Privacy Policy

Effective: March 11, 2026

1. Controller

The controller responsible for data processing on this website is:

Allonsy GmbH
Haldesdorfer Str. 14, 22179 Hamburg, Germany
Managing Director: Hendrik Kleinwaechter
HRB 149247, Amtsgericht Hamburg
Email: datenschutz@clawy.io

2. Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Email address
  • Username
  • Hashed password (bcrypt — we never store plaintext passwords)

Server Logs

  • IP address
  • Timestamps of requests
  • HTTP method and requested URL
  • Browser user agent string

VM Metadata

  • Resource usage statistics (CPU, memory, disk)
  • VM state and configuration metadata

Payment Data

  • Payment method details (processed by Stripe — we do not store card numbers)
  • Billing address
  • Transaction history and invoices
  • Subscription status

AI Interaction Data

  • Prompts and messages sent to AI agents (processed by third-party AI providers)
  • AI-generated responses (stored temporarily for session continuity)

Data We Do NOT Collect

We do not access, monitor, or process any data stored or processed inside your virtual machines. Your VM is your private environment.

3. Legal Basis for Processing

We process your personal data on the following legal bases under Art. 6(1) GDPR:

  • Contract performance (Art. 6(1)(b)): Account data is necessary to provide the service you registered for
  • Legitimate interest (Art. 6(1)(f)): Server logs are processed for security, abuse prevention, and service stability
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data by law (e.g., tax or commercial regulations)

4. Automated Decision-Making and Profiling (Art. 22 GDPR)

Clawy uses third-party AI models (such as Anthropic Claude and OpenAI) to process user prompts and generate responses. This constitutes automated processing of your data.

However, this processing does not constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. AI-generated responses are informational and do not produce legal effects or similarly significant consequences for you.

If you have questions about how your data is processed by AI models, contact us at datenschutz@clawy.io.

5. Cookies

Clawy uses a single session cookie that is strictly necessary for the functioning of the service (authentication). This cookie is essential and does not require consent under Art. 5(3) of the ePrivacy Directive. We do not use any tracking, analytics, or advertising cookies.

6. Data Retention

  • Account data: Retained until you delete your account
  • Server logs: Automatically deleted after 90 days
  • VM metadata: Deleted 30 days after VM or account deletion
  • Billing data: Invoices and transaction records retained for 10 years as required by German tax law (§147 AO, §257 HGB)

7. Sub-processors

We use the following sub-processors to provide the service:

Sub-processor Purpose Location
Hetzner Online GmbH Infrastructure hosting (dedicated servers) Germany
Let's Encrypt / ZeroSSL TLS certificate issuance EU / USA*
Stripe, Inc. Payment processing USA*
Anthropic PBC AI model provider USA*
OpenAI, Inc. AI model provider USA*
OpenRouter, Inc. AI model routing USA*

* Data transfers to the USA are covered by the EU-U.S. Data Privacy Framework adequacy decision (July 2023) and/or Standard Contractual Clauses (SCCs).

8. International Data Transfers

Personal data storage (accounts, VM metadata) remains in Germany on Hetzner infrastructure.

Payment processing (Stripe) and AI model processing (Anthropic, OpenAI, OpenRouter) involve data transfers to the United States. These transfers are protected by:

  • The EU-U.S. Data Privacy Framework adequacy decision (European Commission, July 2023)
  • Standard Contractual Clauses (SCCs) as an additional safeguard

9. Payment Processing

We use Stripe, Inc. for payment processing. When you subscribe to Clawy, your payment details are transmitted directly to Stripe via their secure payment form. We do not store credit card numbers or full payment method details on our servers.

Stripe processes your payment data as an independent data controller for fraud prevention and compliance purposes, and as our data processor for transaction processing. Stripe's privacy policy applies to their handling of your data.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation and a copy of data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your personal data
  • Right to restriction (Art. 18): Request restriction of processing
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest

To exercise any of these rights, contact us at datenschutz@clawy.io.

11. Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. Our competent authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg
Phone: +49 40 428 54-4040
Email: mailbox@datenschutz.hamburg.de
Website: datenschutz-hamburg.de

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notice. The current version is always available at this URL.