Privacy Policy

Clawhost — Managed AI Assistant Hosting Platform

Last Updated: February 23, 2026 Effective Date: February 23, 2026

1. Introduction

This Privacy Policy explains how Helixir Labs OÜ ("Clawhost", "we", "us", "our"), a company registered in the Republic of Estonia (registration number 16344641, VAT EE102426168), collects, uses, stores, and protects your personal data when you use the Clawhost platform (the "Service").

This Privacy Policy should be read together with our Terms and Conditions. Capitalized terms not defined here have the meanings given in the Terms and Conditions.

Registered Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia

Data Protection Contact: legal@clawhost.com

2. Data Controller

Helixir Labs OÜ is the data controller for the personal data we collect about you (our users) through the Service.

If you deploy an Agent that interacts with end users, you are the data controller for any personal data your Agent collects from those end users. See Section 11 for details on GDPR roles.

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect:

Name — from your OAuth provider profile or derived from your email address
Email address — required for all authentication methods
Username — automatically generated, displayed on public skill pages

If you sign in via Google or GitHub, we receive your name, email address, and profile image from the OAuth provider.

3.2 Authentication and Security Data

OAuth tokens — access and refresh tokens for linked Google or GitHub accounts, used solely for authentication
Two-factor authentication data — if you enable 2FA, we store an encrypted TOTP secret and backup codes
Session tokens — JWT-based session identifiers stored in secure cookies

3.3 Anti-Fraud and Account Integrity Data

To prevent abuse and protect the Service, we collect at the time of your first sign-in:

IP address — used for rate limiting and fraud detection
User-Agent string — used for device identification and fraud detection
Email metadata — domain and normalized form, used to detect duplicate or disposable email accounts
Device identifier — used to prevent multiple free trial claims from the same device

This data is used to compute a risk score and risk flags for your account. We do not use this data for profiling or marketing purposes.

3.4 Billing and Payment Data

We use Stripe as our payment processor. Clawhost does not store your credit card numbers, CVVs, or bank account details. All payment instrument data is held exclusively by Stripe.

We store:

Stripe customer and subscription identifiers
Billing period, subscription status, and spending cap settings
Payment event identifiers (for idempotency and billing accuracy)

Your email address and name are shared with Stripe when creating your customer record.

3.5 Agent and Deployment Data

When you create and deploy Agents, we store:

Agent name, description, image, and configuration
Workspace files (personality definitions, instructions, identity files)
Deployment metadata (timestamps, status, region, event history)
References to vault secrets used by each deployment (not the secrets themselves)

3.6 Vault Secrets

API keys, bot tokens, SSH keys, and other sensitive credentials you provide are stored exclusively as encrypted ciphertext using AES-256-GCM encryption. We never store plaintext secrets in the database. Decryption occurs only server-side, in memory, for the duration necessary to complete a specific operation (such as deploying your Agent). See Section 7 for more detail.

3.7 Usage and Billing Metrics

We collect non-content usage metrics for billing and service operation:

AI model identifiers used by your Agent
Token counts (input and output) per request
Provider cost per request (in USD)
Request timestamps

These metrics do not include message content or personally identifiable information of your end users.

3.8 Channel Connection Data

When you connect messaging channels (WhatsApp, Telegram, Discord, Slack, etc.) to your Agent, we store:

Channel type and connection status
The bot's external identifier and username on the platform
Connection and error timestamps

The bot token or API credential for each channel is stored encrypted in the vault (Section 3.6).

3.9 Logs

We collect operational and lifecycle logs for your Agents, including:

Log level, type, and timestamp
Infrastructure events (e.g., agent started, agent stopped, server provisioned)
Channel connection events (e.g., channel connected, channel disconnected, channel error)

These logs relate to the deployment lifecycle and infrastructure status only. We do not collect or store logs about individual messages sent or received by your Agent.

3.10 Communication Preferences

Email notification preferences (general notifications, weekly reports, error alerts)

3.11 Waitlist Data

If you join our waitlist, we collect your email address and the source of your signup.

