Privacy Policy

1. Data We Collect

We collect what is needed to operate ActivateClaw: account identity (name, email via Google OAuth), subscription metadata, deployment metadata (subdomain, server status, IP address), optional integration settings (such as Telegram bot token or SSH public key), and support communications.

2. Cookies and Authentication

We use essential cookies for authentication (Supabase session tokens). We do not use tracking cookies, analytics cookies, or any third-party advertising trackers. No cookie consent banner is required because all cookies are strictly necessary for the service to function.

3. Payment Data

All payment processing is handled by Polar.sh, which acts as Merchant of Record. We never see, store, or process your credit card number, CVV, or other payment card details. Polar provides us only with subscription status, customer ID, and transaction metadata needed to manage your service.

4. API Key Handling

We do not store your OpenAI/Anthropic API keys permanently; they are injected into your private VPS.

During setup flows, key material may be processed transiently to validate provider access and apply configuration to your instance.

5. Data We Do Not Intentionally Persist

We do not intentionally persist OpenClaw conversation content in our application database. Your OpenClaw runtime and conversation data are primarily processed and stored on your provisioned VPS.

6. Data Location

Your VPS is hosted on Hetzner Cloud in the European Union (Germany or Finland). Application data (account info, instance metadata) is stored in Supabase. Authentication is handled via Google OAuth through Supabase.

7. Security Position

We implement controls and secure defaults to reduce risk, but no connected system is fully immune to breach, outage, or software defects. You are responsible for server-level controls and operational security after deployment.

8. Sub-processors

The following third-party services are used to deliver ActivateClaw:

• Supabase (authentication and application database — EU/US)
• Polar.sh (Merchant of Record and subscription billing)
• Hetzner Cloud (dedicated VPS infrastructure — EU)
• Cloudflare (DNS record management for instance domains)
• Resend (transactional email delivery)
• OpenRouter (optional OAuth key exchange / provider setup)
• Google OAuth via Supabase (optional identity provider)
• Configured AI providers like OpenAI, Anthropic, and Google Gemini (optional key validation and API calls)

9. Your Rights

You have the right to access, correct, or delete your personal data. You can request a copy of your data or ask us to delete your account and all associated data by contacting us. Upon account deletion, your VPS and all data on it will be permanently destroyed.

10. Retention and Deletion

If your subscription ends, lifecycle retention follows current platform policy: 7-day grace period and 14-day suspended retention before permanent cleanup (21 days total), unless earlier deletion is required for abuse, legal compliance, or security reasons.

11. Age Requirement

ActivateClaw is not intended for anyone under the age of 18. By using this service, you confirm that you are at least 18 years old.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to your registered address. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

13. Contact and Requests

Privacy questions, data access requests, or deletion requests can be sent to activateclaw@gmail.com.