Privacy Policy

Last updated: 2 April 2026

1. Introduction

This Privacy Policy describes how ClawShip ("we", "us", or "our") collects, uses, discloses, and otherwise processes your personal information when you visit our website at clawship.io, use our services, or otherwise interact with us. ClawShip is the trading name of Jose Florendo, a sole trader registered in Australia.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use our services.

2. Information We Collect

Information you provide to us:

• Account information: Your name and email address, collected via Google OAuth when you sign in.
• Billing information: Payment processing is handled by Stripe. We do not store your credit card details. We retain your Stripe customer ID and subscription status.
• Bot credentials: Your Telegram bot token and AI provider API key (OpenAI or Anthropic), which you supply during onboarding. These are stored securely in our database and used solely to provision and operate your assistant. You are solely responsible for keeping your credentials secure and for any activity conducted through them.
• Support communications: Any information you provide when contacting us for support, including your email address and the content of your message.

Information collected automatically:

• Log and usage data: We log provisioning events, service status, and basic request metadata (IP address, browser type, operating system, referring URLs, access times) to operate and support your account.
• Device data: We collect information about the device you use to access our website, including device type, operating system, and browser type.
• Cookies and similar technologies: We use cookies for authentication and session management. See the Cookies section below for details.

3. Information We Do Not Collect

ClawShip does not access, store, monitor, or log the content of messages sent to or generated by your Telegram bot. Conversation data flows directly between Telegram, your hosted OpenClaw instance, and the AI provider (OpenAI or Anthropic). We have no access to this data.

We do not collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data.

4. How We Use Your Information

We use your personal information for the following purposes:

• To provide our services: Create and manage your account, provision and operate your hosted AI assistant, and process payments via Stripe.
• To communicate with you: Send transactional emails (account setup, provisioning updates, billing notifications) and respond to support requests.
• To protect our services: Detect, prevent, and address technical issues, fraud, or abuse.
• To comply with legal obligations: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
• To improve our services: Analyse usage patterns to improve the reliability, performance, and user experience of ClawShip.

We do not sell your personal information to third parties. We do not use your personal information for automated decision-making or profiling.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal information only where we have a valid legal basis to do so. Our legal bases include:

• Performance of a contract: Processing necessary to provide you with the ClawShip service, including account management, provisioning, and billing (Article 6(1)(b) GDPR).
• Legitimate interests: Processing necessary for our legitimate interests, such as improving the service, preventing fraud, and ensuring security, where those interests are not overridden by your data protection rights (Article 6(1)(f) GDPR).
• Legal obligation: Processing necessary to comply with applicable law (Article 6(1)(c) GDPR).
• Consent: Where you have given specific consent, which you may withdraw at any time by contacting us at support@clawship.io (Article 6(1)(a) GDPR).

6. Bot Credentials

ClawShip requires customers to supply their own Telegram bot token and AI provider API key (OpenAI or Anthropic) to operate the service. These credentials are:

• Stored securely in our database with encryption at rest
• Used solely to provision and operate your hosted AI assistant
• Never shared with any party other than the respective platform (Telegram for bot tokens, OpenAI or Anthropic for API keys) as required to operate the service
• Deleted from our systems within 30 days of account deprovisioning

ClawShip does not access or monitor bot conversations. You are solely responsible for:

• The security of your credentials
• Any activity conducted through your bot token and API key
• Compliance with the terms of service of Telegram, OpenAI, and Anthropic
• Any content generated by the AI assistant operating under your credentials

7. AI Products

ClawShip enables you to deploy AI assistants powered by third-party AI providers, including OpenAI and Anthropic. When you use our service:

• Your AI provider API key is used to make requests to the AI provider on your behalf
• Input (prompts) and output (responses) are processed by these third-party AI providers according to their own terms and privacy policies
• ClawShip does not control, review, store, or monitor the content of AI inputs or outputs
• You are responsible for ensuring that your use of AI services complies with the respective provider's terms of service and acceptable use policies

For more information on how these providers handle data, see:

• OpenAI Privacy Policy
• Anthropic Privacy Policy

8. How We Share Your Information

We share your information only with the third-party services necessary to operate ClawShip:

• Supabase — database hosting and authentication
• Hetzner — cloud infrastructure (servers located in Germany)
• Vercel — website hosting and deployment
• Stripe — payment processing
• Resend — transactional email delivery
• Telegram — bot platform integration
• OpenAI — AI model provider (when selected by you)
• Anthropic — AI model provider (when selected by you)

Each provider processes your data in accordance with their own privacy policies. We do not share your personal information with any other third parties except:

• As required by law, regulation, legal process, or enforceable governmental request
• To protect our rights, privacy, safety, or property, or that of our users or the public
• In connection with a merger, acquisition, or sale of assets (you will be notified of any such change)

We do not sell, rent, or trade your personal information.

