Privacy Policy
Effective date: March 17, 2026 · Last updated: March 23, 2026
MemoryClaw ("we," "us," or "the Service") provides encrypted cloud backup for OpenClaw AI CLI tool configurations. MemoryClaw is owned and operated by NGSRV, LLC. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
The Service may evolve over time. Our features, infrastructure, and service providers may change, and we may update this Privacy Policy accordingly. Where legally required, we will provide notice of material privacy changes as described below.
By using MemoryClaw, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service immediately.
1. Information We Collect
Email address. Collected at registration to identify your account, send transactional messages (password resets, billing receipts, account notices), and communicate important service updates.
Password hash. Your password is hashed using bcrypt before storage. We never store, transmit, or log your plaintext password. The bcrypt hash is a one-way cryptographic transformation that cannot be reversed to recover the original password.
Backup metadata. When you back up your OpenClaw configuration, we record metadata including backup timestamps, backup size, number of backups performed, storage consumed, and the version identifier of each backup. This metadata is necessary for enforcing plan limits, displaying backup history, and providing the Service.
Google Sign-In. If you register or log in using Google Sign-In, we receive your Google user ID and profile name from Google. We use this information solely to create and authenticate your MemoryClaw account. We do not access your Google contacts, Gmail, Drive, or any other Google service data.
Device information. We collect device identifiers used during authentication to manage authorized sessions and detect unauthorized access attempts.
Server logs. Our servers automatically record limited information about each request, including IP address, timestamp, request method, endpoint path, and HTTP status code. These logs are used exclusively for security monitoring, debugging, and abuse prevention.
Rate limiting data. IP addresses are temporarily tracked in volatile server memory for the purpose of enforcing API rate limits and preventing abuse. This data is not persisted to any database or long-term storage and is automatically discarded when the rate limit window expires or the server process restarts.
Payment information. If you subscribe to a paid plan, payment is processed entirely by Stripe. We do not receive or store your full credit card number, CVV, or billing address. Stripe provides us with a limited set of billing details (last four digits, card brand, expiration date, and billing email) to display subscription status and manage your plan.
2. What We Do NOT Have Access To
MemoryClaw is built on a zero-knowledge architecture. This means there are categories of data that we structurally cannot access, even if compelled by legal process or in the event of a server breach:
- Your encryption passphrase. Your passphrase is never transmitted to our servers. It is used exclusively on your local device to derive the encryption key. If you lose your passphrase, we cannot recover it or your data.
- Unencrypted backup contents. All backup data is encrypted client-side using AES-256-GCM before it leaves your device. We store only the resulting encrypted blobs. We cannot read, inspect, decrypt, or otherwise access the contents of your backups.
- Your plaintext password. We store only the bcrypt hash of your password. The hashing is performed server-side upon receipt, and the plaintext value is never written to disk, logged, or retained in memory beyond the authentication request lifecycle.
This design ensures that a compromise of our infrastructure does not expose your sensitive configuration data or credentials.
3. How We Use Your Information
We use the information we collect strictly for the following purposes:
- Service operation. To provide, maintain, and improve the Service, including authenticating your identity, authorizing access, enforcing plan limits (backup counts, storage quotas), and delivering your encrypted backups on demand.
- Billing and subscriptions. To process payments, manage subscription lifecycle (upgrades, downgrades, cancellations), and issue receipts through Stripe.
- Transactional communications. To send essential emails including a one-time welcome email upon registration, account verification, email change verification, password resets, billing receipts, plan change confirmations, and data deletion notices. We do not send marketing emails, newsletters, or promotional content.
- Security and abuse prevention. To detect and prevent fraud, unauthorized access, API abuse, and other security incidents through rate limiting, log analysis, and anomaly detection.
- Legal compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do NOT sell, rent, lease, or trade your personal information to any third party. We do not use your encrypted backup data for any purpose other than storing it and returning it to you upon authenticated request.
4. Third-Party Services
We share limited information with third-party service providers solely to operate the Service. Our providers may change over time (for example, we may switch infrastructure, email delivery, or payment processors). When we make material changes to the third parties that process your personal information, we will update this section and, where required, provide notice as described in Section 12.
