Privacy Policy

Effective: 28 April 2026

This Privacy Policy explains what personal data we (Claw64, operated by Claw 64 Limited) collect, why we collect it, how we use it, and the choices you have. It applies to claw64.com and the Service we provide there. If you don’t want to be bound by this policy, please don’t use the Service.

This policy is written to comply with the UK GDPR, the EU GDPR, and the Data Protection (Bailiwick of Guernsey) Law 2017. We are the “data controller” for personal data we hold about you in connection with the Service.

Service status — early access. Claw64 is in pre-launch. While in early access, the only personal data we currently hold about prospective customers is what is needed to take and reserve your spot: your Telegram chat ID and the messages you send to our bot, the email address Stripe captures at sign-up, and the Stripe authorisation reference (no funds are captured). We do not yet provision per-user virtual machines or mint per-user model API keys.

The data described in the rest of this policy — VM provider IDs, OpenRouter sub-keys, routing metadata, snapshots and so on — applies once your VM is activated and not before.

// CONTENTS

  1. A note on what your VM holds
  2. What we collect
  3. What we do not collect or have access to
  4. Why we use your data (lawful bases)
  5. Who we share data with
  6. Where data is processed
  7. How long we keep data
  8. Cookies & analytics
  9. Your rights
  10. Children
  11. Security
  12. Changes to this policy
  13. Contact & complaints

1. A note on what your VM holds

Most of the data your OpenClaw handles never reaches us. When you chat with your agent, it stores conversations, memories, workspace files, and any data you give it on your dedicated VM. That VM’s contents are not visible to us in normal operation. We do not read, index, or back up the working data inside your OpenClaw.

The data described in this policy is the data we, as the operator of the routing and provisioning service, necessarily handle to deliver the Service.

2. What we collect

Account & billing data

| Field | Why we have it |
| --- | --- |
| Email address | Account, transactional email, support, legal notices. |
| Telegram chat ID | To route messages to and from your VM via the brand bot. |
| Telegram username (if set) | Display only. Not load-bearing. |
| Country/region (inferred from IP) | Tax and consumer-rights compliance. |
| Stripe customer ID, subscription ID, last-4 of card | Billing reconciliation. Full card details are stored by Stripe, not by us. |

Service operations data

| Field | Why we have it |
| --- | --- |
| VM provider IDs (Hetzner server ID, IP, snapshot ID) | To provision, manage and recover your VM. |
| Per-user API keys we issue (router callback key; OpenRouter sub-key when applicable) | To authenticate VM↔router calls and meter LLM credit. |
| Server logs (timestamps, error codes, request paths, user-agent, IP) | Operational debugging, abuse detection, security. |
| Routing metadata for messages flowing through us (chat ID, message ID, size, type, timestamp) | To route the message and to investigate failures. We do not log message bodies in normal operation. |

Marketing & analytics data

If you arrived from an ad we ran on Meta, we may receive Meta-Pixel attribution information (a Meta-issued click ID and event metadata). On purchase we send Meta a server-side Conversion (CAPI) event so the ad system can attribute the conversion. We do not transmit your email or other directly-identifying data to Meta unless you have explicitly consented to do so via a clear cookie banner.

Things you send us

Anything you choose to put in support emails, contact forms, or feedback channels.

3. What we do not collect or have access to

  • The contents of conversations between you and your OpenClaw agent;
  • The memory, workspace, and skill state stored on your VM;
  • Any API keys, OAuth tokens, passwords, or credentials you place on your VM yourself;
  • Files, documents, or media stored on your VM that haven’t been routed through us;
  • Your full payment-card number or CVC (handled by Stripe).

We may, in narrow circumstances, gain access to VM contents: where required by a lawful order, where investigating a credible abuse report, or where necessary to protect the Service or other users (see Terms of Service Section 8). Any such access is logged.

