Privacy Policy

Last Updated: January 27, 2026 | Effective Date: January 27, 2026

Your Privacy Matters

Clawctl is designed to provide secure infrastructure for AI agents. We are committed to protecting your personal data and being transparent about our data practices. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Clawctl, Inc. ("Clawctl," "Company," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use our platform, services, website, APIs, and documentation (collectively, the "Service").

This Policy applies to:

  • Visitors to our website
  • Users who register for or use the Service
  • Individuals whose data may be processed by AI agents running on our platform
  • Business contacts and prospective customers

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller and Contact Information

Clawctl, Inc. is the data controller responsible for your personal data under applicable data protection laws.

Data Controller:

Clawctl, Inc.

251 Little Falls Drive

Wilmington, DE 19808, United States

Email: privacy@mg.clawctl.com

Data Protection Officer: dpo@mg.clawctl.com

2.1 EU/EEA Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), we have appointed a representative in the European Union for data protection matters:

EU Representative Contact: eu-rep@mg.clawctl.com

Note: The EU representative can only be contacted for matters relating to the processing of personal data of individuals in the EU/EEA.

2.2 UK Representative

Pursuant to Article 27 of the UK GDPR, we have appointed a representative in the United Kingdom:

UK Representative Contact: uk-rep@mg.clawctl.com

Note: The UK representative can only be contacted for matters relating to the processing of personal data of individuals in the United Kingdom.

3. Data We Collect

3.1 Information You Provide Directly

| Category | Examples |
|---|---|
| Account Information | Name, email address, password (hashed), organization name, job title |
| Billing Information | Payment method details, billing address, transaction history (processed via secure third-party payment processors) |
| Communication Data | Support tickets, emails, chat messages, feedback, survey responses |
| Configuration Data | Agent policies, permissions, guardrails settings, integration configurations |

3.2 Information Collected Automatically

| Category | Examples |
|---|---|
| Usage Data | Features accessed, actions performed, timestamps, session duration, API calls |
| Device Information | IP address, browser type, operating system, device identifiers |
| Log Data | Server logs, error reports, performance metrics |
| Cookies and Tracking | Session cookies, authentication tokens, analytics identifiers (see Section 10) |

3.3 Agent Audit Data

Important Notice About AI Agent Data

When you use our Service to run AI agents, we collect and store comprehensive audit logs to enable security monitoring, debugging, and compliance. This data may include prompts, model outputs, tool calls, and interactions with external services.

| Category | Examples |
|---|---|
| Agent Execution Logs | Prompts sent to LLMs, model responses, tool invocations, execution timestamps |
| Approval Records | Actions submitted for approval, approver decisions, timestamps |
| Integration Metadata | External services accessed, API endpoints called, data transferred (metadata only) |
| Security Events | Policy violations, blocked actions, kill switch activations, anomaly detections |

Note: Audit logs may contain personal data if your agents process such data. You are responsible for ensuring appropriate legal basis exists for processing personal data through your agents.

3.4 Information from Third Parties

We may receive information from:

  • Identity providers: When you use SSO (name, email, organization)
  • Payment processors: Transaction confirmations and fraud prevention data
  • Analytics providers: Aggregated usage insights
  • Public sources: Business contact information for sales purposes

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Delivery

  • Providing, operating, and maintaining the Service
  • Processing transactions and managing your account
  • Enabling agent deployment and execution
  • Generating and storing audit logs
  • Providing technical support and responding to inquiries

4.2 Security and Compliance

  • Detecting and preventing fraud, abuse, and security threats
  • Enforcing our Terms of Service and Acceptable Use Policy
  • Complying with legal obligations and responding to legal requests
  • Conducting security audits and vulnerability assessments

4.3 Improvement and Analytics

  • Analyzing usage patterns to improve the Service
  • Conducting research and developing new features
  • Generating aggregated, anonymized insights

4.4 Communications

  • Sending service-related notifications (security alerts, updates, billing)
  • Providing customer support
  • Sending marketing communications (with consent where required)

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Providing the Service, processing payments, customer support |
| Legitimate Interests | Security monitoring, fraud prevention, service improvement, analytics |
| Legal Obligation | Tax compliance, responding to legal requests, regulatory requirements |
| Consent | Marketing communications, optional analytics, cookies (where required) |

6. Data Sharing and Disclosure

We do not sell your personal data. We may share data in the following circumstances:

