SeeClaw Privacy Policy

Effective date: 17 February 2026

This Privacy Policy explains how OpenClaw (Pty) Ltd ("SeeClaw", "we", "us") collects, uses, stores, and shares personal information when you use SeeClaw services, websites, and applications (the "Services").

1. Scope

This policy applies to information processed by SeeClaw as:

• A responsible party/controller for account, billing, and service operations data.
• An operator/processor when handling user content based on your instructions.

2. Information We Collect

• Account data: name, email, credentials, account metadata.
• Operational data: diagnostics, service logs, connection and health data.
• Billing data: plan, billing cycle, and payment-related metadata via payment providers.
• Integration data: tokens and metadata for connected services such as Google APIs.
• User content: prompts, tool actions, and outputs needed to provide requested functionality.

3. How We Use Personal Information

• To provide, secure, and maintain the Services.
• To authenticate users and manage connected integrations.
• To perform user-requested actions and product features.
• To detect abuse, fraud, and security incidents.
• To meet legal obligations and enforce agreements.

4. Google API Data (OAuth Disclosure)

If you connect a Google account, SeeClaw accesses only the scopes you authorize and only for user-requested features. Current core use cases include:

• Gmail read-only access: Reading Gmail messages and labels to summarize and search mailbox data on your instruction.
• Gmail send access: Sending Gmail messages when explicitly instructed by you.
• Gmail labels access: Reading label metadata to categorize and filter email context.
• Calendar events access: Reading and creating calendar events when explicitly instructed by you.

4.1 Storage and Encryption of Google Data

Google OAuth tokens (access tokens and refresh tokens) are stored exclusively on your dedicated server instance. Tokens are encrypted at rest using AES-256-GCM with a server-specific encryption key. All communication between the SeeClaw app and your server, and between your server and Google APIs, occurs over TLS 1.2 or higher (encryption in transit).

Google API response data (such as email content or calendar events) is processed in memory on your server to fulfil your request and is not persisted to disk beyond the duration of the active session, unless explicitly saved by you (for example, in a conversation memory).

4.2 Retention and Deletion of Google Data

OAuth tokens are retained on your server while your Google account remains connected. When you disconnect Google (via the in-app disconnect button or via your Google Account permissions page at myaccount.google.com/permissions), all stored tokens are deleted from your server immediately. If your server is deprovisioned or your SeeClaw account is terminated, all data on the server — including any Google tokens — is permanently destroyed within 72 hours.

4.3 Access Controls

Google data on your server is accessible only to processes running on your dedicated server instance. SeeClaw staff do not have routine access to customer server data. Emergency access for critical security incidents requires two-person authorization and is logged. No Google user data is shared with third parties except as required to communicate with Google APIs on your behalf.

4.4 Limited Use Disclosure

SeeClaw's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google data to provide and improve the user-facing features described above.
• We do not transfer Google data to third parties except as necessary to provide user-requested features, comply with law, or as part of a merger/acquisition with equivalent privacy protections.
• We do not use Google data for serving advertisements.
• We do not allow humans to read Google data except with your explicit consent, for security investigations, to comply with law, or where data is aggregated and anonymized for internal operations.

We do not sell Google user data. We do not use Google Workspace API data to develop, improve, or train generalized AI or ML models.

5. Legal Bases (Including POPIA)

Where applicable, we process personal information based on one or more of the following:

• Your consent (for example, connecting Google OAuth scopes).
• Performance of a contract (providing your purchased/used services).
• Legitimate interests (security, reliability, fraud prevention, product operations).
• Compliance with legal obligations.

6. Cross-Border Transfers

SeeClaw may process data in jurisdictions outside South Africa through infrastructure and subprocessors. For transfers from South Africa, we apply safeguards aligned with POPIA section 72 and equivalent protections where required. For users in other regions (for example, EEA/UK), we use appropriate transfer mechanisms where legally required.

7. Data Retention

• Account data (name, email, hashed password): retained while your account is active. Deleted within 30 days of account termination upon request.
• Google OAuth tokens: retained on your dedicated server while connected. Deleted immediately upon disconnect or account termination. Server destruction occurs within 72 hours of deprovisioning.
• Operational logs: retained for up to 90 days for security and debugging, then automatically purged.
• Billing data: retained as required by applicable tax and accounting law (typically 5-7 years).
• User content (conversations, memories): stored on your dedicated server and deleted when you clear them or when your server is deprovisioned.

8. Sharing and Subprocessors

We may share data with:

• Infrastructure and hosting providers.
• Payment processors and essential service providers.
• Integration providers where authorized by you (for example, Google APIs).
• Authorities where required by law.

We require service providers to process data under confidentiality and security obligations.

9. Security

We use technical and organizational safeguards designed to protect personal information, including:

• TLS 1.2+ for all data in transit between client, server, and third-party APIs.
• AES-256-GCM encryption at rest for sensitive credentials (OAuth tokens, API keys).
• Dedicated per-user server instances with isolated storage.
• JWT-based authentication with bcrypt-hashed passwords.
• Rate limiting on authentication and OAuth endpoints.

No method of transmission or storage is perfectly secure, but we apply security controls proportionate to risk.

10. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access your personal information.
• Request correction or deletion.
• Object to or restrict certain processing.
• Withdraw consent where processing relies on consent.
• Lodge a complaint with a supervisory authority.

South Africa users can also raise concerns with the Information Regulator (South Africa), where applicable.

11. Children

The Services are not directed to children under 18, and we do not knowingly collect children's personal information for standalone consumer use.

12. Changes to This Policy

We may update this policy periodically. We will publish the updated version with a new effective date and provide additional notice where required.

13. Contact and Data Protection Queries

OpenClaw (Pty) Ltd
Email: privacy@seeclaw.ai
Legal: legal@seeclaw.ai