Privacy Policy
This Privacy Policy explains what data PrivateClaw ("we," "us," or "our") collects, how we use it, who we share it with, and what rights you have. We have written this policy to be specific and honest — including about the places where our technical privacy guarantees have current limitations.
1. What We Collect
Account data
- Email address — collected during the signup flow (used for transactional emails and account management).
- SSH public key — used as your identity on the platform and provisioned to your CVM.
- Stripe customer ID and subscription state — stored in our database to manage your billing relationship.
- Signup source — how you found PrivateClaw (e.g., referral code or campaign tag), if provided.
Usage metadata
- Egress byte counts — measured per CVM via Azure Monitor. We track outbound traffic in bytes, not content.
- Inference request counts — the number of requests made to the inference proxy per user per period.
- Token counts per request — input and output token counts for each inference call, used to calculate cost. We do not store the content of the request.
- Cost per request — derived from token counts and per-token rates, stored in dollars.
- Timestamps and HTTP status codes — for each inference call, stored alongside token counts.
Logs
- Orchestrator access logs — standard web server request logs (IP address, path, status code, timestamp). Retained for approximately 30 days.
- CVM provisioning logs — records of CVM creation and deletion events, including Azure resource IDs. Retained for approximately 30 days.
- Stripe webhook receipts — event payloads received from Stripe (subscription created, payment succeeded, etc.). Retained for approximately 30 days.
Analytics
We use Plausible Analytics on our web frontend. Plausible is a privacy-friendly analytics provider that does not use cookies and does not track individuals across sites. Your IP address is forwarded to Plausible for country-level geolocation; Plausible does not store raw IP addresses. We receive aggregated, anonymized page view and event data. We do not perform session recording or behavioral tracking.
2. What We Do NOT Collect
We want to be explicit about what we do not collect:
- Inference prompts or completions. Inference prompts and completions are not stored by the PrivateClaw orchestrator. Our database records only token counts, request costs, and timestamps.
- Files inside your CVM. We do not access, read, or copy files stored inside your Confidential VM. We do not maintain standing administrative access to your CVM (see Section 3).
- SSH session contents. SSH traffic to your CVM is end-to-end encrypted between your client and the CVM; the PrivateClaw orchestrator routes encrypted bytes and does not decrypt or record session contents.
- Messaging channel content. OpenClaw connects to third-party channels (such as Telegram or Discord) directly from your CVM. These payloads are handled inside the CVM and are not routed through the PrivateClaw orchestrator.
3. Infrastructure Operator Access
Infrastructure operator access. PrivateClaw operates the infrastructure that routes your inference requests to our upstream inference provider. Like any SaaS operator, we have operational access to logs, metrics, and system state necessary to run the service. We do not routinely log, inspect, or store the content of your inference requests or responses — our database only records token counts, request costs, and timestamps. Each user's Confidential VM is cryptographically isolated via AMD SEV-SNP hardware attestation, which you can verify yourself by running privateclaw verify inside your CVM.
Upstream inference provider
Upstream inference is handled by Confidential AI, which runs its own Confidential VMs with AMD SEV-SNP attestation. Their privacy practices govern what happens inside their infrastructure — we forward requests to them and they process them inside their Trusted Execution Environment. We are not party to what they can or cannot access within their own infrastructure.
CVM access
We do not maintain standing administrative access to your Confidential VM. Once your CVM is provisioned, only SSH keys you register will have access. If you request support that requires us to log into your CVM, we will provide clear instructions for temporarily granting us access via a support key, and you can revoke that access at any time.
4. Third Parties We Share Data With
- Stripe — our payment processor. Stripe receives your email address, Stripe customer ID, card payment method data (card last four digits, fingerprint for deduplication), and subscription state. Stripe's privacy policy governs their data handling.
- Resend — our email delivery provider. Resend receives recipient email addresses and email content for transactional emails (verification codes, welcome emails, billing notices). Resend is based in the United States.
- Cloudflare — our web traffic proxy. Cloudflare fronts all web traffic to privateclaw.dev, provides Turnstile CAPTCHA during signup, and applies rate limiting. Cloudflare sees your IP address and HTTP request metadata. Cloudflare's privacy policy governs their data handling.
