Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Clawctl, Inc. ("Clawctl," "Company," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use our platform, services, website, APIs, and documentation (collectively, the "Service").

This Policy applies to:

• Visitors to our website
• Users who register for or use the Service
• Individuals whose data may be processed by AI agents running on our platform
• Business contacts and prospective customers

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller and Contact Information

Clawctl, Inc. is the data controller responsible for your personal data under applicable data protection laws.

2.1 EU/EEA Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), we have appointed a representative in the European Union for data protection matters:

2.2 UK Representative

Pursuant to Article 27 of the UK GDPR, we have appointed a representative in the United Kingdom:

3. Data We Collect

3.1 Information You Provide Directly

3.2 Information Collected Automatically

3.3 Agent Audit Data

Note: Audit logs may contain personal data if your agents process such data. You are responsible for ensuring appropriate legal basis exists for processing personal data through your agents.

3.4 Information from Third Parties

We may receive information from:

• Identity providers: When you use SSO (name, email, organization)
• Payment processors: Transaction confirmations and fraud prevention data
• Analytics providers: Aggregated usage insights
• Public sources: Business contact information for sales purposes

3.5 Sensitive Personal Information (State Laws)

Under laws such as the CCPA/CPRA and other state privacy laws, certain categories of data are classified as "sensitive" personal information. The following table describes whether we collect these categories:

Residents of certain U.S. states may have the right to limit our use of sensitive personal information. To exercise that right or for more information, see Section 11 (Your Rights) or contact us at privacy@mg.clawctl.com.

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Delivery

• Providing, operating, and maintaining the Service
• Processing transactions and managing your account
• Enabling agent deployment and execution
• Generating and storing audit logs
• Providing technical support and responding to inquiries
• Decrypting and injecting your third-party integration credentials into your agent's secure runtime environment to enable MCP Integrations
• Configuring network egress rules to allow your agent to communicate with connected third-party services
• Running diagnostic commands, health checks, and monitoring operations on your tenant infrastructure to maintain service reliability, detect issues, and perform incident response
• Collecting system-level telemetry, container metrics, resource utilization data, and diagnostic logs from your tenant environment for capacity planning and service improvement
• Executing automated and manual maintenance operations including container restarts, redeployments, security patching, and recovery routines

4.2 Security and Compliance

• Detecting and preventing fraud, abuse, and security threats
• Enforcing our Terms of Service and Acceptable Use Policy
• Complying with legal obligations and responding to legal requests
• Conducting security audits and vulnerability assessments
• Performing health monitoring, diagnostics, and maintenance on tenant infrastructure, including executing commands within your tenant environment to investigate and resolve service issues (see Terms of Service Section 2.1)

4.3 Improvement and Analytics

• Analyzing usage patterns to improve the Service
• Conducting research and developing new features
• Generating aggregated, anonymized insights

4.4 Communications

• Sending service-related notifications (security alerts, updates, billing)
• Providing customer support
• Sending marketing communications (with consent where required), including product announcements, blog digests, educational content, promotional offers, and event invitations

4.5 Email Marketing Practices

We may use your email address to send marketing communications. Our email marketing practices comply with the CAN-SPAM Act, GDPR, CASL, and other applicable laws:

• Consent: We obtain consent before sending marketing emails where required by law. In the EU/EEA/UK, we rely on opt-in consent. In the US, we provide clear opt-out mechanisms in every marketing email.
• Opt-out: Every marketing email includes an unsubscribe link. Opt-out requests are honored within 10 business days. Opting out of marketing emails does not affect transactional service communications.
• Data collected: We may collect email open rates, click-through data, and engagement metrics to improve our communications. You may disable email tracking by configuring your email client to block remote images.
• Third-party processors: Marketing emails are sent through third-party email service providers who are bound by data processing agreements. See Section 6.1.
• No content selling: We do not sell, rent, or share your email address with third parties for their marketing purposes.

