Privacy Policy
This Privacy Policy describes how Anonime LLC, a Delaware limited liability company (“Company,” “we,” “us,” or “our”), collects, uses, discloses, retains, and protects your personal information when you access or use the Clawship platform, website located at clawship.app, APIs, and all related services (collectively, the “Service”).
BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Full name, email address, and authentication credentials (hashed password via Argon2, or OAuth tokens from Google). We never store plaintext passwords.
- Billing Information: Payment details are collected and processed exclusively by Stripe, Inc. We receive and store: Stripe customer ID, subscription ID, subscription status, plan details, and transaction records (amount, currency, date, success/failure status). We do not receive, process, or store your full credit or debit card number, CVV, or card expiration date.
- Instance Configuration: AI model selections, system prompts, channel API tokens and credentials, deployment region preferences, and other configuration data you provide when deploying AI assistant instances. Channel API tokens are encrypted at rest using AES-256-GCM.
- Communications: Information you provide when contacting us for support, feedback, DMCA notices, or other correspondence.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, click events, timestamps, and interaction patterns within the dashboard.
- Device & Browser Information: IP address, browser type and version, operating system, screen resolution, language preference, and device identifiers.
- Server Logs: API request logs (endpoint, method, status code, response time), authentication events (login, logout, failed attempts), and error diagnostics. Logs are retained for up to 30 days.
- Instance Runtime Data: Container health metrics, uptime/downtime events, deployment timestamps, and channel connectivity status. We do not log the content of messages passing through your AI assistant instances.
1.3 Information from Third Parties
- Google OAuth: If you sign in via Google, we receive your name, email address, and profile picture URL as authorized by your Google account permissions. We store your Google account ID for authentication purposes.
- Stripe Webhooks: Subscription lifecycle events (created, updated, canceled, deleted), invoice events (paid, failed), and customer metadata.
2. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service to you (e.g., account management, instance deployment, billing).
- Legitimate Interests: Processing for our legitimate business interests (e.g., security, fraud prevention, service improvement, analytics) where those interests are not overridden by your data protection rights.
- Legal Obligation: Processing required to comply with applicable law (e.g., tax reporting, responding to lawful government requests).
- Consent: Where we rely on consent, you may withdraw it at any time by contacting us at [email protected].
3. How We Use Your Information
- Provide, operate, maintain, and improve the Service.
- Create and manage your account and authenticate your identity.
- Process payments, manage subscriptions, and generate invoices via Stripe.
- Deploy, configure, and manage AI assistant instances on your behalf.
- Send transactional communications, including billing receipts, subscription status changes, security alerts, and Service update notifications.
- Provide customer support and respond to your inquiries.
- Monitor and improve the security, performance, reliability, and availability of the Service.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations, resolve disputes, and enforce our agreements.
- Generate aggregated, de-identified analytics to understand usage patterns and improve the Service. Such aggregated data cannot reasonably be used to identify you.
We do NOT:
- Sell, rent, or trade your personal information to third parties.
- Use your data to train AI models.
- Use your data for third-party advertising or ad targeting.
- Access or log the content of messages passing through your deployed AI assistant instances.
4. How We Share Your Information
We share personal information only in the following limited circumstances:
4.1 Service Providers (Sub-Processors)
We engage trusted third-party service providers who process data on our behalf, subject to contractual obligations to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing & billing | Name, email, payment method (via Stripe.js) |
| Cloud infrastructure providers | Hosting, compute, database | Account data, instance configuration (encrypted) |
| AI model providers (Anthropic, OpenAI, Google) | AI inference for your instances | Messages routed through your AI instances* |
*The content of messages sent to and from your AI assistant instances is transmitted to the AI model provider you select. This data is processed according to that provider’s own privacy policy and data processing terms. You are responsible for reviewing the applicable provider’s terms.
4.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Anonime LLC, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.
4.3 Business Transfers
In connection with a merger, acquisition, reorganization, bankruptcy, sale of assets, or similar transaction, your personal data may be transferred to the acquiring entity. We will provide notice (via email or prominent notice on the Service) before your data becomes subject to a materially different privacy policy.
4.4 With Your Consent
We may share your information in other circumstances with your explicit prior consent.
5. Data Security
We implement commercially reasonable administrative, technical, and physical security measures, including:
- Encryption at Rest: Channel API tokens and sensitive credentials are encrypted using AES-256-GCM. Database connections use TLS.
