Privacy Policy

Last updated: April 5, 2026

This Privacy Policy explains how Dennis Rolea ("we", "us", "our"), operating as Clawshift, collects, uses, and protects your personal data when you use our website (clawshift.ai) and services. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and German data protection law (BDSG).

In short: Your data stays in Europe, is encrypted, never sold, and never used to train AI models. You have full control over your data at all times.

1. Data Controller

Dennis Rolea
Weil am Rhein, Germany
Email: [email protected]
USt-IdNr: DE437806810

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address — for authentication and communication
  • Name — for personalization
  • Password (hashed) — if you use email/password login
  • Google account data — if you sign in via Google OAuth (email, name, profile picture)

2.2 Onboarding Data

During onboarding, we collect your responses to personalize your agent:

  • Usage type (personal/business)
  • Business type and team size
  • Preferred use cases
  • Time and value estimates (used only to show you savings calculations)

2.3 Payment Data

Payment processing is handled entirely by Stripe, Inc. We do not store your credit card number, CVC, or full card details. We receive from Stripe:

  • Stripe customer ID
  • Subscription status and plan
  • Payment history (amounts, dates, invoice IDs)

2.4 Agent Conversation Data

When you use your AI agent, your conversations are processed by third-party AI model providers (see Section 5). We store:

  • Conversation history (encrypted at rest)
  • Agent memory and configuration files
  • Connected service credentials (encrypted with per-user keys)
  • Token usage records (model, tokens in/out, timestamp)

2.5 Technical Data

We automatically collect:

  • IP address (for security and abuse prevention)
  • Browser type and version
  • Pages visited and timestamps
  • Referring URL

3. How We Use Your Data

  • Providing the Service (agent hosting, conversations) — Art. 6(1)(b) Contract performance
  • Processing payments — Art. 6(1)(b) Contract performance
  • Sending transactional emails (welcome, receipts) — Art. 6(1)(b) Contract performance
  • Security monitoring and abuse prevention — Art. 6(1)(f) Legitimate interest
  • Improving the Service — Art. 6(1)(f) Legitimate interest
  • Marketing emails (only with consent) — Art. 6(1)(a) Consent
  • Legal compliance — Art. 6(1)(c) Legal obligation

4. Where Your Data Is Stored

All data is stored within the European Union.
  • Application servers: Hetzner Online GmbH, Finland (EU)
  • Database: PostgreSQL on Hetzner (Finland, EU)
  • Secrets management: Self-hosted Infisical on Hetzner (Finland, EU)
  • Email delivery: Resend (Amazon SES, EU-West-1 Ireland)
  • DNS and CDN: Cloudflare (edge servers globally, origin in EU)
  • Payment processing: Stripe, Inc. (US company, EU data processing — see Stripe's Privacy Policy)

5. AI Model Providers

Your agent conversations are processed by third-party AI model providers via API. We route requests through OpenRouter, which connects to providers including:

Important: None of these providers use paid API data for model training. Your conversations are processed for inference only and are not retained by the model providers beyond their standard API data retention policies (typically 30 days or less for abuse monitoring).

We only route to GDPR-compliant providers. We do not use providers based in jurisdictions without adequate data protection (e.g., we exclude Chinese AI providers).

6. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Stripe, Inc. — Payment processing — US (EU data processing)
  • Resend / Amazon SES — Email delivery — EU (Ireland)
  • OpenRouter — LLM API routing — US
  • AI model providers — Processing conversations — Various (see Section 5)
  • Hetzner Online GmbH — Server hosting — Finland (EU)
  • Cloudflare, Inc. — CDN, DNS, DDoS protection — Global (EU origin)

For US-based processors (Stripe, OpenRouter, Cloudflare), we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework as the legal basis for data transfers.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Conversation data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Payment records: Retained for 10 years as required by German tax law (§257 HGB, §147 AO).
  • Server logs: Automatically deleted after 90 days.
  • Onboarding responses: Retained while your account is active.

8. Data Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Per-user encryption keys for sensitive data (API keys, credentials)
  • Password hashing with bcrypt (12 rounds)
  • Automated security monitoring and intrusion detection
  • Regular security audits
  • Secrets managed via self-hosted Infisical (not stored in code or environment files)

9. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access — Request a copy of all personal data we hold about you (Art. 15)
  • Rectification — Correct inaccurate personal data (Art. 16)
  • Erasure — Request deletion of your personal data ("right to be forgotten") (Art. 17)
  • Restrict processing — Limit how we use your data (Art. 18)
  • Data portability — Receive your data in a machine-readable format (Art. 20)
  • Object — Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent — Where processing is based on consent, withdraw at any time (Art. 7(3))

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. Cookies

We use only essential cookies required for the Service to function:

  • Session cookie — Maintains your login session (strictly necessary)
  • CSRF token — Prevents cross-site request forgery (strictly necessary)

We do not use analytics cookies, advertising cookies, or tracking pixels. We do not use Google Analytics or similar tracking services.

11. Children's Privacy

Clawshift is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

13. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de

14. Contact

Dennis Rolea
Weil am Rhein, Germany
Email: [email protected]
USt-IdNr: DE437806810

Terms of ServiceCookie PolicyData Processing AgreementImpressum