Privacy Policy

Last updated: March 2026

1. Information We Collect

When you use ClawClaw, we collect certain information to provide and improve our services:

  • Account information: Email address and display name via Google OAuth.
  • Platform tokens: Telegram Bot Tokens provided by you. These are encrypted using AES-256-GCM before storage.
  • API Keys (BYOK only): If you use the BYOK plan, your API key is encrypted at rest using the same standard.
  • Usage data: Bot deployment status, creation dates, and LLM usage metrics for managed plans.

2. How We Use Your Information

We use your information exclusively to:

  • Deploy and maintain your AI assistants on messaging platforms.
  • Process payments and manage your subscription.
  • Provide customer support.
  • Improve the reliability and performance of our service.

We do not sell, rent, or trade your personal data or API keys to any third parties.

3. Data Security

We implement strict security measures to protect your data:

  • Encryption at rest: All sensitive tokens are encrypted using AES-256-GCM with random IVs.
  • Two-layer encryption: Per-deployment encryption keys are themselves wrapped with a master key.
  • Encryption in transit: All communications use HTTPS/TLS and SSH.
  • Row Level Security: Database access is restricted so users can only access their own data.
  • Server hardening: Deployed VPS instances use UFW firewalls, Fail2ban, and Docker security constraints.

4. Cookies

We use essential cookies only for authentication session management (Supabase session tokens). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

5. Third-Party Services

We integrate with the following third-party services to operate ClawClaw:

  • Supabase: Authentication and database (hosted in EU).
  • Hetzner Cloud: VPS infrastructure for bot hosting (EU data centers).
  • Lemon Squeezy: Payment processing (PCI DSS compliant).
  • OpenRouter: LLM API key management (managed plan only).
  • Google OAuth: Authentication provider.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account or request data deletion, we will remove all your personal data, bot configurations, and encrypted tokens within 30 days. Server infrastructure (VPS instances) is terminated immediately upon bot or account deletion.

7. Your Rights

You have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion of your account and all associated data.
  • Data portability: Receive your data in a machine-readable format.
  • Objection: Object to processing of your data.

To exercise any of these rights, please contact us at the addresses listed below.

8. KVKK Compliance (Turkish Data Protection)

As a company operating in Turkey, we comply with the Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu — KVKK, Law No. 6698). In accordance with KVKK:

  • Your personal data is processed lawfully and in good faith.
  • Data is collected only for specific, explicit, and legitimate purposes.
  • Data processing is proportionate and limited to what is necessary.
  • Your data is kept accurate and up to date.
  • Data is retained only for the period required by law or its purpose.

Under KVKK, you have the right to: learn whether your data is processed, request information about data processing, learn the purpose of processing and whether it is used in accordance with its purpose, know third parties to whom your data is transferred, request correction of incomplete or inaccurate data, request deletion or destruction of your data, and object to adverse outcomes arising from automated data processing.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or data security, or wish to exercise your data rights:

  • Privacy & Security: security@masslabs.tech
  • General Inquiries: support@masslabs.tech
  • KVKK Requests: kvkk@masslabs.tech