Privacy Policy — ClawFusion

1. Introduction

This Privacy Policy explains how ClawFusion Inc. ("Company", "we", "us") collects, uses, and protects your information when you use ClawFusion ("Service"). We are committed to protecting your privacy and operating with a minimal-data philosophy.

By using the Service, you consent to the practices described in this policy.

2. What We Collect

Account Information

Data	Purpose	Stored Where
Email address	Account login, notifications	PostgreSQL (AWS RDS)
Team name	Workspace identification	PostgreSQL (AWS RDS)
Billing information	Subscription payments	Stripe (PCI-compliant)
IP address	Security, rate limiting	Application logs (30-day retention)

Usage Data

Number of agents spawned and their health status
API request counts and response times
Feature usage patterns (anonymized)
Error logs for debugging

3. What We Do NOT Collect

🔐 BYOK — Zero-Knowledge Architecture

Your LLM API keys are encrypted using AES-256 in AWS Secrets Manager. ClawFusion operates on a zero-knowledge model — we never access, read, or log your API keys. They are decrypted only at runtime by your agents, within isolated microVMs.

LLM API keys: Encrypted in AWS Secrets Manager. We never access or view them.
Agent processing data: We do not store the content your agents process. Agent messages flow through Kafka and are not persisted beyond delivery.
Agent outputs: The work product of your agents is not stored on our servers.
Passwords in plain text: All authentication credentials are hashed (bcrypt).

4. How We Use Your Data

Provide the Service: Account management, agent orchestration, billing
Communicate: Service announcements, security alerts, billing notifications
Improve the Service: Anonymized usage analytics to identify bugs and improve performance
Security: Fraud detection, abuse prevention, rate limiting
Legal compliance: Respond to lawful requests from authorities

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-Party Services

We use the following third-party services to operate ClawFusion:

Service	Purpose	Data Shared
Stripe	Payment processing	Email, billing details
AWS	Infrastructure (compute, database, secrets)	Encrypted data at rest
Google Analytics	Website analytics (landing page only)	Anonymized usage data, cookies

Each third-party service has its own privacy policy. We recommend reviewing them:

6. Cookies

We use minimal cookies:

Cookie	Type	Purpose	Duration
Session cookie	Essential	Authentication	Session
_ga / _gid	Analytics	Google Analytics (landing page only)	Up to 2 years

You can disable analytics cookies in your browser settings. The Service will function without them.

7. Data Security

Encryption at rest: AES-256 for all stored data
Encryption in transit: TLS 1.3 for all connections
Agent isolation: Firecracker microVMs with hardware-level sandboxing
Access control: Role-based access, API key authentication, team-level isolation
Audit logging: AWS CloudTrail for all infrastructure operations
Secrets management: AWS Secrets Manager with automatic rotation support

8. Data Retention

Account data: Retained while your account is active, deleted within 30 days of account deletion
Billing records: Retained for 7 years per tax/accounting regulations
Application logs: 30-day rolling retention
API keys (BYOK): Deleted immediately from AWS Secrets Manager upon your request

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

Right to access: Request a copy of all data we hold about you
Right to rectification: Correct inaccurate personal data
Right to erasure: Request deletion of your personal data ("right to be forgotten")
Right to data portability: Receive your data in a structured, machine-readable format
Right to restrict processing: Limit how we process your data
Right to object: Object to processing based on legitimate interests

To exercise any of these rights, email us at hello@clawfusion.com. We will respond within 30 days.

10. Children's Privacy

ClawFusion is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. International Data Transfers

Your data may be processed in the United States (AWS us-east-1 region). We ensure appropriate safeguards are in place, including Standard Contractual Clauses, for data transfers outside the EEA.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service. The "Last updated" date at the top indicates the most recent revision.

13. Contact

For privacy-related questions or to exercise your GDPR rights:

ClawFusion Inc.
Email: hello@clawfusion.com
Subject line: "Privacy Request — [Your Request]"