Privacy Policy

1. Introduction

Clawnify ("Clawnify", "we", "us", or "our"), based in Amsterdam, the Netherlands, provides a managed platform that provisions AI agents with messaging and browser capabilities, along with an App Builder for generating and hosting web applications (collectively, the "Services").

This Privacy Policy ("Policy") explains how we collect, use, disclose, and protect personal data when you use our website at clawnify.com, our dashboard, API, and all related services. All personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection law.

Clawnify acts as the data controller for the personal data described in this Policy. For questions about this Policy or requests regarding your personal data, please contact us at privacy@clawnify.com.

2. Personal Data We Collect

2.1 Information You Provide

• Account information. When you sign up via Google OAuth, we receive your name, email address, and profile picture from Google. We also store your account preferences and configuration settings.
• Payment information. When you subscribe, payment details are collected and processed directly by our payment processor (Stripe). We do not store full payment card details — only the last 4 digits, card type, and billing country for record-keeping.
• Communications. When you contact us via email, chat, or support channels, we collect the content of your communications and any information you choose to provide.
• Agent configuration. Instructions, settings, and preferences you provide for your AI agent, including messaging channel configurations, agent personality settings, and API keys you supply.
• Content and inputs. Text, files, images, instructions, and other content you provide to the Services or through your AI agent, as well as content generated by your AI agent at your direction (messages, web applications, etc.).

2.2 Information Collected Automatically

• Device and browser data. IP address, browser type and version, operating system, device type, screen resolution, language settings, and unique device identifiers.
• Usage data. Pages visited, features used, time spent on pages, click paths, search queries, and interactions with the dashboard and Services.
• Server instance data. Resource usage metrics of your provisioned server instance (CPU, memory, disk, network), instance status, uptime, and system logs necessary to operate and maintain the Services.
• Location data. Approximate geographic location derived from your IP address, used for service delivery (server region selection) and compliance purposes.

2.3 Information from Third Parties

• Google OAuth. When you sign in with Google, we receive your name, email address, and profile picture as authorized by your Google account settings.
• Payment processor. Stripe may provide us with transaction status, payment confirmations, and limited billing details.

3. How We Use Your Personal Data

We use your personal data for the following purposes, each with a corresponding legal basis under the GDPR:

4. AI Agent Data Processing

Your AI agent operates on a dedicated server instance and may process data on your behalf, including:

• Messages sent and received via WhatsApp, Telegram, and Slack.
• Web browsing activity performed by the agent on your instructions.
• Content generated by the agent, including web applications and their associated data (stored in per-app databases).

Your agent's interactions with third-party AI model providers (such as Anthropic) involve transmitting your input to those providers for processing. These providers process data according to their own privacy policies. We select providers that offer contractual commitments regarding data handling, but we encourage you to review their policies.

We do not use the content of your agent's conversations or your inputs to train AI models. Content processed by your agent is used solely to provide the Services to you.

5. Google Workspace Integration

The Services may allow your AI agent to connect to your Google Workspace account (including Gmail, Google Calendar, Google Drive, Google Contacts, Google Sheets, Google Docs, and Google Tasks) to perform actions on your behalf. This integration is optional and requires your explicit authorization via Google's OAuth 2.0 consent flow.

5.1 Data We Access

When you authorize Google Workspace access, your AI agent may access and process the following data depending on the permissions you grant:

• Gmail. Read, compose, send, and manage email messages and drafts. Manage labels and email settings.
• Google Calendar. Read, create, modify, and delete calendar events.
• Google Drive. Read, create, modify, and organize files and folders.
• Google Contacts. Read and manage your contacts.
• Google Sheets, Docs, and Slides. Read, create, and modify spreadsheets, documents, and presentations.
• Google Tasks. Read, create, and manage tasks.

5.2 How We Use Google Workspace Data

Google Workspace data is accessed and processed solely to provide the Services you have requested, specifically to allow your AI agent to perform tasks in your Google Workspace on your behalf. We use this data only as follows:

• To execute actions you or your AI agent initiate (e.g., drafting an email, creating a calendar event, reading a document).
• To display relevant information to your AI agent so it can assist you effectively.

We do not:

• Use Google Workspace data for advertising, marketing, or profiling purposes.
• Sell, rent, or share Google Workspace data with third parties, except as strictly necessary to provide the Services (e.g., transmitting your instructions to AI model providers for processing).
• Use Google Workspace data to train AI models or for any purpose unrelated to providing the Services to you.
• Allow any human to read your Google Workspace data, except (a) with your explicit consent, (b) as required by law, or (c) for security purposes such as investigating abuse.