4. How We Use Your Data

We process your personal data for the following purposes:

Purpose	Lawful Basis (GDPR Art. 6)
Providing and operating the Service (account management, Agent deployment, vault encryption)	Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptions	Performance of contract (Art. 6(1)(b))
Preventing fraud, abuse, and duplicate trial claims	Legitimate interest (Art. 6(1)(f))
Ensuring platform security and integrity	Legitimate interest (Art. 6(1)(f))
Sending transactional emails (sign-in links, billing notifications, service alerts)	Performance of contract (Art. 6(1)(b))
Sending weekly usage reports and error alerts	Consent (Art. 6(1)(a)) — configurable in settings
Analytics to understand Service usage and improve the product	Legitimate interest (Art. 6(1)(f))
Complying with legal obligations (tax records, law enforcement requests)	Legal obligation (Art. 6(1)(c))
Enforcing our Terms and Acceptable Use Policy	Legitimate interest (Art. 6(1)(f))

We do not sell your personal data. We do not use your data for automated decision-making that produces legal effects, except for automated fraud detection at sign-up which may result in account restrictions (you may contest such decisions by contacting support@clawhost.com).

5. Cookies and Tracking

5.1 Essential Cookies

Cookie	Purpose	Duration
Session token	Identifies your authenticated session	Until expiry or sign-out
2FA pending	Temporarily stores user ID during two-factor verification	10 minutes
New user flag	Triggers onboarding redirect for new accounts	5 minutes
Color scheme	Persists your light/dark theme preference	Persistent

These cookies are strictly necessary for the Service to function. They cannot be disabled.

5.2 Analytics Cookies

We use Google Analytics 4 to understand how users interact with our website and dashboard. Google Analytics sets cookies (such as _ga) that collect:

Pages visited and time spent
Browser and device information
Approximate geographic location (derived from IP address)
Referral source

Google Analytics data is used in aggregate to improve the Service. We do not use Google Analytics to identify individual users. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We do not use any other third-party tracking or advertising cookies.

6. Third-Party Services

We share data with the following third-party services as necessary to operate the Service:

Service	Purpose	Data Shared
Google (OAuth)	Sign-in with Google	Receives authentication requests; provides your name, email, and profile image
GitHub (OAuth)	Sign-in with GitHub	Receives authentication requests; provides your name and email
Resend	Transactional email delivery (magic link sign-in, notifications)	Your email address
Stripe	Payment processing, subscription management, billing portal	Your name, email, and subscription metadata. Payment instrument data is held exclusively by Stripe
Google Analytics	Website and dashboard analytics	Pseudonymized usage data (see Section 5.2)
AI model providers	Powering Agent conversations	Conversation data is routed through your configured AI model provider according to their privacy policy. We record token usage metrics (not message content) for billing
Infrastructure providers	Hosting the Service and running Agents	Your encrypted vault secrets are decrypted in memory during deployment to configure your Agent. All infrastructure is located in the European Union

Each third-party service processes your data according to its own privacy policy and terms of service. We encourage you to review their policies.

7. Data Security

We implement the following security measures to protect your data:

Encryption at rest — All sensitive credentials in the vault are encrypted using AES-256-GCM before storage. Only ciphertext, initialization vectors, and authentication tags are written to the database.
Server-side decryption only — Vault secrets are decrypted exclusively on our servers, never in the browser. Decrypted values are held in memory only for the duration of the specific operation.
Secure sessions — Session tokens are stored in HTTP-only, secure, same-site cookies.
Access control — Only you (authenticated via your account) can access your vault secrets, agent configurations, and deployment data.
EU data residency — Your account data, agent configurations, and encrypted secrets are stored on servers within the European Union.
No plaintext logging — We do not log, cache, or transmit plaintext secrets.

No system is perfectly secure. Despite our security measures, we cannot guarantee that the Service will be free from unauthorized access or data breaches. See Section 8.3(e) of the Terms and Conditions for full security disclaimers.

8. Conversation Data

Messages exchanged between your end users and your Agent are processed on your Agent's dedicated server. In the ordinary course of service delivery, Clawhost does not access, read, store, or analyze the content of these conversations.

The only data we collect related to Agent activity is:

Infrastructure and lifecycle events (agent started, stopped, channel connected)
Token usage counts for billing (model used, token counts, cost — no message content)

You, as the Agent operator, are solely responsible for how your Agent handles end-user data, including providing privacy notices to your end users and obtaining any required consents. See Section 11 for GDPR roles.