Current providers include:
- Stripe — processes all payment transactions for paid subscriptions. Stripe receives your payment details directly; we never handle or store full card numbers. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.
- Google Cloud Platform (GCP) — Cloud Storage — stores your encrypted backup blobs. Cloud Storage provides infrastructure-level encryption at rest on top of the client-side encryption already applied to your data.
- Google Cloud Platform (GCP) — Firestore — stores account information, backup metadata, and subscription records. Data is encrypted at rest by Google Cloud.
- Google — provides authentication via Google Sign-In (OAuth 2.0). When you choose to sign in with Google, Google transmits your user ID, profile name, and profile picture URL to us. We store this information to create and authenticate your MemoryClaw account and to display your profile picture within the Service. Google's handling of your data is governed by the Google Privacy Policy.
- Cloudflare — provides bot detection via Cloudflare Turnstile on login and registration forms. Turnstile may collect browser telemetry and interaction data to distinguish human users from automated bots. No personal information is shared with Cloudflare beyond what is necessary for this verification. Cloudflare's handling of your data is governed by the Cloudflare Privacy Policy.
- Gmail (Google) — processes transactional emails (password resets, account notices) via SMTP relay. Email content is transmitted through Google's infrastructure for delivery. Google's handling of this data is governed by the Google Privacy Policy.
- Namecheap Private Email — hosts our contact email inbox (info@memoryclaw.ai). Inbound messages you send to this address are stored and processed by Namecheap's email infrastructure. Namecheap's handling of this data is governed by the Namecheap Privacy Policy.
We do not use any advertising networks, analytics trackers, or data brokers. We do not embed third-party scripts that collect user behavior data. We do not share your encrypted backup data with any third party.
We may disclose account information if required by law, subpoena, court order, or valid legal process, but only to the minimum extent necessary.
5. Data Retention and Deletion
Active accounts. We retain your account information and encrypted backup data for as long as your account remains active. Your data persists across billing cycles and plan changes.
Inactive free accounts. If a free-tier account has had no backup activity for 12 consecutive months, we may schedule it for deletion. Before any deletion occurs, we will send a 30-day advance notice to your registered email address, giving you the opportunity to log in and retain your account.
Account deletion. You may delete your account at any time from your dashboard settings or by contacting us. Account deletion is immediate and irreversible. When you delete your account:
- Your encrypted backup blobs are permanently removed from Google Cloud Storage.
- Your account information (email, hashed password) is permanently erased from our database.
- All backup metadata and usage records associated with your account are deleted.
- Because of our zero-knowledge architecture, we cannot restore any data once deleted.
Claw deletion metadata. When a claw (device) is deleted, minimal metadata markers are retained for rate limiting and re-registration prevention. These markers contain no backup data or personal content. They persist until account deletion, at which point all user data is permanently removed.
Server logs. Retained for as long as reasonably necessary for security monitoring, debugging, and abuse prevention. Log retention periods may vary based on infrastructure configuration.
Stripe billing records. Payment and invoice records processed by Stripe are retained by Stripe in accordance with their own retention policy and applicable tax and financial regulations. We do not control Stripe's retention schedule.
7. Your Rights
Regardless of your location, we extend the following rights to all MemoryClaw users. These rights are consistent with the requirements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA):
- Right to access. You can request a copy of all personal information we hold about your account.
- Right to correction. You can update your email address and other account information through your dashboard at any time.
- Right to deletion. You can delete your account and all associated data from your dashboard settings. Deletion is immediate and irreversible.
- Right to data portability. You can export your encrypted backup data at any time using the `memoryclaw pull --file` CLI command, which downloads and decrypts your backup to a local file you control.
- Right to object and restrict. You can object to or request restriction of certain processing activities by contacting us.
- Right to withdraw consent. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
To exercise any of these rights, use the relevant options in your dashboard settings or contact us at info@memoryclaw.ai. We will acknowledge your request within 5 business days and respond substantively within 30 days.
Additional region-specific rights are detailed in Section 14 below.
8. Data Security
We implement multiple layers of security to protect your data:
- HTTPS everywhere. All communication between your device and our servers is encrypted in transit using TLS. Unencrypted HTTP requests are rejected.