4. Why we use your data (lawful bases)

| Purpose | Lawful basis |
| --- | --- |
| Provisioning your VM, routing messages, providing the Service | Performance of contract (the Terms). |
| Billing, refunds, dispute handling | Performance of contract; legal obligation (tax, accounting). |
| Logging for security, debugging, abuse prevention | Legitimate interests in operating a stable, secure service. |
| Sending transactional email (provisioning, payment receipts, security alerts) | Performance of contract. |
| Sending marketing email (if you have opted in) | Consent. You can withdraw at any time via the unsubscribe link. |
| Server-side Conversions API to ad platforms | Legitimate interests in measuring marketing, where allowed; consent where required by your jurisdiction. |
| Complying with court orders, law enforcement requests, regulatory obligations | Legal obligation. |

5. Who we share data with

We share personal data only with the parties below, and only to the extent strictly necessary:

  • Stripe — payment processing.
  • Telegram — you are messaging us via Telegram’s service; the platform itself sees the messages you send and receive.
  • Hetzner Online GmbH — hosts your dedicated VM and our routing infrastructure.
  • Cloudflare — DNS for our domains.
  • OpenRouter — where used to issue or meter the per-user model sub-key.
  • Anthropic, OpenAI, and other model providers — for any prompts or messages your agent sends to those providers using the API key configured on your VM.
  • Meta — conversion events, where consented to.
  • Email service provider for transactional and (where opted in) marketing email.
  • Professional advisers (lawyers, accountants) under duties of confidentiality.
  • Law enforcement, regulators, or courts where legally compelled.

We do not sell your personal data, and we do not share it for the targeted advertising of unrelated third parties.

6. Where data is processed

Our primary infrastructure is operated in the European Economic Area (Germany). Some service providers (notably Stripe, Meta) may process data outside the EEA/UK. Where transfers happen, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision, as applicable.

7. How long we keep data

| Data | Retention |
| --- | --- |
| Account & billing records | Active account + 6 years after closure (tax/accounting requirements). |
| VM disk snapshot after cancellation | 30 days, then permanently deleted. |
| Server access logs | 30 days rolling, except entries flagged as relating to abuse or a security incident, which are kept until resolution + 12 months. |
| Routing metadata | 30 days rolling. |
| Marketing-list email address | Until you unsubscribe, then suppressed. |

8. Cookies & analytics

The claw64.com marketing site uses a small number of cookies and similar technologies. Where required by law, we will ask for your consent before any non-essential cookies are set.

  • Strictly necessary — session management, CSRF protection, payment flow with Stripe. These cannot be turned off without breaking the Service.
  • Analytics & advertising — if enabled, the Meta Pixel will be loaded after consent. It sets cookies on your device that allow Meta to attribute conversions and measure ad performance.

You can clear cookies in your browser at any time. Withdrawing analytics consent does not affect the lawfulness of any processing that occurred while consent was active.

9. Your rights

Subject to limits set out in the applicable data protection law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that is inaccurate or incomplete;
  • Erase data we no longer have a lawful basis to hold;
  • Restrict our processing in certain circumstances;
  • Port data you provided to us in a structured, machine-readable form;
  • Object to processing based on legitimate interests, including direct marketing;
  • Withdraw consent for any processing based on consent;
  • Not be subject to a decision based solely on automated processing that produces legal effects on you (we do not use such automated decision-making).

To exercise any of these rights, email us at support@claw64.com. We will respond within one month. We may need to verify your identity before acting.

10. Children

The Service is not directed at people under 18, and we do not knowingly process personal data of children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Security

We use industry-standard technical and organisational measures to protect personal data, including encryption of data in transit, access controls, separation of duties, and per-user credential boundaries between your VM and our routing layer (so that a compromise of one user’s VM cannot reach another’s).

No internet service is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority within the legally required timeframes.

12. Changes to this policy

We may update this policy from time to time. The “Effective” date at the top reflects the latest version. For material changes, we will notify you by email or in-product before the new version takes effect.

13. Contact & complaints

Data controller: Claw 64 Limited, St Peter Port, Guernsey, Channel Islands.

Contact: support@claw64.com.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with a supervisory authority. The relevant authority depends on where you live; for residents of:

  • The Bailiwick of Guernsey: the Office of the Data Protection Authority (ODPA);
  • The United Kingdom: the Information Commissioner’s Office (ICO);
  • The European Economic Area: your national data protection authority.