4.6 Website and Blog Analytics

When you visit our website, read our blog, or interact with our Published Content (as defined in our Terms of Service), we may collect:

• Pages viewed, time on page, and navigation paths (for content improvement)
• Referring URLs and search terms that led you to our content
• Device and browser information (for compatibility and optimization)
• Aggregated, anonymized engagement data (for content strategy)

Where practicable, this data is collected using privacy-preserving analytics that minimize or avoid the use of cookies and personally identifiable information. Blog and website analytics data is used solely to improve our content and user experience, not for advertising or profiling purposes.

4.7 Automated Security Assessment Processing

We periodically assess your agent configuration to generate security posture reports. This automated processing analyzes your policy settings, tool configurations, egress rules, and sandbox mode to identify potential security improvements. The resulting assessments are:

• Sent to your account email (unless you opt out in alert settings)
• Logged as audit events in your tenant's event history
• Not shared with third parties
• Not used for profiling or automated decision-making that produces legal effects

You can disable security assessment emails at any time via Settings → Alerts → Security Assessment Reports, or by contacting support@mg.clawctl.com.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

6. Data Sharing and Disclosure

We do not sell your personal data. We may share data in the following circumstances:

6.1 Service Providers

We engage trusted third-party service providers who process data on our behalf:

All service providers are contractually bound by data processing agreements that require them to:

• Process data only on our documented instructions
• Implement appropriate technical and organizational security measures
• Notify us promptly of data breaches
• Delete or return data upon termination of services
• Allow for audits and inspections

A current list of our subprocessors is available at clawctl.com/subprocessors. We will notify you via email at least 30 days before engaging a new subprocessor that processes personal data.

6.2 LLM Providers

6.3 Third-Party Services via MCP Integrations

Regarding MCP Integration data practices:

• Credential storage: Your third-party service credentials are stored encrypted (AES-256-GCM, per-field encryption with unique initialization vectors). Credentials are only decrypted within your agent's isolated runtime environment at deployment time.
• Credential masking: Our API never returns actual credential values — only boolean indicators of whether a credential field has been configured.
• OpenClaw execution: Once credentials are injected into the container, the OpenClaw framework (open-source software not developed or maintained by Clawctl) handles all MCP tool execution, including how credentials are used, what data is sent to third-party services, and how responses are processed. Clawctl does not warrant or assume responsibility for OpenClaw's handling of your credentials or data within the container runtime.
• No content inspection: Clawctl does not inspect, log, or store the content of data your agents or OpenClaw exchange with connected third-party services via MCP. We log metadata only (service identifiers, timestamps, tool invocation names) for audit and security purposes.
• Credential deletion: When you disconnect a third-party service, your encrypted credentials for that service are soft-deleted (disabled) and removed from your agent's runtime on the next redeployment.
• Your responsibility: You are responsible for understanding the privacy practices of each third-party service you connect and for ensuring that any personal data your agents or OpenClaw process through those services complies with applicable data protection laws.

6.4 Legal Requirements

We may disclose your data when required by law or in good faith belief that disclosure is necessary to:

• Comply with legal obligations, court orders, or legal process
• Protect the rights, property, or safety of Clawctl, our users, or the public
• Enforce our Terms of Service
• Detect, prevent, or address fraud, security, or technical issues
• Cooperate with law enforcement authorities investigating suspected illegal activity conducted through or in connection with the Service, including preserving and disclosing account data, usage logs, and agent activity records as permitted or required by applicable law

6.5 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred to the acquiring entity. We will provide notice and, where required by law, obtain your consent.

6.6 With Your Consent

We may share your data with third parties when you have given explicit consent.

7. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.

For transfers from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) where applicable
• Other lawful transfer mechanisms recognized by applicable law

You may request a copy of the safeguards we use by contacting us at privacy@mg.clawctl.com.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.

After the retention period, data is securely deleted or anonymized. We may retain aggregated, anonymized data indefinitely for analytics and research.

