Privacy Policy
Last updated: May 10, 2026 (v4)
This Privacy Policy explains how Clawless ("Clawless", "we", "us") collects, uses, stores, and protects information when you use our service. Clawless is an AI assistant accessible through WhatsApp and Telegram. The service domain is myclawless.com. The customer-facing channel is the Clawless bot — for privacy questions or data-subject requests, message the bot from the WhatsApp or Telegram account on file. The support@myclawless.com address is monitored for regulator and security disclosures.
1. Information We Collect
From your messaging app (WhatsApp or Telegram):
- Phone number (WhatsApp) or Telegram user ID — used as your stable identity
- Display name as visible on the messaging app
- Message content you send (text, voice notes, images, files) and the bot's responses
- Timestamps and message-level metadata used to enforce per-tier rate limits
From your subscription:
- PayPal subscription identifier and billing-period boundaries returned by PayPal
- The last 4 characters of the email address on your PayPal account (used as a self-service confirmation challenge on the Manage page; we never store the full email)
From connected Google accounts (only if you choose to connect):
- An OAuth refresh token issued by Google, encrypted at the application layer with a key unique to your account
- Read/write access to the specific Google data covered by the scopes you authorize (see Section 3)
Cookies on the website (myclawless.com):
- An HttpOnly session cookie, set after WhatsApp-OTP login on the Manage page, used only to authenticate your subscription-management actions
- If you accept the cookie banner, Microsoft Clarity sets analytics cookies; you can decline via "Essential Only"
2. How We Use Your Data
- To deliver the AI assistant — process messages, run agent tasks, return responses
- To maintain conversation memory so the assistant has continuity across sessions
- To enforce subscription tier limits centrally (token + cost ledger; the assistant cannot exceed your tier's cap)
- To process payments, manage subscriptions, and handle cancellations through PayPal
- To call Google APIs on your behalf, but only the scopes you authorize (see Section 3)
- To send transactional notifications about your account (e.g. payment failure, subscription cancelled, account terminated) via WhatsApp message templates approved by Meta
- To meet legal, security, and audit obligations (e.g., responding to lawful requests, investigating abuse)
We do not sell your data. We do not use your conversation content or your Google data to serve advertising or for any advertising purpose. We do not use your data to train any AI model.
3. Connected Google Accounts & Google API Services
Clawless can optionally connect to your Google account so the assistant can read or write specific data on your behalf. You initiate this connection through Google's standard OAuth consent screen, which lists the exact scopes Clawless is requesting. You can revoke at any time.
Scopes Clawless may request (only when you authorize them):
| Scope | What it grants |
|---|---|
| .../auth/calendar.readonly | Read your calendar events so the assistant can answer questions like "what's on my calendar today?" |
| .../auth/calendar.events | Read and write your calendar events when you ask the assistant to schedule, reschedule, or cancel meetings |
| .../auth/calendar.app.created | Create a single secondary calendar named "Clawless" inside your Google account; the assistant can only manage events it created in this calendar — it cannot access your other calendars |
| .../auth/gmail.readonly | Read your Gmail messages when you ask the assistant to summarize or search your inbox |
| .../auth/gmail.send | Send Gmail messages on your behalf when you instruct the assistant to draft and send mail |
| .../auth/gmail.modify | Read, send, and modify mail labels — used when you ask the assistant to triage your inbox (e.g., archive, label). We do not permanently delete mail. |
Limited Use of Google User Data.
Clawless's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve user-facing features that are prominent in the Clawless assistant — namely, the calendar and email features the user explicitly invokes by message.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable laws, or as part of a merger or acquisition (subject to prior user consent).
- We do not use Google user data for serving advertisements, including retargeted, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or for internal operations with the data first de-identified or aggregated.
How your Google credentials are stored.
Your Google OAuth refresh token is encrypted at the application layer with a per-account encryption key managed by Google Cloud KMS. The encryption key for your account is gated by an IAM condition bound to the hashed identifier of your phone number, so the key can only be used while processing your own requests. We never store your Google account password.
Revoking access: you can revoke the Clawless connection at any time at myaccount.google.com/permissions, or by messaging the bot "disconnect google", or by deleting your Clawless account (which destroys the per-account key — see Section 7). Once revoked, Clawless can no longer call Google APIs on your behalf.
4. WhatsApp Business Solution Data
We use the WhatsApp Business Platform (Meta Cloud API) to receive and send messages. Meta is the hosting provider for WhatsApp messages and processes them subject to Meta's WhatsApp Privacy Policy and the WhatsApp Business Solution Terms.
- By sending the first message to the Clawless WhatsApp number, you opt in to receive messages from Clawless on WhatsApp.
- We send transactional messages (e.g. payment failed, subscription cancelled, login OTP) only via Meta-approved templates.
- You can opt out at any time by messaging "stop"; this stops all bot-initiated messages and is not reversed by future messages from us.
- Message content received via WhatsApp is processed by Clawless servers under this Privacy Policy.