5.3 Data Storage and Security

Google Workspace data is processed on your dedicated server instance and is not stored persistently by Clawnify beyond the duration needed to complete the requested action. OAuth authentication tokens are encrypted and stored locally on your dedicated server instance. Clawnify does not have centralized access to your Google Workspace authentication tokens.

5.4 Revoking Access

You can revoke Clawnify's access to your Google Workspace data at any time by visiting your Google Account permissions page. Revoking access will immediately prevent your AI agent from accessing Google Workspace services. Stored authentication tokens on your server instance will become invalid.

5.5 Compliance with Google API Services User Data Policy

Clawnify's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6. User Apps and Data Processing

When your AI agent creates web applications ("User Apps") through the App Builder, those applications may collect and process personal data from their end users. In this context:

• You are the data controller for any personal data collected by your User Apps. You are responsible for providing a privacy policy to your end users, obtaining any required consent, and complying with applicable data protection laws.
• Clawnify acts as a data processor for personal data stored in User App databases (D1) and hosted on our infrastructure. We process this data solely on your behalf and according to your instructions (as implemented through the Services).
• If you require a Data Processing Agreement (DPA), please contact us at privacy@clawnify.com.

7. Who We Share Your Data With

We may share your personal data with the following categories of recipients:

• Infrastructure providers. Hetzner (server provisioning, Germany/Finland), Cloudflare (CDN, edge computing, global), and Supabase (authentication, database, US/EU) for operating the Services.
• AI model providers. Anthropic and other AI providers accessed via OpenRouter, for processing your agent's AI requests.
• Payment processor. Stripe, for processing subscription payments.
• Messaging platforms. WhatsApp (Meta), Telegram, and Slack, to the extent necessary for your agent's messaging channel integrations.
• Legal and compliance. Law enforcement, government authorities, or other parties when required by law, legal process, or to protect our rights, safety, or property.
• Business transfers. In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity.

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

8. International Data Transfers

Clawnify is based in the Netherlands (EU). Some of our infrastructure providers and sub-processors operate in countries outside the European Economic Area (EEA), including the United States. When we transfer personal data outside the EEA, we ensure an adequate level of protection through one of the following mechanisms:

• Transfers to countries recognized by the European Commission as providing adequate protection (adequacy decisions under Art. 45 GDPR).
• Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR).
• Other appropriate safeguards as permitted by the GDPR.

You may request information about the specific safeguards applied to transfers of your data by contacting us at privacy@clawnify.com.

9. Cookies and Tracking

We use cookies and similar technologies to operate the Services, maintain your session, remember your preferences, and understand how you use the platform. The cookies we use include:

• Essential cookies. Required for authentication, session management, and security (e.g., Supabase auth tokens, tunnel authentication cookies). These cannot be disabled.
• Analytics cookies. Used to understand how users interact with the Services and to improve the platform. These are only set with your consent.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Services.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by law. Specifically:

• Account data is retained for as long as your account is active and for a reasonable period thereafter to allow for reactivation or to comply with legal obligations.
• Server instance data (logs, metrics) is retained for up to 30 days after your instance is terminated.
• User App data (source code, databases) is deleted when the app is deleted or your account is terminated.
• Payment and billing records are retained for the period required by Dutch tax and accounting law (currently 7 years).
• Communications (support tickets, emails) are retained for up to 2 years after your last interaction.

Upon account termination, we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law or necessary to protect our legitimate interests (e.g., fraud prevention, dispute resolution).

11. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete personal data.
• Right to erasure — Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to restrict processing — Request that we limit how we use your data in certain circumstances.
• Right to data portability — Receive your personal data in a structured, machine-readable format or request transfer to another controller.
• Right to object — Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@clawnify.com. We will respond within 30 days. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.

12. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include encryption in transit (TLS/HTTPS), access controls, isolated server instances per customer, and regular security reviews. Despite our efforts, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. Children

The Services are not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

14. Third-Party Services

The Services may contain links to or integrate with third-party websites and services. This Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access, including:

• Google (authentication, Workspace integration): policies.google.com/privacy
• Stripe (payments): stripe.com/privacy
• Anthropic (AI): anthropic.com/privacy
• Hetzner (infrastructure): hetzner.com/legal/privacy-policy
• Cloudflare (infrastructure): cloudflare.com/privacypolicy

15. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes by email or by posting a notice on the Services. The "Last updated" date at the top indicates when the latest revision was made. Continued use of the Services after changes become effective constitutes acceptance of the updated Policy.

16. Contact

For any questions, requests, or complaints regarding this Policy or our data processing practices, please contact us:

• Email: privacy@clawnify.com
• Location: Amsterdam, the Netherlands

We aim to resolve all complaints directly. If you are not satisfied with our response, you may contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.