8.1 Data Retention After Account Termination

When your subscription is canceled:

Grace Period (30 days):

• Your account enters "suspended" status
• All running agents are stopped immediately (no compute charges)
• Your data remains accessible in read-only mode
• You may reactivate your subscription to restore full access

After Grace Period (30+ days):

• Tenant infrastructure is permanently deleted
• Agent configurations and workspace data are deleted
• Audit logs are deleted (or anonymized)
• Billing records retained 7 years (tax compliance)

Plan Downgrade:

• Excess agents are stopped immediately
• Stopped agent configurations retained for 7 days
• After 7 days, stopped agent infrastructure is deleted
• Agent configuration data is preserved for potential reactivation

Payment Failure:

• Agents are stopped but not deleted
• Data is fully preserved during the recovery period
• Service is automatically restored when payment succeeds

You may request data export before account deletion. See our Terms of Service for data export procedures.

9. Data Security

We implement comprehensive security measures to protect your data:

9.1 Technical Safeguards

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Per-field AES-256-GCM encryption with unique initialization vectors for all third-party integration credentials (MCP), ensuring each credential is independently encrypted and authenticated
• Secure secrets management with hardware security modules (HSM)
• Network segmentation and firewall protection
• Egress filtering for MCP Integrations — agent containers can only communicate with explicitly declared API domains for each connected third-party service
• Regular security assessments and penetration testing
• Intrusion detection and monitoring systems
• Automated vulnerability scanning

9.2 Organizational Safeguards

• Role-based access controls with least-privilege principle
• Employee background checks and security training
• Incident response procedures
• Vendor security assessments
• SOC 2 Type II certification (targeted)

9.3 Data Isolation

Tenant data is logically isolated within the Service. Workspace content (agent-generated files, uploaded documents) is stored in per-tenant directories. API credentials and third-party integration secrets are encrypted on a per-tenant basis using AES-256-GCM with unique initialization vectors.

The Service operates on shared infrastructure with logical isolation controls. Physical separation of tenant environments is not guaranteed. While we implement reasonable technical measures to enforce tenant boundaries, absolute isolation cannot be guaranteed on shared infrastructure.

9.4 Data Categories and Protection Levels

We distinguish between the following categories of tenant data, each subject to different isolation and encryption measures:

• Account data (email address, billing information): Stored in a shared database with row-level tenant isolation. Billing data is processed by our third-party payment processor (Stripe).
• Configuration data (API keys, channel settings, MCP integration credentials): Encrypted at rest using per-tenant AES-256-GCM encryption. Decrypted only within the tenant's isolated runtime environment at deployment time.
• Workspace data (agent-generated files, uploaded documents, knowledge base content): Stored in per-tenant directories with logical access controls. Subject to tenant isolation measures described in Section 9.3.

9.5 User-Configurable Security Settings

The Service provides user-configurable security settings, including Sandbox Mode, that affect the security posture of your agent runtime environment. When you reduce sandbox protections (e.g., changing Sandbox Mode from "always" to "non-main" or "never"), your agents may operate with broader access to system resources, including but not limited to network access, file system operations, code execution, and environment variables that may contain secrets or personal data.

Your security configuration choices may affect the level of data protection within your agent environment. You are responsible for selecting security settings appropriate for the sensitivity of the data your agents process. The Service displays warnings within the dashboard when you reduce security protections. These in-product notices supplement but do not replace your obligation to independently evaluate the data protection implications of your configuration choices. Clawctl does not monitor or override your security configuration choices and is not responsible for data exposure or security incidents resulting from your chosen configuration. See our Terms of Service (Section 4.6) for full details on Security Configuration Settings responsibilities.

9.6 Breach Notification and Incident Response

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Report to relevant supervisory authorities as required by law
• Provide details about the breach and recommended protective actions

The 72-hour notification window applies to confirmed unauthorized access to personal data, as defined by applicable data protection law (including GDPR Article 33). It does not apply to infrastructure events (such as configuration errors, service disruptions, or isolation defects) that are detected and remediated before any confirmed unauthorized access to personal data occurs. We maintain internal incident response procedures to evaluate, contain, and remediate infrastructure events promptly, regardless of whether they meet the threshold for breach notification.

Limitation of liability for security incidents, including data breaches, is set forth in our Terms of Service.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service.

Where practicable, we use first-party, privacy-preserving analytics that avoid or minimize cookies and do not collect personally identifiable information, in line with our commitment to GDPR-friendly practices.

