Privacy Policy
This policy explains what data Clawy collects, how it's used, and what rights you have over it. We aim for the minimum collection necessary to operate the service.
1. Who we are
Clawy is operated by the entity identified at contact (the "Company", "we", "us"). For questions about this policy, email privacy@clawy.io.
2. What we collect
2.1 Account data
- Email address — required if you sign up via magic link, used to log you in and notify you about your account.
- Wallet address — required if you sign in with Sign In With Ethereum.
- Display name — derived from your email by default; you can edit it in Settings.
- Account timestamps — when you signed up, last updated, when you accepted these terms.
2.2 Payment data
Card payments are processed by Stripe. We do not see, store, or transmit your card number, CVV, or expiration. Stripe returns us a customer ID and metadata about each completed payment (amount, timestamp, payment intent ID).
Crypto top-ups are settled on Base mainnet. We record the transaction hash, sender wallet address (visible on-chain), and the amount credited. Wallet-address data on-chain is public by design.
2.3 Bot configuration
- Bot tokens (Telegram, Discord, Slack, WhatsApp) — stored AES-256-GCM encrypted at rest, decrypted only at runtime, never logged.
- Bot metadata — name, platform, status, message counts.
2.4 Conversations
- Inbound messages from your bot's end-users — stored in our database for delivery and audit.
- Session context — cached in Redis with a 7-day TTL, then automatically deleted.
- Usage events — token counts and cost per request, kept for billing and quotas.
2.5 Operational data
- Server logs (request paths, status codes, timestamps), retained for up to 30 days.
- Distributed traces (OpenTelemetry) — sampled, no payload bodies.
- API keys you generate — stored as SHA-256 hashes; we never see the plaintext after creation.
3. Why we collect it
Lawful bases under GDPR Art. 6:
- Performance of contract — to deliver the service you signed up for (account, billing, bot routing).
- Legitimate interest — security monitoring, fraud prevention, debugging.
- Legal obligation — tax records, payment retention requirements.
- Consent — for any optional analytics or marketing emails (separate opt-in).
4. Who we share data with
We share the minimum necessary with the following processors:
- Stripe — card payment processing.
- Resend — sending transactional emails (magic links, receipts).
- Anthropic / OpenAI — LLM inference for your bot's responses (each message you send to a bot is forwarded to the LLM provider you've chosen).
- Cloud hosting — server provider hosting our infrastructure.
- Base mainnet — public blockchain for USDC top-ups; transactions are inherently public.
We never sell your personal data.
5. How long we keep data
- Account data — until you delete your account, then immediately scrubbed (subject to a 30-day grace period during which you can cancel deletion).
- Bot conversations — message records kept while the bot is active; cached session context auto-expires after 7 days.
- Payment records — kept for 7 years to satisfy tax and accounting laws.
- Server logs — 30 days.
6. Your rights
If you're in the EU, UK, or California, you have the right to:
- Access your data — download a JSON export from Settings.
- Rectify inaccurate data — edit your profile in Settings.
- Delete your account — request from Settings; we hard-delete within 30 days.
- Restrict or object to processing — contact privacy@clawy.io.
- Portability — the JSON export above is machine-readable.
- Lodge a complaint with your local data protection authority.
7. Security
- HTTPS for all traffic, enforced via HSTS.
- Bot credentials encrypted at rest with AES-256-GCM.
- API keys stored as SHA-256 hashes only.
- Stripe-hosted card vault — we never touch raw card data.
- Per-tenant runtime isolation for AI workloads.
- Strict Content Security Policy on the dashboard.
8. Cookies
We set only strictly necessary cookies (your session token, CSRF token). These are required for the service to function and don't require consent under EU ePrivacy rules. We do not use analytics or advertising cookies.
9. Children
Clawy is not directed at anyone under 16. If we learn we've collected data from a child under 16 without parental consent, we'll delete it.
10. Changes to this policy
Material changes will require you to re-accept the policy on next sign-in. Minor changes will be announced via the dashboard.
11. Contact
Privacy queries: privacy@clawy.io
General support: support@clawy.io