Legal

Privacy Policy

Effective date: February 26, 2026 · Last updated: February 26, 2026

TL;DR — The short version

✓Your LLM traffic, prompts, and responses never leave your machine. ClawGuard inspects everything locally.
✓Your API keys are stored encrypted on your device. We never see them.
✓We collect only what billing requires: your email address and a machine fingerprint for licence enforcement.
✓No telemetry. No analytics. No beacons. We have no visibility into how or where you use ClawSentinel.
✓Payments are handled entirely by Stripe. We never store card details.

1. Who We Are

ClawSentinel is developed and operated by hshdevhub (security@clawsentinel.dev). References to "we", "us", or "our" in this policy refer to hshdevhub.

This policy applies to the ClawSentinel software package, the billing API at api.clawsentinel.dev, the marketing website at clawsentinel.dev, and the ClawSentinel Guard browser extension.

2. What Data We Collect and Why

2.1 Billing data (Pro subscribers only)

When you subscribe to ClawSentinel Pro, Stripe collects your payment details and provides us with:

Email address — used to send your activation key and billing receipts.
Stripe customer ID — used to manage your subscription.
Subscription status (active / cancelled) — used to enforce your plan.

We never receive or store your card number, CVV, or bank details. These are handled exclusively by Stripe (PCI DSS Level 1 certified).

2.2 Machine fingerprint (Pro subscribers only)

To enforce the one-machine-per-licence policy, we store a machine fingerprint derived from a one-way SHA-256 hash of your device's hostname, operating system, username, and CPU model. This hash is a 32-character hex string. It cannot be reversed to identify your machine or your identity. It is used solely to prevent a single licence being shared across multiple machines.

2.3 Activation token

A cryptographically random 64-character activation token is generated when you subscribe and stored server-side. This is sent to your email and used to activate your licence. It is not linked to any personal information beyond your email and subscription status.

2.4 Website analytics

We do not currently run any analytics or tracking scripts on clawsentinel.dev. No cookies are set. No third-party trackers are loaded.

3. What We Do Not Collect

The following data never leaves your machine and is never transmitted to ClawSentinel servers under any circumstances:

✗Your LLM prompts, responses, or conversation history

✗WebSocket or HTTP traffic passing through ClawGuard

✗API keys stored in ClawVault (stored encrypted locally only)

✗Security events logged by ClawEye (stored in local SQLite database)

✗Pattern engine scan results

✗Semantic engine analysis results

✗OpenClaw skill source code scanned by ClawHub

✗File system paths or file contents

✗IP addresses beyond what Vercel's infrastructure logs (standard web server logs)

The semantic engine (Pro feature) sends content to the LLM provider you configure (Anthropic, OpenAI, or a local Ollama instance). This is a direct connection from your machine to your LLM provider. ClawSentinel does not relay, intercept, or log these requests.

4. Third-Party Services

We use the following sub-processors. Each handles data only as necessary to provide their service:

Service	Purpose	Data shared
Stripe	Payment processing	Email, payment details
Upstash Redis	Billing database	Email, machine fingerprint, subscription status, activation token
Resend	Transactional email	Email, activation token (in email body)
Vercel	API hosting	Standard server logs (IP, timestamp, endpoint)

All third-party services are contractually bound to process data only for the stated purpose and are prohibited from using it for their own commercial purposes.

5. Data Retention

Active subEmail, machine fingerprint, and subscription status are retained for the duration of your subscription.
CancelledAfter cancellation, your subscription record is marked inactive. We retain it for 90 days to handle disputes or reactivation, then delete it.
DeletionTo request immediate deletion of all server-side data, email security@clawsentinel.dev. We will action it within 30 days.
Local dataAll local data (SQLite database, ClawVault, plan.json) is under your complete control. Run clawsentinel uninstall to remove everything.

6. Your Rights

Regardless of your location, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your data (subject to legal retention requirements).
Portability — receive your data in a machine-readable format.
Objection — object to processing of your data.
Opt out of sale — we do not sell your data. Ever.

To exercise any of these rights, email security@clawsentinel.dev with the subject line "Data Request". We respond within 30 days.

7. Security

All API endpoints are served over HTTPS only.
Server-side data is stored in Upstash Redis with encryption at rest.
Activation tokens are cryptographically random (256 bits of entropy).
Access tokens are short-lived JWTs (24-hour expiry, HS256).
ClawSentinel's source code is open for public audit at github.com/hshdevhub/clawsentinel.

To report a security vulnerability, follow the responsible disclosure process in SECURITY.md.

8. Children's Privacy

ClawSentinel is a developer tool intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently done so, contact us immediately and we will delete the data.

9. Changes to This Policy

If we make material changes to this policy — particularly changes that affect what data we collect or how we use it — we will notify active subscribers by email at least 14 days before the changes take effect. The effective date at the top of this page is always the date of the most recent revision.

10. Contact

For any privacy-related questions, data requests, or concerns:

Email: security@clawsentinel.dev

Response time: within 5 business days