1. Information We Collect
Information You Provide
- Account Information: Email address and name when you create an account
- Payment Information: Billing details processed securely by our third-party payment processor (we do not store full credit card numbers)
- Configuration Data: Settings and preferences for your OpenClaw instance
Information Collected Automatically
- Usage Data: Instance uptime, resource usage metrics, and service performance data
- Technical Data: IP address, browser type, and device information for security and troubleshooting
What We Do NOT Collect
- Conversation Content: We do not read, store, or analyze your conversations with your AI assistant
- API Keys in Plaintext: Your AI provider API keys are encrypted at rest and never stored in plaintext
- Third-Party Credentials: Any credentials you provide for integrations are encrypted and only used to provide the Service
2. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account creation, service delivery | Contract Performance — Necessary to provide the Service you requested |
| Payment processing | Contract Performance — Necessary to fulfill our billing obligations |
| Security monitoring, fraud prevention | Legitimate Interest — To protect the Service and users |
| Product improvement, analytics | Legitimate Interest — To improve our Service |
| Marketing communications | Consent — Only with your explicit opt-in |
| Legal compliance, responding to lawful requests | Legal Obligation — Required by applicable law |
3. How We Use Information
We use the information we collect to:
- Provide the Service: Host and maintain your OpenClaw instance
- Process Payments: Handle subscription billing and invoicing
- Communicate With You: Send important updates about the Service, security notices, and support responses
- Improve the Platform: Analyze aggregate usage patterns to enhance performance and features
- Ensure Security: Detect and prevent fraud, abuse, and security threats
- Comply With Law: Meet legal obligations and respond to lawful requests
We do not sell your personal information to third parties.
4. Data Storage and Security
Isolated Infrastructure
Each ClawBase instance runs in a completely isolated container. Your data, configurations, and activities are separated from all other users on our platform.
Encryption
- All data is encrypted in transit using TLS/SSL
- Sensitive data, including API keys, is encrypted at rest
- We use industry-standard encryption algorithms
Secure Infrastructure
Our infrastructure is hosted on enterprise-grade cloud providers with robust security measures, including firewalls, intrusion detection, and regular security audits.
5. Third-Party Services
ClawBase integrates with and shares data with the following categories of third-party services:
| Service Category | Data Shared | Purpose |
|---|---|---|
| Payment Processor (Polar, Stripe) | Name, email, billing address, payment method | Subscription billing, fraud prevention |
| Cloud Infrastructure (Fly.io, AWS) | All data stored on servers (encrypted) | Hosting your OpenClaw instance |
| AI Providers (Anthropic, OpenAI, OpenRouter) | Conversation content (via your API key) | AI model inference |
| Chat Platforms (Telegram, Slack, Discord, WhatsApp) | Messages, user identifiers on those platforms | Enabling chat integrations |
AI Provider Data Handling: When you use your AI assistant, your conversations are processed by your chosen AI provider using your own API key. ClawBase does not store or access your conversation content. Each AI provider has their own privacy policies:
We Do Not Sell Your Data: ClawBase does not sell, rent, or trade your personal information to third parties for their marketing purposes.
6. International Data Transfers
ClawBase is based in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our servers or service providers are located.
For EEA/UK Users: When we transfer personal data outside the EEA or UK, we implement appropriate safeguards to ensure your data remains protected, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with adequacy decisions from the European Commission
- Other legally approved transfer mechanisms
You may request a copy of the safeguards we use by contacting us at privacy@clawbase.ai.
7. Data Retention
We retain your data only as long as necessary for the purposes described in this policy. Specific retention periods:
| Data Category | Retention Period |
|---|---|
| Account information (email, name) | Duration of account + 30 days after deletion request |
| Configuration data | Duration of account + 30 days after deletion |
| Billing/payment records | 7 years (legal/tax requirements) |
| Usage logs (IP, browser) | 12 months (security purposes) |
| Support communications | 3 years from last contact |
| Backups (disaster recovery) | 30 days rolling retention |
After Cancellation: When you cancel your account, we delete your OpenClaw instance and associated configuration within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (such as resolving disputes).
Refunds: If you request a refund within the 7-day guarantee period, your account and data are deleted immediately upon processing the refund.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal information we hold about you
- Portability: Request an export of your data in a structured, machine-readable format
- Rectification: Update or correct inaccurate information
- Erasure: Request deletion of your account and associated data
- Restriction: Request that we limit how we use your data
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for processing based on consent (such as marketing emails)
To exercise these rights, contact us at privacy@clawbase.ai. We will respond to verified requests within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.