We obtain your consent for non-essential cookies (such as analytics) through a cookie banner or consent preferences when you first visit our website, where required by law. Essential cookies necessary for authentication, security, and core site functionality are used without consent where permitted by applicable law.

10.1 Types of Cookies

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality. We honor "Do Not Track" browser signals where technically feasible.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

11.1 GDPR Rights (EEA, UK, Switzerland)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format (JSON and/or CSV)
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time (where applicable)
• Automated Decisions: Not be subject to solely automated decision-making with legal effects (see Section 11.5)
• Complaint: Lodge a complaint with your supervisory authority

11.2 CCPA/CPRA Rights (California Residents)

• Know: What personal information we collect and how it's used
• Delete: Request deletion of your personal information
• Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data)
• Non-Discrimination: Not be discriminated against for exercising your rights
• Correct: Request correction of inaccurate information
• Limit Use: Limit use of sensitive personal information

California "Shine the Light" Disclosure: California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Authorized Agents: California residents may designate an authorized agent to make requests on their behalf. Authorized agents must provide proof of authorization (such as a power of attorney or signed written permission) and we may require identity verification from both the agent and the consumer.

11.3 Virginia, Colorado, Connecticut, Texas, and Other State Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPA), and other U.S. states with comprehensive privacy laws may have similar rights including:

• Right to access, correct, and delete personal data
• Right to data portability
• Right to opt out of targeted advertising, sale of personal data, and profiling
• Right to appeal our decisions regarding your privacy requests

To appeal a decision regarding your privacy request, contact privacy@mg.clawctl.com with the subject line "Privacy Request Appeal."

11.4 Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of their personal information. While we do not currently sell personal information as defined under Nevada law (NRS 603A), you may submit an opt-out request to privacy@mg.clawctl.com with the subject line "Nevada Opt-Out Request."

11.5 Automated Decision-Making and Profiling

We do not currently use fully automated decision-making (including profiling) that produces legal effects or similarly significant effects on you without human involvement. Our Service enables you to deploy AI agents, but these agents operate under your control and direction.

If we implement automated decision-making in the future that affects your rights, we will:

• Provide clear notice before such processing
• Implement appropriate safeguards
• Provide a mechanism to request human review of decisions

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@mg.clawctl.com.

13. AI Agent Data Processing Notice

13.1 Your Responsibilities as Data Controller

When your agents process personal data, you are responsible for:

• Establishing a lawful basis for processing
• Providing privacy notices to data subjects
• Responding to data subject requests
• Conducting data protection impact assessments where required
• Ensuring appropriate safeguards for sensitive data
• Complying with all applicable data protection laws

13.2 Data Processing Agreement

Customers whose agents process personal data may request a Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements. Contact legal@mg.clawctl.com to request a DPA.

13.3 User Breach Notification Obligation

You must notify Clawctl within 24 hours of becoming aware of any personal data breach involving data processed by your agents on our platform, to enable us to fulfill our obligations under applicable data protection laws. Notification should be sent to privacy@mg.clawctl.com.

13.4 Audit Log Considerations

Audit logs capture data processed by your agents, including potentially personal data. You should consider:

• Whether audit log retention aligns with your data minimization obligations
• How to respond to data subject access requests for audit log data
• Implementing appropriate access controls for audit log data

14. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Notify you via email or prominent notice on our website at least 30 days before material changes take effect
• Where required by law, obtain your consent to material changes
• Maintain archived versions of previous policies available upon request

Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy. If you do not agree with changes, you should stop using the Service before the changes take effect.

15. Do Not Track Signals

Some web browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to have your online activity tracked. There is currently no universally accepted standard for how companies should respond to DNT signals. We currently respond to DNT signals by limiting non-essential tracking when technically feasible, but some features may require cookies to function.

We also recognize the Global Privacy Control (GPC) signal where required by applicable law. When we detect a GPC signal, we will treat it as a valid opt-out request for the sale/sharing of personal information under applicable state laws.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EEA/UK residents, you have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns. A list of EU data protection authorities can be found at:https://edpb.europa.eu/about-edpb/about-edpb/members_en

For UK residents, you may contact the Information Commissioner's Office (ICO) at:https://ico.org.uk