Infrastructure Abilities Pricing Blog
Legal

Privacy Policy

Last updated: January 1, 2026  ·  Effective: January 1, 2026

1. Overview

SuperClaw is an infrastructure service. We deploy and manage OpenClaw AI agent instances on virtual private servers on your behalf. This policy explains what data we collect, why we collect it, how it is stored and used, and your rights over it.

Important: Your AI agent conversations happen entirely on your own VPS. Messages between you (or your users) and your Telegram bot are processed by your OpenClaw instance running on your server — they do not pass through SuperClaw's servers and we cannot access them. This is a core architectural property of the service.

The data controller for the purposes of this policy is SuperClaw. For privacy inquiries, contact us at privacy@superclaw.io.

2. Data we collect

Account data (collected when you sign in):

  • Your Google account email address
  • Your Google display name (used to personalise your dashboard)
  • A Firebase user ID (UID) assigned at first sign-in

Service configuration data (collected as you set up and use the service):

  • Your Telegram bot token — submitted from the dashboard and stored on your VPS. It passes through our backend at submission time and is stored encrypted at rest
  • LLM API keys you add (OpenAI, Anthropic, etc.) — stored encrypted at rest using AES-256. We never log or transmit raw key values
  • Your selected VPS region and plan
  • Your account preferences (notification settings, auto-restart preference)
  • Your Telegram bot username (retrieved from Telegram's API at setup time)

Usage data (collected automatically during service operation):

  • LLM API spend this month and budget limit (sourced from OpenRouter's management API where applicable)
  • VPS uptime hours and online/offline status (sourced from your instance via our management layer)
  • Last active timestamp
  • VPS provisioning metadata: region, status, creation date

Technical data:

  • Server access logs (IP addresses, request paths, timestamps) — retained for 30 days then automatically deleted
  • Firebase authentication session tokens — managed by Google/Firebase

3. Data we do not collect

To be explicit:

  • Conversation content. Messages sent to your Telegram bot and responses from your AI agent are processed on your VPS, not on our servers. We cannot read them.
  • Payment card data. Handled entirely by Polar.sh. We never see or store card numbers, CVVs, or bank details.
  • Raw API keys. We accept your keys over HTTPS, encrypt them immediately, and store only the encrypted form. The raw key value is never written to logs.
  • Location data, device fingerprints, or advertising identifiers. We do not use any tracking, analytics, or advertising infrastructure.

4. How we use your data

  • To authenticate you and provide access to the dashboard (legal basis: contract performance)
  • To provision and manage your VPS and OpenClaw instance (legal basis: contract performance)
  • To deploy your Telegram bot token and LLM keys to your instance (legal basis: contract performance)
  • To display your usage statistics and instance status in the dashboard (legal basis: contract performance)
  • To send you transactional notifications — usage alerts at 80% quota, billing events from Polar.sh (legal basis: legitimate interests / contract performance)
  • To maintain server logs for security and debugging (legal basis: legitimate interests)

We do not sell your data, share it with advertisers, or use it to build profiles for any purpose outside of operating the service.

5. Third-party data processors

The following third parties process data on our behalf or in connection with providing the service:

ProcessorPurposeData shared
Google / Firebase Authentication and session management Email address, display name, UID
Polar.sh Payment processing and subscription management Email address, plan selection. Polar handles all payment card data directly.
VPS provider (e.g. DigitalOcean / Hetzner) Infrastructure hosting — your VPS runs on their hardware VPS configuration, region selection
OpenRouter LLM request routing when Claw Credits are used API requests from your agent (not conversation content visible to us)
Telegram Your bot runs on Telegram's platform Your bot token is submitted to Telegram's API. Bot interactions are subject to Telegram's own Privacy Policy.

6. Data retention

Your account data and service configuration is retained while your subscription is active.

When you delete your account via the dashboard Settings panel:

  • Your VPS is terminated within minutes
  • Your stored API keys, preferences, and configuration are purged from our database within 24 hours
  • Your Polar.sh subscription is cancelled
  • Firebase authentication data is deleted within 30 days per Firebase's deletion policies

Server access logs are retained for 30 days and then automatically deleted.

If your subscription lapses without account deletion, your VPS is shut down at the end of the billing period. Account data is retained for 90 days to allow reactivation, then purged.

7. Security

  • All API keys stored using AES-256 encryption at rest
  • All data in transit encrypted via HTTPS / TLS 1.2+
  • VPS instances isolated from the public internet via Headscale mesh networking — no open ports
  • Authentication via Firebase — we never store or handle passwords
  • Access to production systems is restricted to authorised personnel only

No security system is infallible. In the event of a breach affecting your personal data, we will notify you and relevant regulators in accordance with applicable law.

8. Your rights

Depending on your location, you may have the following rights under GDPR, CCPA, or similar legislation:

  • Access. You can view your account data and usage in the dashboard at any time.
  • Deletion. You can delete your account and all associated data from the Settings panel. This is a full, irreversible purge.
  • Correction. Your email and display name are managed by your Google account. To change them, update your Google account settings.
  • Portability. To request an export of your account data in machine-readable format, email privacy@superclaw.io.
  • Objection / restriction. You may object to or request restriction of processing based on legitimate interests by contacting us.

For CCPA: we do not sell personal information. California residents have the right to know what personal information is collected, the right to delete, and the right not to be discriminated against for exercising these rights.

To exercise any of these rights, contact privacy@superclaw.io. We will respond within 30 days.

9. International transfers

SuperClaw operates globally. Your data may be processed in jurisdictions outside your own, including the United States. Where applicable, we rely on standard contractual clauses or other appropriate safeguards for international data transfers.

10. Changes to this policy

We will notify you by email at least 14 days before any material changes to this Privacy Policy take effect. Continued use of the service after the effective date constitutes acceptance.

11. Contact

For privacy questions or to exercise your data rights: privacy@superclaw.io

Response time: within 30 days of receipt.