Privacy Policy

Last updated: February 9, 2026

ClawStaff (“we,” “us,” or “our”) operates the clawstaff.ai platform. This Privacy Policy describes how we collect, use, store, and share information when you use our services.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Name and email address — required for account creation and communication.
• Profile image — optionally provided by you or your OAuth provider.
• Password — stored in hashed form only. We never store or have access to your plaintext password.

1.2 Organization Data

When you create or join an organization, we store your organization name, a URL-safe slug, an optional logo, and your membership role (owner, admin, or member).

1.3 Session and Security Data

For each authenticated session, we collect:

• IP address — for security monitoring and abuse prevention.
• User agent — browser and device information for session management.
• Session tokens — encrypted tokens to maintain your authenticated state.

1.4 Payment Information

Payment processing is handled entirely by Stripe. We store only your Stripe customer ID to link your account to your billing information. We never store credit card numbers, bank account details, or other payment credentials on our servers. All payment data is subject to Stripe’s Privacy Policy.

1.5 Integration Credentials

When you connect third-party services (Slack, Notion, Jira, etc.), we store OAuth tokens and provider-specific identifiers necessary to maintain the connection. These credentials are stored encrypted and are scoped to the permissions you explicitly grant during the OAuth flow.

1.6 BYOK (Bring Your Own Key) API Keys

If you provide your own API keys for AI providers (OpenAI, Anthropic), these keys are stored encrypted and used solely to execute requests on your behalf through your deployed Claws (AI agents). We do not use your API keys for any other purpose.

1.7 Agent (Claw) Data

Data processed by your Claws — including messages, files, and workflow outputs — is handled within isolated containers (ClawCages). We do not access, read, or analyze the content of your agent interactions. Each team’s data is isolated at the infrastructure level.

1.8 Waitlist Information

If you join our waitlist, we collect your email address for the purpose of notifying you about product availability and updates.

1.9 Automatically Collected Information

We collect standard server logs including request timestamps, URLs accessed, HTTP status codes, and referrer information. We do not use third-party analytics or tracking services on our marketing pages.

2. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve the ClawStaff platform.
• Authenticate your identity and manage your sessions securely.
• Process payments and manage your subscription through Stripe.
• Connect your Claws to third-party services you have authorized.
• Send transactional emails, including organization invitations and account notifications.
• Detect, prevent, and address security incidents and abuse.
• Comply with legal obligations and respond to lawful requests.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

• Service providers — We use third-party services to operate our platform. These include Stripe (payments), Amazon Web Services (email delivery via SES, object storage via S3), Hetzner (server infrastructure), Cloudflare (DNS and security), and Tailscale (network connectivity). Each provider processes only the minimum data necessary for its function.
• OAuth providers — When you authenticate via Google or connect integrations (Slack, Notion, Jira), data is exchanged per the OAuth protocol. We receive only the scopes you approve.
• AI providers (BYOK) — When your Claws execute tasks, data is sent to the AI provider associated with your API key (OpenAI or Anthropic). This data is governed by your agreement with that provider, not by ClawStaff. We do not control how those providers process your data.
• Legal requirements — We may disclose information if required by law, court order, or governmental regulation.

4. Data Storage and Security

• Account and organization data is stored in PostgreSQL databases with encryption at rest.
• Integration credentials and API keys are encrypted before storage.
• Each team’s Claws run in isolated containers (ClawCages) with dedicated storage, ensuring complete separation between tenants.
• Sessions use HTTP-only, secure, SameSite cookies with limited lifetimes.
• All data in transit is encrypted via TLS.

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Retention

• Account data is retained for the duration of your account. Upon account deletion, your personal data is removed within 30 days.
• Session data is retained until session expiration or logout.
• Agent data within ClawCages is retained for the duration of the agent’s deployment. Data is deleted when the agent or organization is removed.
• Waitlist data is retained until you unsubscribe or we no longer need it.
• Server logs are retained for up to 90 days.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Export your data in a portable format.
• Object to or restrict certain processing activities.
• Withdraw consent where processing is based on consent.

To exercise these rights, contact us at privacy@clawstaff.ai.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Session cookies are HTTP-only and secure.

8. Children’s Privacy

ClawStaff is not directed at individuals under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. International Data Transfers

Our infrastructure is hosted in the European Union (Hetzner, Germany). If you access ClawStaff from outside the EU, your data may be transferred to and processed in the EU. We ensure appropriate safeguards are in place for any international data transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Continued use of the platform after changes constitutes acceptance of the revised policy.

11. Contact

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: privacy@clawstaff.ai