Privacy Policy

This Privacy Policy explains how SmartClaw ("we", "us", or "our") collects, uses, stores, and protects your information when you use the SmartClaw desktop application, web dashboard, cloud services, and related services (collectively, the "Service"). We are committed to protecting your privacy and ensuring transparency about our data practices.

SmartClaw is designed with an offline-first, privacy-preserving architecture. The vast majority of your data never leaves your local machine. This policy details exactly what data we handle and how.

SmartClaw operates primarily on your local machine. The following data is stored exclusively on your device and is never transmitted to SmartClaw servers:

• • All files, documents, and media processed by SmartClaw
• • Chat messages from WhatsApp, Telegram, Discord, Signal, and Slack
• • Calendar events, email data, and contact information
• • AI conversation history, memory data, and adaptive learning insights (stored locally by default; if you enable Cloud Chat Sync, conversations are encrypted on your device with AES-256-GCM before transmission — we cannot read them)
• • Application logs and activity history
• • Custom personality configurations and skill data

This data is stored in the SmartClaw_Workspace directory on your device. We (the developers of SmartClaw) cannot access, view, read, or retrieve any of this local data under any circumstances.

To provide license validation, subscription management, and customer support, we collect and store the following information on our servers:

Account Information

• • Email address (used for account creation and communication)
• • Hashed password (we never store plaintext passwords)
• • Account creation date and last login timestamp

Subscription and Billing Data

• • Subscription plan type and status (trial, annual, lifetime, cloud relay monthly, cloud relay annual, cloud add-on)
• • Payment history processed through Stripe (we do not store credit card numbers)
• • Billing address (if provided for tax purposes)

Device Information

• • A cryptographic hardware hash (used to enforce the 3-device limit per license)
• • Operating system type and version (e.g., Windows 11, macOS 15)
• • Device name (as configured in your OS settings)
• • Last seen timestamp for each registered device

Cloud Backup Data (Optional)

• • Assistant configuration snapshots (provider settings, feature toggles, safety level — API keys are stripped before upload)
• • Backup metadata (timestamp, size, device of origin)

Cloud Chat Sync Data (Optional)

• • End-to-end encrypted conversation payloads stored as opaque ciphertext only — we cannot decrypt or read them
• • Sync metadata: timestamp, payload size, and originating device identifier
• • PIN-encrypted sync key blob (used for cross-device pairing only)

Cloud Relay Data (Optional)

• • Cloud Relay instance status, heartbeat timestamps, and container logs (info, warning, error level only — no message content)
• • Encrypted API keys (AES-256-GCM encrypted on your device before upload; decrypted only in-memory within your isolated container — SmartClaw staff cannot access plaintext keys)
• • Assistant configuration snapshot (provider settings, feature toggles — API keys are stripped before upload)
• • Message queue payloads for desktop sync (event type and metadata; retained until delivered and acknowledged, then cleaned after 30 days)

Usage Analytics (Aggregated)

• • Daily message count and task completion count
• • Estimated API cost per day (calculated locally, only totals are synced)
• • We do NOT collect the content of your messages, prompts, or AI responses

• • Content of your conversations, messages, or AI prompts (even when Cloud Chat Sync is enabled, your conversation content is encrypted on your device before leaving it)
• • Your files, documents, images, or any personal media
• • Your API keys or provider credentials
• • Keystrokes, screen recordings, or browser history
• • Location data, IP address tracking, or device fingerprinting beyond the hardware hash
• • Contact lists, calendar details, or email content
• • Telemetry about which AI models you use or what you ask them

SmartClaw operates on a "Bring Your Own Key" (BYOK) model. Your API keys for third-party providers are handled as follows:

• • Storage: API keys are stored exclusively in your operating system's native secure keychain (Windows Credential Manager on Windows, Keychain Access on macOS). They are never written to plaintext files.
• • Transmission: API keys are never transmitted to SmartClaw servers. They are used only for direct communication between your device and the respective AI provider.
• • Backups: When creating cloud backups, API keys and sensitive credentials are automatically stripped from the configuration snapshot before upload. Restored backups require you to re-enter your API keys.
• • Memory: API keys are loaded into application memory only when needed for API calls and are not cached beyond the current session.