- Plausible Analytics — our web analytics provider. Plausible receives anonymized page view and event data as described in Section 1. Plausible is based in the EU; see their privacy policy for their data processing practices.
- Confidential AI — our upstream inference provider. When you make inference calls, your request content is forwarded to their infrastructure for processing. See also Section 3.
- Microsoft Azure — our infrastructure hosting provider. Azure hosts all CVMs, the orchestrator, and associated network infrastructure in the US East region. Azure processes data subject to Microsoft's data processing agreement and applicable privacy laws.
We do not sell your personal data to any third party, and we do not share your data with advertisers or data brokers.
5. Data Retention
- Active account. Account data and usage metadata are retained for the lifetime of your active subscription.
- Cancellation. Upon cancellation, your CVM and all data inside it are destroyed immediately (or at the end of your billing period, if not requested earlier). Account metadata and usage records for billing reconciliation are retained for as long as needed to operate the Service and meet legal and accounting obligations.
- Refund or chargeback. Accounts terminated due to a refund dispute or chargeback are deleted immediately, including the CVM and all associated data. Stripe will retain payment dispute records separately per their own retention policy.
- Logs. Orchestrator logs and webhook receipts are retained subject to standard system log rotation and operational needs.
- Disaster recovery. Backups and snapshots may retain data for 7 to 30 days after deletion, after which they are also destroyed.
6. Your Rights
Regardless of your location, we honor the following data rights for all users. To exercise any of these rights, contact us at support@privateclaw.dev.
- Right to access. You can request a copy of the personal data we hold about you. We will provide a data export in JSON format.
- Right to deletion. You can request deletion of your account and all associated data. We will process deletion requests within 30 days. Note that your CVM and all files inside it will be destroyed as part of this process.
- Right to correction. If any data we hold about you is inaccurate, you may request that we correct it.
- Right to portability. You may request a machine-readable export of your personal data in JSON format.
- Right to object. You may object to processing for marketing purposes. We do not send marketing emails; all emails we send are transactional (billing notices, verification codes, operational alerts).
- Right to lodge a complaint. If you believe we have violated your data protection rights, you have the right to lodge a complaint with a relevant data protection authority in your jurisdiction.
7. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child, we will delete it promptly. If you believe a minor has created an Account, contact us at support@privateclaw.dev.
8. International Transfers
International data transfers. Your data may be transferred and processed internationally by the service providers we use (listed above). We select providers that maintain reasonable data protection standards and publicly document their security practices. If you have specific data residency requirements, contact support@privateclaw.dev.
9. Security Measures
We implement the following technical and organizational security measures to protect your data:
- AMD SEV-SNP Confidential VMs. Each CVM runs inside a hardware Trusted Execution Environment where memory is encrypted by the CPU with keys the hypervisor does not hold.
- vTPM-backed disk encryption. CVM disk storage is encrypted and the keys are bound to the TPM state of the specific CVM instance.
- Per-CVM Network Security Groups. Each CVM has its own isolated network perimeter. Cross-CVM network traffic is blocked by default by per-CVM NSG rules.
- TLS 1.3. Connections between your computer and the PrivateClaw infrastructure and between Service components use TLS 1.3 or higher.
- Attestation verification. You can run privateclaw verify at any time to cryptographically verify the integrity of your CVM and the inference chain.
- SSH key-only access. CVM access uses SSH key-based authentication; password authentication is disabled.
Despite these measures, no system is completely secure. We cannot guarantee absolute security of your data.
10. Cookies and Tracking
The PrivateClaw web frontend uses the following minimal tracking technologies:
- Session cookie (signup flow). A short-lived session cookie is set during the signup flow to maintain state between steps. This cookie is necessary for the signup process and expires at the end of the session.
- Plausible tracker. Plausible uses a first-party script to count page views and events. It does not set cookies and does not track users across sessions or sites. No persistent identifier is stored.
- Cloudflare Turnstile. During signup, Cloudflare Turnstile CAPTCHA sets a cookie to verify you are not a bot. This cookie is controlled by Cloudflare and subject to Cloudflare's cookie policy.
We do not use advertising cookies, third-party tracking pixels, or behavioral analytics.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address associated with your Account. Continued use of the Service after the effective date of the updated policy constitutes acceptance.
12. Contact
For privacy-related questions, to exercise your rights, or for general support, contact us at support@privateclaw.dev.