6.1 Service Providers

We engage trusted third-party service providers who process data on our behalf:

| Category | Purpose |
|---|---|
| Cloud Infrastructure | Hosting, storage, compute resources, content delivery |
| Payment Processors | Billing, payment processing, fraud prevention (Stripe) |
| Analytics | Usage analytics, performance monitoring, error tracking |
| Communication | Email delivery, support ticketing, notifications |
| Security | Threat detection, DDoS protection, vulnerability scanning |
| Identity Verification | SSO integration, authentication services |

All service providers are contractually bound by data processing agreements that require them to:

  • Process data only on our documented instructions
  • Implement appropriate technical and organizational security measures
  • Notify us promptly of data breaches
  • Delete or return data upon termination of services
  • Allow for audits and inspections

6.2 LLM Providers

Critical: LLM Data Sharing

When your AI agents send prompts to LLM providers (Anthropic, OpenAI, or others), that data is transmitted to and processed by those providers according to their respective privacy policies. Clawctl does not control how LLM providers process your data. You are responsible for understanding and accepting the privacy implications of using BYOK (Bring Your Own Key) with third-party LLM providers.

6.3 Legal Requirements

We may disclose your data when required by law or in good faith belief that disclosure is necessary to:

  • Comply with legal obligations, court orders, or legal process
  • Protect the rights, property, or safety of Clawctl, our users, or the public
  • Enforce our Terms of Service
  • Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred to the acquiring entity. We will provide notice and, where required by law, obtain your consent.

6.5 With Your Consent

We may share your data with third parties when you have given explicit consent.

7. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Other lawful transfer mechanisms recognized by applicable law

You may request a copy of the safeguards we use by contacting us at privacy@mg.clawctl.com.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.

| Data Category | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion request |
| Audit Logs | Per subscription plan (7 days - 2+ years) |
| Billing Records | 7 years (legal requirement) |
| Security Logs | 1 year minimum (security purposes) |
| Support Communications | 3 years after resolution |
| Marketing Data | Until consent withdrawn + 30 days |
| Suspended Account Data | 30 days from suspension, then deleted |
| Stopped Agent Configurations | 7 days from stop event (downgrade), then deleted |
| Agent Container Resources | Deleted immediately on cancellation/stop |

After the retention period, data is securely deleted or anonymized. We may retain aggregated, anonymized data indefinitely for analytics and research.

8.1 Data Retention After Account Termination

When your subscription is canceled:

Grace Period (30 days):

  • Your account enters "suspended" status
  • All running agents are stopped immediately (no compute charges)
  • Your data remains accessible in read-only mode
  • You may reactivate your subscription to restore full access

After Grace Period (30+ days):

  • Tenant infrastructure is permanently deleted
  • Agent configurations and workspace data are deleted
  • Audit logs are deleted (or anonymized)
  • Billing records retained 7 years (tax compliance)

Plan Downgrade:

  • Excess agents are stopped immediately
  • Stopped agent configurations retained for 7 days
  • After 7 days, stopped agent infrastructure is deleted
  • Agent configuration data is preserved for potential reactivation

Payment Failure:

  • Agents are stopped but not deleted
  • Data is fully preserved during the recovery period
  • Service is automatically restored when payment succeeds

You may request data export before account deletion. See our Terms of Service for data export procedures.

9. Data Security

We implement comprehensive security measures to protect your data:

9.1 Technical Safeguards

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure secrets management with hardware security modules (HSM)
  • Network segmentation and firewall protection
  • Regular security assessments and penetration testing
  • Intrusion detection and monitoring systems
  • Automated vulnerability scanning

9.2 Organizational Safeguards

  • Role-based access controls with least-privilege principle
  • Employee background checks and security training
  • Incident response procedures
  • Vendor security assessments
  • SOC 2 Type II certification (targeted)

9.3 Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify affected users within 72 hours of becoming aware of the breach
  • Report to relevant supervisory authorities as required by law
  • Provide details about the breach and recommended protective actions

No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You acknowledge that you transmit data at your own risk.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service.