5. Payment Processing
Subscription payments are processed by PayPal. PayPal collects and processes your payment information directly — Clawless never sees or stores your full card or bank details. PayPal's handling of your payment data is governed by their Privacy Policy. We retain only the PayPal subscription identifier, the billing-period start/end dates, and the last 4 characters of the email on your PayPal account (used as a self-service deletion challenge).
6. Data Storage & Security
Clawless runs on Google Cloud Platform. Your data is stored as follows:
- Conversation history and assistant memory: on a per-user virtual machine in the EU or US (selected by your phone country code) hosted by Contabo. Conversation files are encrypted at rest with a per-user data-encryption key wrapped by your account's KMS key.
- Subscription state, identity records, and audit metadata: in Google Cloud Firestore (Native mode) and Google Cloud Logging, encrypted at rest by Google.
- OAuth refresh tokens: in Google Secret Manager, with an additional application-layer envelope encryption using your account's KMS key.
- Cryptographic keys: in Google Cloud KMS. Your account's KMS key is unique to your account and gated by an IAM condition bound to the hash of your phone number.
All data in transit is protected with TLS. Production access to user-data systems is restricted to a small set of administrative service accounts; routine engineering work uses no-PII tooling and audit logs of every privileged access are written to a separate, append-only audit project.
7. Account Deletion & Cryptographic Shredding
You can delete your Clawless account at any time. Identity is verified by control of the phone number on the account — Clawless does not store or rely on a customer email address. The two deletion paths are:
- From the Manage page (myclawless.com/manage) by completing the WhatsApp-OTP login and clicking Delete account.
- By messaging the Clawless bot "delete my account" from the WhatsApp / Telegram account on file.
On account deletion we cancel any active PayPal subscription, then irrevocably destroy the KMS encryption key unique to your account. Once that key is destroyed, all data encrypted with it (conversation history, memory, OAuth refresh tokens, workspace files) becomes cryptographically inaccessible — this is sometimes called "crypto-shredding". The per-user virtual machine is then torn down. We target completion within 24 hours of receiving the request; in practice it normally completes within minutes.
After deletion, residual non-personal records may persist for legal and accounting reasons (e.g., the fact that a subscription existed and the dates it was active), but no message content, no Google user data, and no OAuth tokens remain.
8. Data Retention
- Conversation history and assistant memory: retained for as long as you have an active account, then destroyed via the deletion process above.
- Google API data we cache temporarily (e.g., calendar events fetched to answer a question): held in process memory for the duration of a single request, not persisted beyond what is required to deliver your answer.
- OAuth refresh tokens: retained for as long as the connection is active; revoked and destroyed on disconnect or account deletion.
- Audit logs and security telemetry: retained up to 90 days for security investigation, then auto-deleted.
- Subscription / payment records: retained as required by tax and accounting law, typically 7 years.
9. Third-Party Sub-processors
We share the minimum data necessary with the following sub-processors so they can deliver their part of the service:
- Google Cloud Platform — infrastructure hosting, Firestore, KMS, Secret Manager, Logging, Cloud Run.
- Meta (WhatsApp Business Platform) — message transport between you and Clawless.
- Telegram — message transport for users who prefer Telegram.
- Contabo — host of the per-user virtual machine where your conversation runs (EU or US data center).
- PayPal — payment and subscription management.
- AI model providers (Anthropic, xAI, Google) — message content is sent for inference. Each provider's enterprise terms with us prohibit using your data for model training.
- Microsoft Clarity — anonymous website analytics on myclawless.com (only when you accept the cookie banner).
10. International Data Transfers
Your per-user virtual machine is hosted in the EU or US, selected automatically by your phone country code. Other infrastructure (Firestore, KMS, audit logs) is in EU regions. AI model providers may process data in the US or EU. We rely on Standard Contractual Clauses, where applicable, for transfers between jurisdictions.
11. Your Rights
Subject to applicable data-protection law in your jurisdiction (e.g., GDPR in the EU/EEA, UK GDPR, CCPA in California), you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (see Section 7)
- Export your conversation history
- Object to or restrict processing of your data
- Withdraw consent at any time by stopping use of the service or revoking specific permissions
- Lodge a complaint with a supervisory authority
To exercise any of these rights, message the Clawless bot from the WhatsApp / Telegram account on file (which proves control of the phone number — our identity primitive). The operator monitors the support@myclawless.com address for regulator and security disclosures, but customer-account actions (access, export, deletion) are handled through the phone-number channel.
12. Children's Privacy
Clawless is not directed at children under 13 (or 16 in jurisdictions where that is the digital-consent age). We do not knowingly collect personal information from children below those ages. If you believe we have received such data, contact us and we will delete it.
13. Security Disclosure
Clawless follows defense-in-depth practices: per-user encryption keys, central enforcement of usage limits, cryptographic shredding for deletion, IAM-conditional access to user data, and append-only audit logging in a separate Google Cloud project. If you believe you have found a security vulnerability, please email support@myclawless.com with details.
14. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated by updating the "Last updated" date and, where required by law, by direct notice to active users. Continued use of the service after changes take effect constitutes acceptance of the updated Policy.
15. Contact
For privacy questions, data-subject requests, or security disclosures, contact support@myclawless.com.