9. Cookies and Tracking Technologies

ClawShip uses cookies solely for authentication and session management. Specifically:

• Essential cookies: These cookies are required for the operation of our website. They include session cookies that enable you to remain logged in as you navigate the site.

We do not use cookies for advertising, analytics, or tracking purposes. We do not use third-party advertising cookies or tracking pixels.

Most web browsers are set to accept cookies by default. You can usually modify your browser settings to remove or reject cookies. If you choose to remove or reject cookies, this may affect the availability and functionality of our services.

10. Do Not Track

Some browsers include a "Do Not Track" (DNT) signal. Because there is no accepted standard for how to respond to DNT signals, we do not currently respond to DNT browser signals. However, as stated above, we do not use tracking cookies or engage in online tracking for advertising purposes.

11. International Data Transfers

Your data may be processed in the following locations:

• Germany: Hetzner cloud infrastructure
• United States: Vercel, Supabase, Stripe, Resend, OpenAI, Anthropic
• Other countries: Where our service providers maintain infrastructure

If you are located in the EEA, UK, or Australia, some of these transfers involve countries that may not have data protection laws equivalent to those in your jurisdiction. Where required by applicable law (including the GDPR), we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider's participation in recognised data protection frameworks.

By using ClawShip, you acknowledge that your data may be transferred to and processed in countries outside your country of residence.

12. Data Retention

We retain your personal information for as long as your account is active and as necessary to fulfil the purposes described in this Privacy Policy. Specifically:

• Account data: Retained while your account is active and for up to 12 months after account closure, to comply with legal obligations, enforce our Terms, and resolve disputes.
• Bot credentials: Your Telegram bot token and AI API key are deleted from our systems within 30 days of account deprovisioning.
• Billing records: Retained as required by tax and accounting laws (typically 7 years in Australia).
• Support communications: Retained for up to 24 months after the issue is resolved.
• Log data: Retained for up to 12 months for operational and security purposes.

When personal information is no longer needed, we delete or anonymise it in accordance with applicable law.

13. Data Security

We implement reasonable technical and organisational measures to protect your personal information, including:

• Encryption of credentials at rest and in transit (TLS/SSL)
• Access controls limiting who can access personal data
• Regular security reviews and updates
• Secure infrastructure hosted by reputable providers

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

14. Data Breach Notification

Australia: In the event of a data breach that is likely to result in serious harm to any individual whose personal information is affected, we will notify the Australian Information Commissioner and affected individuals as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). We will take all reasonable steps to contain the breach, assess the risk of serious harm, and provide notification as soon as practicable.

EEA/UK (GDPR): Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will notify affected individuals without undue delay.

US states: We will provide breach notifications in accordance with applicable state data breach notification laws.

15. Children

ClawShip is not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@clawship.io and we will promptly delete the information.

16. Your Privacy Rights

All users: Regardless of your location, you may request access to, correction of, or deletion of your personal information by contacting us at support@clawship.io. We will respond within 30 days.

Australian users (Privacy Act 1988):

This Privacy Policy is compliant with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to:

• Access the personal information we hold about you (APP 12)
• Request correction of inaccurate, out-of-date, or incomplete information (APP 13)
• Make a complaint about our handling of your personal information

If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

EEA and UK users (GDPR):

Under the General Data Protection Regulation, you have the following rights:

• Right of access: You have the right to request a copy of the personal data we hold about you.
• Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure: You have the right to request deletion of your personal data in certain circumstances.
• Right to restriction of processing: You have the right to request that we restrict processing of your personal data in certain circumstances.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time.

To exercise any of these rights, contact us at support@clawship.io. We will respond within one month. You also have the right to lodge a complaint with your local data protection supervisory authority.

California residents (CCPA/CPRA):

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

• Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share it.
• Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell or share your personal information as defined by the CCPA/CPRA.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact us at support@clawship.io. We will verify your identity before processing your request and respond within 45 days.

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email address, IP address), commercial information (subscription and billing records), and internet or network activity (log data, device information). We collect this information for the business purposes described in section 4 above. We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA.

California Shine the Light (Civil Code § 1798.83):

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated in this Privacy Policy, we do not disclose personal information to third parties for their direct marketing purposes.

Other US state privacy laws:

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and port their personal information, and to opt out of the sale of personal information, targeted advertising, and profiling. We do not sell personal information, engage in targeted advertising, or perform profiling as defined by these laws. To exercise any applicable rights, contact us at support@clawship.io.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email at least fourteen (14) days before the changes take effect. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.

Your continued use of ClawShip after changes take effect constitutes acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.

18. Contact

If you have questions or concerns about this Privacy Policy, your personal information, or how we handle your data, contact us at:

support@clawship.io

If you are located in the EEA or UK and have concerns about our processing of your personal information that we are unable to resolve, you have the right to lodge a complaint with your local data protection supervisory authority.