10.1 Types of Cookies

| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, core functionality | Session / 1 year |
| Functional | Preferences, language settings | 1 year |
| Analytics | Usage patterns, performance monitoring | 2 years |

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality. We honor "Do Not Track" browser signals where technically feasible.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

11.1 GDPR Rights (EEA, UK, Switzerland)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (where applicable)
  • Automated Decisions: Not be subject to solely automated decision-making with legal effects (see Section 11.5)
  • Complaint: Lodge a complaint with your supervisory authority

11.2 CCPA/CPRA Rights (California Residents)

  • Know: What personal information we collect and how it's used
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data)
  • Non-Discrimination: Not be discriminated against for exercising your rights
  • Correct: Request correction of inaccurate information
  • Limit Use: Limit use of sensitive personal information

California "Shine the Light" Disclosure: California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Authorized Agents: California residents may designate an authorized agent to make requests on their behalf. Authorized agents must provide proof of authorization (such as a power of attorney or signed written permission) and we may require identity verification from both the agent and the consumer.

11.3 Virginia, Colorado, Connecticut, and Other State Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws may have similar rights including:

  • Right to access, correct, and delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising, sale of personal data, and profiling
  • Right to appeal our decisions regarding your privacy requests

To appeal a decision regarding your privacy request, contact privacy@mg.clawctl.com with the subject line "Privacy Request Appeal."

11.4 Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of their personal information. While we do not currently sell personal information as defined under Nevada law (NRS 603A), you may submit an opt-out request to privacy@mg.clawctl.com with the subject line "Nevada Opt-Out Request."

11.5 Automated Decision-Making and Profiling

We do not currently use fully automated decision-making (including profiling) that produces legal effects or similarly significant effects on you without human involvement. Our Service enables you to deploy AI agents, but these agents operate under your control and direction.

If we implement automated decision-making in the future that affects your rights, we will:

  • Provide clear notice before such processing
  • Implement appropriate safeguards
  • Provide a mechanism to request human review of decisions

To exercise your rights:

  • Email: privacy@mg.clawctl.com
  • Use the data management tools in your account settings
  • Submit a request through our support portal

Response Times:

  • GDPR requests: Within 30 days (extendable by 60 days for complex requests)
  • CCPA/CPRA requests: Within 45 days (extendable by 45 days with notice)
  • Other state law requests: As required by applicable law

Identity Verification: To protect your privacy, we must verify your identity before processing requests. This may include confirming your email address, account information, or providing additional documentation. We will not fulfill a request if we cannot verify your identity.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@mg.clawctl.com.

13. AI Agent Data Processing Notice

Special Considerations for AI Agent Data

AI agents running on Clawctl may process personal data belonging to third parties. If you deploy agents that process personal data, you act as a data controller for that processing and Clawctl acts as a data processor on your behalf.

13.1 Your Responsibilities as Data Controller

When your agents process personal data, you are responsible for:

  • Establishing a lawful basis for processing
  • Providing privacy notices to data subjects
  • Responding to data subject requests
  • Conducting data protection impact assessments where required
  • Ensuring appropriate safeguards for sensitive data
  • Complying with all applicable data protection laws

13.2 Data Processing Agreement

Enterprise customers may request a Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements. Contact legal@mg.clawctl.com to request a DPA.

13.3 Audit Log Considerations

Audit logs capture data processed by your agents, including potentially personal data. You should consider:

  • Whether audit log retention aligns with your data minimization obligations
  • How to respond to data subject access requests for audit log data
  • Implementing appropriate access controls for audit log data

14. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy
  • Notify you via email or prominent notice on our website at least 30 days before material changes take effect
  • Where required by law, obtain your consent to material changes
  • Maintain archived versions of previous policies available upon request

Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy. If you do not agree with changes, you should stop using the Service before the changes take effect.

15. Do Not Track Signals

Some web browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to have your online activity tracked. There is currently no universally accepted standard for how companies should respond to DNT signals. We currently respond to DNT signals by limiting non-essential tracking when technically feasible, but some features may require cookies to function.

We also recognize the Global Privacy Control (GPC) signal where required by applicable law. When we detect a GPC signal, we will treat it as a valid opt-out request for the sale/sharing of personal information under applicable state laws.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Clawctl, Inc.

251 Little Falls Drive

Wilmington, DE 19808, United States

Privacy Team: privacy@mg.clawctl.com

Data Protection Officer: dpo@mg.clawctl.com

EU Representative: eu-rep@mg.clawctl.com

UK Representative: uk-rep@mg.clawctl.com

General Inquiries: support@mg.clawctl.com

For EEA/UK residents, you have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns. A list of EU data protection authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

For UK residents, you may contact the Information Commissioner's Office (ICO) at: https://ico.org.uk

By using Clawctl, you acknowledge that you have read and understood this Privacy Policy.