- Encryption in Transit: All communications between your browser and our servers use TLS 1.2 or higher.
- Password Security: Passwords are hashed using Argon2id with per-user salts. We never store or transmit plaintext passwords.
- Authentication: Sessions use JWT tokens with expiration. Third-party sign-in uses OAuth 2.0.
- Instance Isolation: Each AI instance runs in an isolated container environment with dedicated networking.
- Rate Limiting: API endpoints are protected against brute force and abuse.
- Access Control: Internal access to production systems is restricted on a need-to-know basis.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and shall not be liable for unauthorized access resulting from circumstances beyond our reasonable control.
6. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days post-deletion | Contract performance, recovery window |
| Instance configuration | Duration of account + 30 days post-deletion | Contract performance |
| Server & instance logs | Up to 30 days (rolling) | Legitimate interests (security, debugging) |
| Billing & payment records | Up to 7 years | Legal obligation (tax, accounting compliance) |
| Support communications | Up to 2 years | Legitimate interests (quality, legal defense) |
| Aggregated analytics | Indefinite (de-identified) | Legitimate interests (service improvement) |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized.
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you may:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements. We will process verified deletion requests within 30 days.
- Account Export: Request an export of your account data in a structured, machine-readable format (JSON).
7.2 Additional Rights (EEA/UK/Switzerland — GDPR)
If you are in the EEA, UK, or Switzerland, you additionally have the right to:
- Restrict Processing: Request restriction of processing in certain circumstances.
- Object to Processing: Object to processing based on legitimate interests.
- Data Portability: Receive your data in a portable format.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time (without affecting lawfulness of prior processing).
- Lodge a Complaint: File a complaint with your local data protection supervisory authority.
7.3 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Delete: Request deletion of your personal information.
- Correct: Request correction of inaccurate personal information.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- No Sale / No Sharing: We do not “sell” or “share” (as defined by the CCPA/CPRA) your personal information for cross-context behavioral advertising.
To exercise your California privacy rights, email [email protected] with the subject line “CCPA Request.” We will verify your identity before processing your request.
7.4 How to Exercise Your Rights
To exercise any of your privacy rights, contact us at [email protected]. We will verify your identity (using your account email) and respond within 30 days. If we need additional time, we will notify you of the extension and the reason.
8. Cookies & Tracking Technologies
We use only essential, strictly necessary cookies required for the operation of the Service. We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics trackers.
| Cookie / Storage | Type | Purpose | Duration |
|---|---|---|---|
| Session token (JWT) | Essential | Authentication & session management | 7 days |
| CSRF token | Essential | Cross-site request forgery protection | Session |
Because we use only strictly necessary cookies, no cookie consent banner is required under most privacy regulations. If this changes, we will update this section accordingly.
9. Children’s Privacy
The Service is not directed to, and not intended for use by, individuals under the age of 18 (or the applicable age of majority). We do not knowingly collect personal information from children under 13 (or 16 in the EEA). If we become aware that we have inadvertently collected personal data from a child, we will promptly delete it. If you believe a child has provided us with personal data, contact us at [email protected].
10. International Data Transfers
Your information is processed and stored in the United States. If you are located outside the United States, your data will be transferred to, and processed in, the United States, which may have different data protection laws than your country of residence.
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as applicable.
- The EU-U.S. Data Privacy Framework and UK Extension, to the extent applicable and certified.
- Your explicit consent to the transfer, as provided when you create your account.
We ensure that any sub-processors receiving personal data from the EEA/UK/Switzerland are bound by equivalent data protection obligations.
11. Do Not Track Signals
Our Service does not currently respond to “Do Not Track” (DNT) browser signals, as there is no universally accepted standard for DNT. However, as stated above, we do not engage in cross-site tracking or behavioral advertising.
12. Data Processing Agreement (DPA)
If you require a Data Processing Agreement for GDPR or other regulatory compliance, please contact us at [email protected] and we will provide one for execution.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least fifteen (15) days’ prior notice via email and/or a prominent notice on the Service. Non-material changes may be made without notice. Your continued use of the Service after the effective date of any change constitutes your acceptance. If you do not agree to the updated policy, you must stop using the Service.
14. Contact Information
For privacy-related inquiries, data subject access requests, or complaints:
Anonime LLC
A Delaware Limited Liability Company
Email: [email protected]
For CCPA requests, use the subject line “CCPA Request.”