Right to monitor: We reserve the right to inspect Agent activity, including conversation content, where necessary to investigate credible reports of abuse or violations of our Terms. See Section 8.4 of the Terms and Conditions.

9. Data Retention

Data Category	Retention Period
Account data	Until you delete your account, plus 30 days (retrieval period)
Vault secrets	Until you delete them or close your account
Agent configurations and deployments	Until you delete them or close your account
Usage metrics and billing records	Retained as required by tax and accounting regulations (up to 7 years for financial records)
Operational logs	Rolling retention; older logs are automatically purged
Anti-fraud data (IP, User-Agent, risk score)	Retained for the lifetime of the account for ongoing fraud prevention
Trial user data	30 days after trial expiration if you do not subscribe; permanently deleted thereafter
Waitlist emails	Until manually removed or you request deletion
Backup copies	Deleted within 90 days of primary data deletion

Upon account deletion, we delete your personal data, agent configurations, vault secrets, and deployment data from primary storage within 30 days. Deletion from backups may take up to 90 days.

10. Your Rights Under GDPR

If you are in the European Economic Area, United Kingdom, or a jurisdiction with equivalent data protection laws, you have the following rights:

Access — Request a copy of the personal data we hold about you
Rectification — Request correction of inaccurate or incomplete data
Erasure — Request deletion of your personal data (subject to legal retention requirements)
Restriction — Request that we limit processing of your data in certain circumstances
Data portability — Request your data in a structured, machine-readable format
Objection — Object to processing based on legitimate interest
Withdraw consent — Where processing is based on consent (e.g., notification preferences), withdraw at any time via your account settings
Automated decisions — Contest decisions made solely by automated processing that affect you (e.g., fraud detection restrictions)

To exercise any of these rights, contact us at legal@clawhost.com. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you of the extension and the reasons.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), but you may lodge a complaint with the authority in your country of residence.

11. GDPR Roles — You and Clawhost

11.1 Your Account Data

Clawhost is the data controller for your personal data as a user (name, email, billing information, usage metrics, etc.).

11.2 End-User Data

If your Agent collects or processes personal data from end users:

You are the data controller — you define what data your Agent collects, how it processes it, and how long it is retained.
Clawhost is the data processor — only for the limited processing activities we perform on your behalf: storing encrypted vault secrets, transmitting configuration during deployment, collecting aggregated usage metrics, and storing your account information.

We are not joint controllers. Clawhost does not determine the purposes or means of end-user data processing.

11.3 Data Processing Agreement

If you deploy Agents that process personal data of individuals in the EEA, a Data Processing Agreement governs our relationship as processor. Our standard DPA is available at https://clawhost.com/legal/dpa and is incorporated into the Terms and Conditions by reference. For custom DPA requirements, contact legal@clawhost.com.

12. International Data Transfers

Your data is stored on servers within the European Union (Germany). Some of our third-party service providers may process data outside the EEA:

Google (OAuth, Analytics) — US-based; transfers governed by Google's data processing terms and applicable transfer mechanisms
GitHub (OAuth) — US-based; transfers governed by GitHub's privacy commitments
Stripe (payments) — US-based; certified under the EU-US Data Privacy Framework
Resend (email) — US-based; transfers governed by standard contractual clauses
AI model providers — may be US-based or elsewhere depending on your chosen model; conversation data is processed according to each provider's privacy policy

Where data is transferred outside the EEA, we rely on adequacy decisions, standard contractual clauses, the EU-US Data Privacy Framework, or other appropriate safeguards under GDPR Chapter V.

13. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at legal@clawhost.com and we will take steps to delete the information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy. Previous versions are available upon request.

15. Contact Us

For any questions or concerns about this Privacy Policy or our data practices:

Helixir Labs OÜ

Registered Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia

General support: support@clawhost.com
Data protection and privacy: legal@clawhost.com
Abuse reports: abuse@clawhost.com

Company Registration: 16344641 VAT Number: EE102426168

By using the Clawhost Service, you acknowledge that you have read and understood this Privacy Policy.