Categories of Information Collected
In the past 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, IP address, account ID
- Commercial Information: Subscription records, billing history
- Internet Activity: Browsing history on our site, interaction with our Service
- Geolocation: Approximate location based on IP address
Your California Rights
- Right to Know: Request information about what personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the “sale” or “sharing” of personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
We Do Not Sell Your Personal Information. ClawBase does not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
Sensitive Personal Information
Under the CPRA, “sensitive personal information” includes data like Social Security numbers, precise geolocation, racial or ethnic origin, and health information. ClawBase does not knowingly collect sensitive personal information as defined under the CPRA. If you believe we have inadvertently collected sensitive personal information, please contact us immediately.
How to Exercise Your Rights
California residents may submit requests using any of these methods:
- Email: privacy@clawbase.ai
- Account Dashboard: Submit a request through your account settings
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. To do so, the authorized agent must provide: (a) written permission signed by you authorizing the agent to act on your behalf, and (b) verification of their own identity. We may contact you directly to verify the request. If the authorized agent has power of attorney under California Probate Code sections 4000-4465, we may require the agent to provide proof of such power of attorney.
10. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).
Your GDPR Rights
In addition to the rights listed in Section 8, you have the right to:
- Object to Processing: Object to processing based on our legitimate interests, including direct marketing
- Automated Decision-Making: We do not engage in automated decision-making with legal or similarly significant effects
- Lodge a Complaint: File a complaint with your local data protection supervisory authority
Data Controller
Flame Lab LLC (d/b/a ClawBase) is the data controller for personal data collected through the Service. You can contact us at:
Flame Lab LLC (Data Controller)
1204 Main St #906
Branford, CT 06405, United States
Email: privacy@clawbase.ai
Supervisory Authority
If you are not satisfied with how we handle your data or respond to your requests, you have the right to lodge a complaint with your local data protection authority. A list of EEA data protection authorities can be found at https://edpb.europa.eu.
11. Brazil Privacy Rights (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (“LGPD”) provides you with specific rights regarding your personal data.
Your LGPD Rights
Under the LGPD, you have the right to:
- Confirmation: Confirm whether we process your personal data
- Access: Access your personal data
- Correction: Correct incomplete, inaccurate, or outdated data
- Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data
- Portability: Request data portability to another service provider
- Deletion: Request deletion of data processed with your consent
- Information: Receive information about third parties with whom we share your data
- Consent Revocation: Revoke consent at any time
- Opposition: Object to processing that violates the LGPD
- Automated Decisions: Request review of decisions made solely based on automated processing
Legal Basis for Processing
We process your personal data based on the following legal bases under the LGPD: (i) performance of a contract; (ii) compliance with legal obligations; (iii) legitimate interests; and (iv) your consent, where applicable.
To exercise your LGPD rights, contact us at privacy@clawbase.ai. We will respond to your request within the timeframe required by applicable law.
13. Marketing Communications
We may send you marketing communications about our products, services, and updates. However, we will only do so with your explicit consent (opt-in).
Types of Communications
- Transactional Emails: Account confirmations, password resets, billing receipts, and service announcements. These are necessary for the Service and cannot be opted out of while your account is active.
- Marketing Emails: Product updates, newsletters, and promotional content. These require your explicit opt-in and you can unsubscribe at any time.
How to Opt Out
You can opt out of marketing communications at any time by:
- Clicking the “unsubscribe” link at the bottom of any marketing email
- Updating your preferences in your account settings
- Contacting us at privacy@clawbase.ai
We will process your opt-out request within 10 business days. Please note that opting out of marketing emails will not affect transactional emails related to your account.
14. Children's Privacy
ClawBase is not intended for use by children under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@clawbase.ai, and we will delete such information promptly.
15. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Sending an email to your registered address
- Posting a prominent notice on our website or within the Service
- Updating the “Last Updated” date at the top of this policy
Your continued use of the Service after any changes constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service.
We review and update this Privacy Policy at least annually to ensure accuracy and compliance with applicable laws.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using any of the methods below:
Flame Lab LLC (d/b/a ClawBase)
1204 Main St #906
Branford, CT 06405
United States
Privacy inquiries: privacy@clawbase.ai
General support: support@clawbase.ai
Account dashboard: Submit privacy requests through your account settings
We aim to respond to all privacy-related inquiries within 30 days (or sooner where required by applicable law).
Response Timeframes by Jurisdiction
| Jurisdiction | Response Time |
|---|---|
| California (CCPA/CPRA) | 45 days (extendable by 45 days) |
| EU/UK (GDPR) | 30 days (extendable by 60 days) |
| Brazil (LGPD) | 15 days |