When you connect API keys and use cloud AI providers through SmartClaw, your prompts and data are transmitted directly from your device to the provider's servers via TLS-encrypted connections. SmartClaw's servers are never in the middle of these communications. The providers SmartClaw supports include:

Each provider has its own privacy policy and data handling practices. We strongly recommend reviewing the privacy policy of each provider you use. When using local AI models (e.g., Ollama with Llama), no conversation data leaves your machine at all.

SmartClaw can connect to messaging platforms (WhatsApp, Telegram, Discord, Signal, Slack) to act as your AI assistant. When using these integrations:

• • Messages are processed locally on your device. SmartClaw does not relay your messages through our servers.
• • Bot tokens and pairing credentials are stored in your local secure keychain.
• • Message history is stored only on your device in the SmartClaw workspace.
• • SmartClaw complies with each platform's bot and automation policies.

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to your full credit card number, CVV, or bank account details. Stripe provides us with:

• • The last four digits of your payment method (for display purposes)
• • Payment status (success, failed, refunded)
• • Subscription status and billing cycle information

For more information about Stripe's data practices, please review Stripe's Privacy Policy.

The SmartClaw desktop application does not use cookies or tracking pixels. The SmartClaw website at www.smartclaw.dev and the account surfaces on smartclaw-server.vercel.app use:

• • Essential cookies: Required for authentication and session management on the web dashboard.
• • No advertising trackers: We do not run ad-tech, retargeting pixels, or third-party marketing trackers on the current site.

We do not sell, rent, or trade your personal information to advertisers or data brokers.

We retain your data according to the following schedule:

• • Account data: Retained for the lifetime of your account plus 30 days after deletion request.
• • Payment records: Retained for 7 years as required by financial regulations.
• • Cloud backups: Retained until you delete them or delete your account. Maximum of 30 backup snapshots per account.
• • Device registrations: Retained until you deactivate the device or delete your account.
• • Usage analytics: Aggregated daily summaries are retained for 12 months.
• • Local data: Stored indefinitely on your device until you manually delete the SmartClaw workspace folder or uninstall the Application.
• • Cloud Chat Sync data: Encrypted payloads are deleted when you disable sync, delete your account, or request deletion. Adaptive learning insights are stored locally only and never uploaded.

You have the right to delete your data at any time:

• • Cloud data: Use the "Delete Account" button in the Application's Account panel. This permanently removes your account, licenses, device registrations, cloud backups, and usage data from our servers within 30 days.
• • Local data: Delete the SmartClaw_Workspace directory from your device to remove all local chat logs, files, and configuration.
• • Stored credentials: Uninstalling SmartClaw or manually clearing entries from your OS keychain removes stored API keys and tokens.

You may also contact us at support@smartclaw.dev to request data deletion or to receive a copy of the data we hold about you.

We implement industry-standard security measures to protect your data:

• • All communications between SmartClaw and our servers use TLS 1.3 encryption
• • Passwords are hashed using bcrypt with salt before storage
• • API keys are stored in OS-level secure keystores with hardware-backed encryption where available
• • Cloud backup data is encrypted at rest on our servers
• • Authentication tokens are short-lived and rotated automatically
• • Our backend infrastructure is hosted on SOC 2 compliant providers

While we take extensive precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

SmartClaw is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@smartclaw.dev.

Our servers are located in the United States. If you access SmartClaw from outside the United States, your account information (email, subscription status, device hashes) may be transferred to and processed in the United States. By using SmartClaw, you consent to this transfer. We ensure that any data transfers comply with applicable data protection laws and that appropriate safeguards are in place.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• • Right to Access: Request a copy of the personal data we hold about you.
• • Right to Rectification: Request correction of inaccurate personal data.
• • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
• • Right to Portability: Request your data in a structured, machine-readable format.
• • Right to Object: Object to processing of your personal data for certain purposes.
• • Right to Withdraw Consent: Withdraw consent for data processing where consent is the legal basis.

To exercise any of these rights, contact us at support@smartclaw.dev. We will respond within 30 days.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this Privacy Policy periodically.

If you have questions about this Privacy Policy or our data practices, please contact us:

• • Email: support@smartclaw.dev