Privacy Policy

This policy explains what ReClaw collects, why we collect it, how we share it, and the choices available to users of the website, dashboard, CLI, APIs, and encrypted backup service.

Scope and roles

This Privacy Policy explains how ReClaw ("ReClaw," "we," "us," or "our") collects, uses, discloses, protects, and retains personal information when you use our website, dashboard, CLI, APIs, encrypted backup and restore services, billing features, documentation, and related services (collectively, the "Service").

For account, billing, security, website, and operational data, ReClaw generally acts as the controller or business that decides how personal information is processed. For personal information you include inside encrypted backup archives or other Customer Content, you decide what to back up and why. In that situation, ReClaw acts only as your service provider or processor to host and process that content for the Service, unless a separate written agreement says otherwise.

This Privacy Policy does not apply to third-party websites, products, services, or open-source projects that we do not control. Those third parties have their own privacy practices.

Important backup privacy facts

ReClaw is designed for client-side encrypted backups. Your backup passphrase is not sent to ReClaw, and we cannot use it to decrypt your backup archives. If you lose your passphrase, we cannot recover it or decrypt backups for you.

Even when backup archive contents and backup metadata are encrypted, we may still process account-level and operational information needed to provide the Service, such as user IDs, backup IDs, blob paths, backup status, sizes, timestamps, expiration dates, client version, OpenClaw version, API key records, and event logs.

We do not intentionally collect payment card numbers through our app. Payment details are handled by our billing and payment providers.

Information we collect

We may collect the following categories of information:

  • Account information: name, email address, account ID, password authentication data, email verification status, profile image if provided, account settings, plan, and timestamps.
  • Authentication and security information: session tokens, API key records, API key prefixes or starting characters, hashed or stored key material as configured by our authentication provider, permissions, IP address, user agent, request metadata, security logs, and audit events.
  • Backup account information: encryption version, key derivation settings, salts, wrapped keys, nonces, encrypted backup metadata, backup IDs, blob paths, backup status, archive sizes, plaintext size reported by the client, expiration dates, deletion dates, client version, OpenClaw version, and backup event history.
  • Customer Content: encrypted backup archives and any files, workspace data, secrets, source code, credentials, personal information, labels, configuration data, or other material you choose to include in backups or submit to the Service.
  • Billing information: plan, billing cycle, subscription status, product IDs, customer IDs, payment status, renewal or cancellation state, billing portal interactions, tax information where applicable, and limited transaction metadata from billing providers.
  • Device, usage, and diagnostics information: pages visited, API routes used, CLI version, base URL, command outcomes, scheduler state when reported to the Service, error information, dates and times of requests, and approximate location inferred from IP address.
  • Communications: support messages, emails, issue reports, survey responses, feedback, and other communications you send to us.
  • Cookies and local storage: session cookies, authentication cookies, security cookies, and preference cookies, such as dashboard sidebar state, plus analytics cookies used to understand website usage. We do not currently use third-party advertising cookies in the codebase.

Sources of information

We collect information from:

  • you, when you create an account, configure the CLI, or contact us;
  • your devices and software, when they interact with the website, dashboard, CLI, APIs, backup upload routes, or restore routes;
  • service providers, such as authentication, hosting, storage, database, billing, payment, security, and infrastructure providers;
  • third-party integrations you choose to use or authorize; and
  • public or commercially available sources when needed for security, fraud prevention, sanctions compliance, or legal compliance.

How we use information

We use personal information to:

  • provide, operate, maintain, secure, and improve the Service;
  • create and manage accounts, sessions, API keys, backup accounts, backup records, restore permissions, and subscriptions;
  • process encrypted backup uploads, retain backup records, enable restore workflows, and enforce retention or deletion policies;
  • authenticate users and prevent fraud, abuse, and security incidents;
  • process payments, renewals, cancellations, refunds, taxes, and billing support;
  • respond to support requests and communicate about the Service;
  • debug, monitor, analyze, and improve performance, reliability, usability, and security;
  • enforce our Terms of Service and other policies;
  • comply with legal obligations, court orders, and government requests;
  • protect the rights, safety, property, and security of ReClaw, users, and others; and
  • create aggregated, de-identified, or anonymized information that cannot reasonably identify you.

How we disclose information

We may disclose personal information:

  • To service providers and processors that help us host, store, secure, authenticate, bill, monitor, support, analyze, and operate the Service.
  • To payment and billing providers for checkout, subscription management, payment processing, invoices, refunds, tax, fraud prevention, and customer portal access.
  • To infrastructure providers for hosting, database, private blob storage, networking, logging, backups, and security.
  • At your direction when you use integrations, share information, request support, restore data, or authorize disclosure.
  • For legal, safety, and enforcement reasons if we believe disclosure is required by law, needed to protect rights or safety, necessary to enforce our terms, or appropriate to prevent fraud, abuse, or security incidents.
  • In business transfers involving a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or due diligence, subject to appropriate confidentiality safeguards.
  • As aggregated or de-identified information that does not reasonably identify you.