- Client-side AES-256-GCM encryption. Your backup data is encrypted on your device before transmission using AES-256-GCM, an authenticated encryption standard. The encryption key is derived from your passphrase, which never leaves your device.
- bcrypt password hashing. Account passwords are hashed using bcrypt with a per-user salt, making brute-force and rainbow table attacks computationally infeasible.
- JWT with 7-day expiry. Authentication sessions are managed via JSON Web Tokens with a maximum lifetime of 7 days. Tokens are signed server-side and validated on every request. Expired tokens are rejected, requiring re-authentication.
- Rate limiting. API endpoints are protected by rate limiting to prevent brute-force attacks, credential stuffing, and denial-of-service attempts.
- Least privilege access. Internal systems follow the principle of least privilege. Service components have access only to the specific resources they require. Database credentials and encryption keys are managed through environment-scoped secrets.
While we take extensive measures to protect your data, no system is perfectly secure. We encourage you to use a strong, unique passphrase and to keep your CLI and dependencies up to date.
9. Children's Privacy
MemoryClaw is not intended for use by anyone under the age of 13 (or the applicable minimum age in your jurisdiction — see Section 14 for region-specific details). We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
If we become aware that we have inadvertently collected personal information from a child under 13 (or below the applicable minimum age in your jurisdiction — see Section 14 for region-specific details), we will take immediate steps to delete the account and all associated data. If you believe a child under 13 has created a MemoryClaw account, please contact us at info@memoryclaw.ai so we can take appropriate action.
10. International Data Transfers
MemoryClaw is operated from and data may be stored in the United States. If you access the Service from outside the United States, you understand and consent to the transfer, processing, and storage of your information in the United States.
The United States may not provide the same level of data protection as your home jurisdiction. By using the Service, you acknowledge this and consent to such transfers. We apply the same security and privacy protections described in this policy regardless of where you are located.
For information about the specific legal mechanisms we use for cross-border transfers, see the region-specific disclosures in Section 14.
11. Do Not Track
MemoryClaw does not track users across third-party websites or services. We do not use advertising cookies, analytics trackers, or behavioral profiling of any kind. Because we do not engage in tracking, there is no change in our behavior when a Do Not Track (DNT) browser signal is received.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email to your registered address or by posting a prominent notice on the Service at least 14 days before the changes take effect.
We may also make non-material updates (such as clarifications, formatting changes, or updates to reflect provider changes) without prior notice. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use and delete your account before the updated policy takes effect.
13. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us through the following channels:
For all inquiries — privacy, security, or general support — email us at info@memoryclaw.ai.
We aim to acknowledge all inquiries within 5 business days and provide a substantive response within 30 days.
14. Region-Specific Privacy Disclosures
The following subsections provide additional disclosures required by specific regional privacy laws. These supplements apply in addition to, and do not replace, the rest of this Privacy Policy.
14A. For European Economic Area Users (GDPR)
This subsection applies if you are located in the European Economic Area (EEA). It supplements the information above with disclosures required by the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Data controller. The data controller for purposes of the GDPR is NGSRV, LLC (owner and operator of MemoryClaw). You may contact us regarding data protection matters at info@memoryclaw.ai.
Data Protection Officer. We have not appointed a Data Protection Officer, as we do not meet the thresholds set out in Article 37 of the GDPR (we do not carry out large-scale systematic monitoring of individuals, nor do we process special categories of data at scale).
Legal basis for processing. We process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Account creation, authentication, encrypted backup storage and retrieval, payment processing, and transactional emails are necessary to perform the contract between you and MemoryClaw.
- Legitimate interests (Article 6(1)(f)): Server logging, security monitoring, rate limiting, and abuse prevention are carried out on the basis of our legitimate interest in protecting the Service and its users. These activities are proportionate and do not override your fundamental rights.
- Legal obligation (Article 6(1)(c)): We may process data to comply with applicable tax, financial reporting, or law enforcement obligations.
