Privacy Policy

1. Information We Collect

Account Information: When you create a ClawBoss account, we collect your name, email address, and password (hashed). We do not store plaintext passwords.

Billing Information: Payments are processed by Stripe. We do not store your credit card number. We receive and store limited billing metadata such as subscription status and plan type.

Instance Configuration: We store the VPS IP address and configuration details you provide when setting up your ClawBoss-governed OpenClaw instance.

Agent Activity Data: The ClawBoss Chrome extension detects AI agent tool execution events within OpenClaw sessions in your browser in order to evaluate governance policies. This data is transmitted to your self-hosted ClawBoss governance layer on your own VPS. In addition, governance decision data — including the tool name, action taken (ALLOW or BLOCK), risk tier, and timestamps — is transmitted to ClawBoss servers and stored in our hosted database (the agent_events table in Supabase) to power the persistent audit trail feature.

Usage Data: We may collect anonymized usage data such as feature interactions and session metadata to improve the Service.

2. Information We Do Not Collect

ClawBoss is not designed to collect:

• Browsing history from websites unrelated to OpenClaw sessions
• Passwords or authentication credentials
• Form input data from third-party websites
• Device camera, microphone, contacts, or location data

3. How We Use Your Information

• To create and manage your account
• To process payments and manage your subscription
• To operate and improve the ClawBoss Service
• To send transactional emails such as beta invitations, account confirmations, and service notices
• To enforce our Terms of Service and protect the security of the Service

We do not sell, rent, or share your personal information with third parties for marketing purposes.

4. Chrome Extension Data Practices

The ClawBoss Chrome extension requires the following permissions to operate:

• activeTab & tabs: To detect when an OpenClaw agent session is active in your browser
• scripting: To inject a lightweight monitoring script into OpenClaw agent pages to capture tool execution events
• storage: To persist your VPS connection settings and governance preferences locally in your browser
• host permissions: To communicate with your self-hosted OpenClaw instance on your VPS and with app.clawboss.ai to fetch pending approvals, sync governance activity, and persist audit trail data
• alarms: To schedule periodic heartbeat signals between the extension and your governance layer
• notifications: To deliver real-time desktop alerts when governance events require owner attention, such as pending approvals, blocked tool calls, or expired spend requests

Raw agent activity data (such as page content and full tool payloads) monitored by the extension is transmitted to your own self-hosted VPS and is not sent to ClawBoss servers. However, governance decision data — including which tool was called, whether it was allowed or blocked, and the associated risk tier — is transmitted to and stored on ClawBoss servers to provide the persistent audit trail feature.

5. Data Storage and Security

Account data is stored securely using Supabase with row-level security policies. We use industry-standard encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel only.

ClawBoss is designed so that sensitive agent execution data remains on infrastructure controlled by the user whenever possible.

6. Third-Party Services

We use the following third-party services to operate ClawBoss:

• Supabase — database and authentication
• Stripe — payment processing
• Resend — transactional email delivery
• Vercel — application hosting

Each of these providers maintains their own privacy policies and data handling practices.

7. Data Retention

We retain your account data for as long as your account is active. If you cancel your subscription or request deletion, we will delete your personal data within 30 days, except where retention is required by law.

Governance Audit Trail: Governance decision data stored on ClawBoss servers is retained for 30 days by default. Retention periods may vary by plan tier in the future, and we will update this policy accordingly.

8. Automated Decision-Making

ClawBoss uses rule-based governance policies to determine whether AI agent tool calls are allowed, blocked, or require approval. These policies are configured by the user and operate deterministically. They apply only to AI agent actions and do not make decisions about individuals.

9. No AI Training on Customer Data

ClawBoss does not use customer data, governance logs, or agent-generated content to train machine learning models.

10. Legal Disclosure

We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

11. Your Rights

Depending on your location, you may have the right to access, correct, or delete your personal data. To exercise these rights, contact us at the address below.

12. Children's Privacy

ClawBoss is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the ClawBoss dashboard. Continued use of the Service after changes constitutes acceptance of the updated policy.