We do not sell personal information or share it for cross-context behavioral advertising as those terms are commonly defined under U.S. state privacy laws. We also do not knowingly use sensitive personal information to infer characteristics about you.

Retention

We retain personal information for as long as needed to provide the Service, maintain security, comply with legal obligations, resolve disputes, enforce agreements, and support legitimate business needs. Retention periods vary based on the type of information and context.

Account and billing records may be retained while your account is active and for a reasonable period afterward. Backup records and encrypted backup blobs may be retained until they expire, are deleted, are removed under plan limits, or are no longer needed for the Service. The default backup retention period in the current product is 14 days, unless a plan, feature, or written agreement provides otherwise.

Security logs, fraud prevention records, and legal records may be kept longer where needed. Deleted information may remain in backups, archives, logs, or provider systems for a limited time before it is overwritten or deleted according to normal retention cycles.

Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including access controls, authentication, transport security, private backup blob access, and client-side encryption for backup archive contents. However, no method of transmission, storage, encryption, authentication, or operation is perfectly secure.

You are responsible for securing your local devices, account credentials, API keys, access tokens, backup passphrase, local configuration, local archives, and independent backups. If you believe your account or credentials have been compromised, contact us promptly at privacy@reclaw.io.

Your choices and rights

Depending on where you live, you may have rights to access, know, confirm, correct, delete, export, or receive a copy of personal information; restrict or object to certain processing; opt out of sale, sharing, targeted advertising, or certain profiling; limit use of sensitive personal information; withdraw consent; appeal a decision; and lodge a complaint with a data protection authority.

You can make a privacy request by emailing privacy@reclaw.io. We may need to verify your identity and authority before responding. We will not discriminate against you for exercising privacy rights, but some requests may limit our ability to provide the Service.

You may update some account information in the dashboard, cancel paid subscriptions through the billing portal when available, rotate or revoke API keys, delete backups where the Service provides deletion controls, and stop CLI-based backups by disabling local scheduling.

California and U.S. state privacy notice

This section supplements the rest of this Privacy Policy for residents of California and other U.S. states with comprehensive privacy laws. In the last 12 months, we may have collected the categories listed below:

  • Identifiers: name, email, account ID, user ID, IP address, API key identifiers, session identifiers, and billing identifiers.
  • Commercial information: plan, subscription, purchase, renewal, cancellation, invoice, and payment status.
  • Internet or network activity: login activity, requests, API use, CLI interactions with the Service, device and browser metadata, and usage logs.
  • Approximate geolocation: general location inferred from IP address.
  • Customer Content: encrypted backup archives and related encrypted metadata you choose to upload.
  • Sensitive personal information: account login data, API keys, access tokens, and any sensitive information you choose to include in encrypted backups. We do not collect your backup passphrase.
  • Inferences: limited operational inferences, such as plan status, account health, backup cadence, or support needs.

We collect and disclose these categories for the purposes described in this Privacy Policy. We may disclose each category to service providers, processors, billing providers, infrastructure providers, security providers, professional advisors, authorities where required, and transaction counterparties in a business transfer. We do not sell personal information or share it for cross-context behavioral advertising.

You may exercise applicable U.S. state privacy rights by emailing privacy@reclaw.io. If an appeal right applies and we deny your request, you may appeal by replying to our decision email with "Privacy Appeal" in the subject line.

Cookies and tracking choices

We use cookies and similar technologies for authentication, session management, security, preferences, Service functionality, and website analytics. You can control cookies through your browser settings, but disabling required cookies may prevent the dashboard or account features from working.

We use Google Analytics to understand website traffic and product usage trends so we can improve the Service. Because we do not currently sell personal information or use cross-context behavioral advertising cookies, we do not treat browser "Do Not Track" signals as requiring a separate response. We honor legally required opt-out preference signals, such as Global Privacy Control, where applicable.

Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, contact privacy@reclaw.io and we will take appropriate steps to delete it.

Users under 18 may use the Service only with involvement and consent of a parent or legal guardian and only where permitted by law.

International transfers

We and our providers may process personal information in the United States, Israel, the European Economic Area, and other countries where we or our providers operate. Privacy laws in those countries may differ from the laws where you live. Where required, we use appropriate transfer safeguards for international transfers.

Changes

We may update this Privacy Policy from time to time. The updated version will be effective when posted unless it states a later date. If we make material changes, we will use reasonable efforts to notify you, such as through the dashboard, account email, or website notice.

Contact

For privacy questions or requests, contact ReClaw at privacy@reclaw.io. For general service questions, contact support@reclaw.io.