Retention periods.
| Data category | Retention period |
|---|---|
| Account data & encrypted backups | Until you delete your account |
| Server logs | As long as reasonably necessary |
| Stripe billing records | Per Stripe's retention policy |
| Inactive free accounts | 12 months inactivity + 30-day notice before deletion |
Additional GDPR rights. In addition to the rights listed in Section 7, EEA users have the right to:
- Data portability. Receive your personal data in a structured, commonly used, machine-readable format (JSON). You can also use `memoryclaw pull --file` to export your encrypted backups at any time.
- Erasure (Article 17). Request deletion of your personal data on any of the grounds set out in Article 17 of the GDPR. Account deletion through the dashboard fulfils this right immediately.
- Restriction of processing. Request that we restrict certain processing activities while a concern is being resolved.
- Lodge a complaint. You have the right to lodge a complaint with a supervisory authority in the EEA Member State of your habitual residence or place of work. A list of supervisory authorities is available on the EDPB website.
International transfers. Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the primary legal mechanism for these transfers. Where applicable, we also rely on the EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations.
ePrivacy. MemoryClaw uses only strictly necessary cookies and local storage as described in Section 6. Because we do not use non-essential cookies, analytics trackers, or advertising technologies, no cookie consent banner is required under the ePrivacy Directive.
Children. In the EEA, the minimum age for consenting to data processing in relation to information society services is 16 years (or a lower age set by individual Member States, but never below 13). If you are below the applicable age in your Member State, a parent or guardian must provide consent on your behalf.
Response times. We will respond to GDPR rights requests within 30 days of receipt. If a request is particularly complex, we may extend this period by up to 2 additional months, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period.
14B. For United Kingdom Users (UK GDPR)
This subsection applies if you are located in the United Kingdom. It supplements the information above with disclosures required by the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
Data controller. The data controller is NGSRV, LLC (owner and operator of MemoryClaw). For data protection inquiries, contact info@memoryclaw.ai.
Legal bases. We process your personal data under the UK GDPR on the same legal bases described in Section 14A above: performance of a contract, legitimate interests, and legal obligation.
Your rights. UK users enjoy the same data protection rights as described in Section 7 and Section 14A, including the rights to access, rectification, erasure, restriction, portability, and objection.
Complaints. If you believe we have not handled your data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can file a complaint at https://ico.org.uk/make-a-complaint/.
International transfers. Your data is transferred to the United States. We rely on the UK Addendum to the EU Standard Contractual Clauses or the International Data Transfer Agreement (IDTA) as the legal mechanism for these transfers. Where applicable, we also rely on the UK Extension to the EU-U.S. Data Privacy Framework.
Children. In the United Kingdom, the minimum age for consenting to data processing in relation to information society services is 13 years under the Data Protection Act 2018.
14C. For California Residents (CCPA/CPRA)
This subsection applies if you are a California resident. It supplements the information above with disclosures required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA").
Categories of personal information collected. In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Email address, IP address, device identifiers.
- Internet or other electronic network activity information: Server logs, API request data, timestamps, HTTP status codes.
- Commercial information: Subscription plan, payment status, and billing details processed by Stripe (last four digits of card, card brand, expiration).
Sale and sharing of personal information. We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
Your CCPA rights. As a California resident, you have the following rights under the CCPA:
- Right to Know. You can request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete. You can request the deletion of personal information we have collected from you, subject to certain legal exceptions. Account deletion via the dashboard fulfils this right immediately.
- Right to Correct. You can request that we correct inaccurate personal information we hold about you.
- Right to Opt-Out of Sale/Sharing. Not applicable — we do not sell or share personal information.
- Right to Limit Use of Sensitive Personal Information. Not applicable — we do not collect sensitive personal information as defined by the CCPA.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access levels as a result of exercising your privacy rights.
How to submit a request. You may submit a CCPA request by emailing info@memoryclaw.ai with the subject line "CCPA Request." We will verify your identity by confirming your registered email address. We will acknowledge your request and respond within 45 days of receipt. If we require additional time, we will notify you of the extension (up to an additional 45 days).
Authorized agents. You may designate an authorized agent to submit a CCPA request on your behalf. We will require the authorized agent to provide written proof of authorization (such as a signed letter or power of attorney) and may require you to verify your identity directly with us before processing the request.
Financial incentive programs. We do not offer any financial incentive programs related to the collection, retention, or sale of personal information.