Privacy Policy
Last updated: February 14, 2026
1. Data Controller
OpenClaw Cloud is operated by:
OpenClaw
Contact: privacy@openclaw.you
For GDPR inquiries, contact our data protection team at privacy@openclaw.you.
2. Data We Collect
2.1 Account Data
- Email address — Required to create your account and send service communications
- Name — Optional, used for personalization
- Payment information — Processed by Polar.sh; we do not store credit card numbers
2.2 Service Data
- OpenClaw instance data — Your conversations, files, and configurations stored on your dedicated server
- API usage logs — Token counts for billing; no conversation content
- Server logs — Technical logs for debugging and security (IP addresses, timestamps)
2.3 Website Analytics
- Microsoft Clarity — Session recordings and heatmaps for UX improvement
- Google Ads — Conversion tracking for advertising
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & service provision | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Service communications (updates, security) | Legitimate interest (Art. 6(1)(f)) |
| Analytics & UX improvement | Consent (Art. 6(1)(a)) |
| Advertising conversion tracking | Consent (Art. 6(1)(a)) |
| Tax & legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| OpenClaw instance data | Duration of subscription + 7 days after cancellation |
| Billing records | 7 years (per AO §147 / German tax law) |
| Server logs | 90 days |
| Support communications | 2 years after resolution |
5. Data Recipients & Subprocessors
We share data only with the service providers necessary to operate OpenClaw Cloud. See our complete Subprocessor List.
Key subprocessors:
- Hetzner Online GmbH (Germany) — Server infrastructure
- Polar.sh (EU) — Payment processing
- Cloudflare (USA, EU SCCs) — CDN & DDoS protection
- OpenRouter (USA) — AI API routing (only if using credits)
6. International Transfers
Your OpenClaw instance data is stored exclusively in Germany (Hetzner, Nuremberg). It never leaves the EU.
Some service providers (Cloudflare, OpenRouter) are US-based. We ensure appropriate safeguards via:
- EU Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework (where applicable)
7. Your Rights (GDPR Articles 15–22)
You have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion ("right to be forgotten")
- Restriction — Limit how we process your data
- Portability — Receive your data in a portable format
- Object — Object to processing based on legitimate interest
- Withdraw consent — Revoke consent at any time
To exercise these rights, email privacy@openclaw.you. We respond within 30 days.
8. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Our lead authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
lda.bayern.de
poststelle@lda.bayern.de
9. Security
- All connections use TLS 1.3 encryption
- Server disks are encrypted at rest
- Each customer has a dedicated, isolated server
- Daily encrypted backups stored in German data centers
10. Cookies
We use cookies for:
- Essential — Authentication, security (no consent required)
- Analytics — Microsoft Clarity for UX improvement (consent required)
- Advertising — Google Ads conversion tracking (consent required)
You can manage cookie preferences through your browser settings.
11. Changes to This Policy
We may update this policy. Significant changes will be communicated via email. The "last updated" date at the top indicates the most recent revision.
12. Contact
For privacy questions:
privacy@openclaw.you