrypted at rest in our database.
• Regular updates: Security patches are applied to both the ClawHQ platform and customer VPS instances promptly.
• Isolated environments: Each customer runs on a dedicated VPS with its own firewall rules, ensuring complete isolation from other customers.

If you discover a security vulnerability, please report it responsibly to support@clawhq.tech. We appreciate responsible disclosure and will work to address any confirmed vulnerabilities promptly.

10. Children

ClawHQ is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@clawhq.tech.

11. International Data Transfers

Your account data is stored on servers managed by our infrastructure providers, which may be located in various regions globally. Your dedicated VPS may also be provisioned in a data center outside your country of residence. By using the Service, you consent to the transfer of your data to these locations. We ensure that all data transfers comply with applicable data protection laws and that adequate safeguards are in place.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email to the address associated with your account and a prominent notice on the dashboard. Non-material changes (e.g., clarifications, formatting) may be made without advance notice. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, concerns, or requests, please contact us at:

support@clawhq.tech