Privacy Policy

Last updated: February 2026

1. What We Collect

RunClaw collects the minimum data necessary to operate the platform and manage your AI agent infrastructure:

  • Email address -- for authentication and account communications
  • Stripe customer ID -- for billing management (Stripe stores payment details, not us)
  • Hetzner API token (encrypted) -- for BYOH (Bring Your Own Hetzner) provisioning only, stored with AES-256-GCM encryption
  • LLM API keys (encrypted, temporary) -- encrypted in transit, injected into your VPS during setup, then permanently deleted from our database
  • VPS metadata -- server type, region, status, domain, and display name
  • System metrics (30-day retention) -- CPU, memory, and disk usage collected by the open-source sidecar agent
  • Security events -- failed SSH attempts and firewall blocks, collected by the sidecar for your security dashboard

2. What We Don't Collect

RunClaw is designed around a zero-knowledge architecture. We explicitly do not collect:

  • Your AI agent conversations or chat history
  • Your agent's memory, context, or learned data
  • Files stored on your VPS
  • Your browsing or usage patterns (we use no analytics cookies)
  • Payment card details (handled entirely by Stripe's PCI-compliant infrastructure)

3. Where Data Lives

Your data is stored in the following locations:

  • RunClaw platform database -- EU-hosted (Hetzner, Germany). Contains account data, subscription info, and VPS metadata.
  • Your VPS -- located in the region you choose (Hetzner Germany or Finland, or your own provider). Contains your agent, its data, and all conversations.
  • Stripe -- PCI-compliant payment processing. Stores billing history and payment methods.
  • Cloudflare -- DNS records only. We do not use Cloudflare proxying or analytics.
  • Resend -- transactional email delivery for account notifications.

4. Zero-Knowledge Architecture

RunClaw is built so that we cannot access your server or data after initial setup. This is not a policy choice -- it is an architectural guarantee:

  • Admin SSH keys are deleted -- our setup keys are automatically removed from your VPS after provisioning completes
  • LLM keys are encrypted then deleted -- your API keys are encrypted, injected into your VPS configuration, and then permanently deleted from our database
  • No persistent server access -- after setup, only you have SSH access to your VPS
  • Open-source provisioning scripts -- every script that runs on your server is publicly available for you to audit

5. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access -- view your data through your RunClaw dashboard
  • Right to Data Portability -- export all your platform data as JSON from your account settings
  • Right to Erasure -- delete your account and all associated data from our systems
  • VPS Data Control -- data on your VPS is already under your exclusive control. We cannot access it.

6. Data Retention

  • System metrics -- 30-day automatic retention via TimescaleDB. Older metrics are automatically purged.
  • Security events -- retained while your account is active, deleted upon account deletion.
  • Account data -- deleted from our systems upon your account deletion request.
  • Stripe billing history -- retained by Stripe per their privacy policy for tax and invoicing compliance.

7. Cookies

RunClaw uses a single session cookie provided by our authentication system (BetterAuth). This cookie is strictly necessary for authentication and cannot be used for tracking.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. No cookie consent banner is required because we do not perform any cookie-based tracking.

8. Third-Party Services

RunClaw integrates with the following third-party services, each with their own privacy policies:

  • Hetzner -- VPS infrastructure provider (EU data centers)
  • Stripe -- payment processing
  • Cloudflare -- DNS management (no proxying or analytics)
  • Resend -- transactional email delivery

9. Contact

For privacy-related inquiries, data access requests, or to exercise any of your GDPR rights, contact us at: privacy@runclaw.run

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices or legal requirements. When we make material changes, we will notify registered users via email and update the "Last updated" date at the top of this page.