Privacy Policy

Last updated: April 7, 2026

1. Information We Collect

Account Information

When you sign in via OAuth (Google or GitHub), we receive your email address, display name, and avatar. We do not receive or store your password.

Payment Information

Payments are processed by Stripe. We store only your Stripe Customer ID—we never see or store your card details.

Usage Data

We collect instance status, quota usage, and chat messages routed through RunClaw's AI gateway to model providers.

Channel Credentials

Bot tokens, app secrets, and other credentials you provide for messaging platform configuration are stored for your hosted OpenClaw instance.

Files

Uploaded images and documents are stored in local or S3-compatible storage.

API Keys

User-provided model provider API keys are encrypted at rest.

Technical Data

We collect IP addresses, browser information, and request logs for security and operational purposes.

2. Cookies

We use the following cookies:

• session (HttpOnly, 30-day, SameSite=Lax) — authentication session
• current_instance_id (HttpOnly) — remembers your active assistant

We do not use third-party tracking cookies.

3. How We Use Information

We use collected information to:

• Operate and maintain the Service
• Process payments and manage subscriptions
• Communicate service updates and important notices
• Enforce our Terms of Service
• Improve and develop the Service

4. Data Sharing with Third Parties

We share data with the following categories of third parties:

• Stripe — payment processing
• AI Model Providers — chat messages are routed through RunClaw's gateway to generate responses
• Cloud Infrastructure Providers — instance hosting
• Resend — transactional emails

Messaging platform interactions (Telegram, Discord, etc.) happen within your OpenClaw instance, not through RunClaw's core platform. RunClaw stores channel credentials you provide for instance configuration.

We do not sell your personal data.

5. Data Security

We protect your data with encryption in transit (TLS), encryption of OAuth tokens and API keys at rest, and randomly generated session tokens.

6. Data Retention

• Active account: data retained while your subscription is active
• After cancellation: data retained for 3 days, then permanently deleted
• Account deletion: available on request at any time

7. International Data Transfers

Your data may be processed in multiple regions depending on instance deployment. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate.

8. Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and associated data
• Request data portability

Contact [email protected] to exercise these rights.

9. EU/EEA Users (GDPR)

Our legal basis for processing is contract performance and legitimate interest. You additionally have the right to restrict processing, object to processing, and lodge a complaint with your supervisory authority. The data controller is RunClaw.

10. California Users (CCPA)

Categories of personal information collected: identifiers, commercial information, and internet activity. You have the right to know what data we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. We will not discriminate against you for exercising your rights.

11. Children's Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16.

12. Changes to This Policy

We may update this Privacy Policy with notice via email or platform notification. Continued use after changes take effect constitutes acceptance.

13. Contact

For privacy-related questions, contact us at [email protected].