Privacy Policy
Last updated: March 1, 2026
1. Overview
HexaClaw ("we", "our", "us") operates hexaclaw.com and provides the HexaClaw AI services platform, including the Cloud API Platform (unified proxy for LLM completions, embeddings, web search, image generation, text-to-speech, speech-to-text, browser automation, and vector storage), desktop application, CLI, Guardian security engine, and related services (collectively, the "Service").
This Privacy Policy explains what personal data we collect, the legal basis for processing it, how we use and protect it, and the rights you have regarding your data. We are committed to protecting your privacy and processing personal data transparently, lawfully, and fairly.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
HexaClaw is the data controller responsible for your personal data under applicable data protection laws. For any questions or concerns about how we handle your data, contact us at privacy@hexaclaw.com.
If you are a resident of the European Union or European Economic Area, you also have the right to contact your local data protection supervisory authority.
3. Data We Collect
The following table summarizes the categories of personal data we collect, what is included, and our legal basis for processing under the General Data Protection Regulation (GDPR).
| Category | Data Collected | Legal Basis |
|---|---|---|
| Account data | Email address, display name (from Google OAuth), profile photo URL | Contract performance (GDPR Art. 6(1)(b)) |
| Payment data | Processed by Stripe. We store only: Stripe customer ID, subscription status, and plan type. We never store card numbers or full payment credentials. | Contract performance (GDPR Art. 6(1)(b)) |
| Usage data | Page views, feature usage, session duration (via Google Analytics, if enabled by you) | Legitimate interest (GDPR Art. 6(1)(f)) |
| Cloud API Platform data | API key identifiers (hashed), credit transaction ledger (amounts, service type, model used, token counts, timestamps), generation metadata (model, request ID, latency), rate limit counters. User prompts and AI responses are forwarded to Third-Party Providers in transit but are not stored by HexaClaw. | Contract performance (GDPR Art. 6(1)(b)) |
| Guardian Cloud API data | Sanitized metadata only: rule ID triggered, threat category, timestamp. No user prompts, no AI responses, no file contents are transmitted. | Legitimate interest (GDPR Art. 6(1)(f)) -- security improvement |
| Browser session data | Session identifiers, creation and termination timestamps, session duration (for billing). Browser session content is processed by Browserbase; we store only session metadata. | Contract performance (GDPR Art. 6(1)(b)) |
| Vector storage data | Text content you store via the /remember command is converted to vector embeddings and stored. You control what data is stored and can delete it at any time. | Contract performance (GDPR Art. 6(1)(b)) |
| Device information | Operating system type, application version (used for update delivery and compatibility) | Legitimate interest (GDPR Art. 6(1)(f)) |
| Support data | Email correspondence, support tickets, and any information you voluntarily provide during support interactions | Contract performance (GDPR Art. 6(1)(b)) |
4. How We Use Your Data
We process your personal data for the following purposes:
- Provide, operate, and maintain the Service, including the Cloud API Platform
- Route your API requests to Third-Party Providers and meter credit usage
- Process payments and manage subscriptions
- Send product updates and security alerts (you can unsubscribe at any time)
- Improve Guardian detection rules using anonymized threat metadata only
- Provide customer support and respond to inquiries
- Comply with applicable legal obligations
- Detect and prevent fraud, abuse, or security incidents
We do NOT:
- Sell your personal data to any third party
- Use your data for advertising purposes
- Share your data with data brokers
- Train AI models on your personal data
- Profile you for marketing or cross-context behavioral advertising
5. Cloud API Platform Data Handling
The Cloud API Platform routes your requests to Third-Party Providers (such as Anthropic, OpenAI, Google, and others). The following describes how data flows through our platform:
Data in Transit
- Your API requests (prompts, text, audio files, image prompts) are forwarded to the selected Third-Party Provider over encrypted connections (TLS 1.3)
- Request content passes through our proxy infrastructure but is not stored, logged, or retained by HexaClaw after the request is completed
- AI-generated responses are streamed back to you through our proxy and are not retained by HexaClaw
Metadata We Store
- Credit ledger entries: amount, service type, model, token counts, request ID, and timestamp (append-only, immutable)
- Generation metadata: model name, latency, token usage (for billing accuracy and usage dashboards)
- API key identifiers (hashed, never stored in plaintext)
- Rate limit counters and daily usage aggregates
Third-Party Provider Data Handling
Each Third-Party Provider has its own data retention and privacy policies. When your requests are forwarded, the Third-Party Provider processes that data according to their own terms. We encourage you to review the privacy policies of the providers whose models you use. HexaClaw uses API access (not consumer products), and most providers do not train on API data by default.
BYOK (Bring Your Own Key) Data
When using BYOK, your Third-Party Provider API keys are stored encrypted at rest in your local configuration file. They are transmitted to the respective provider over TLS but are never stored on HexaClaw servers.
6. Guardian Cloud API Data Handling
The Guardian Cloud API enhances our security engine with cloud-based threat intelligence. We take extraordinary care to ensure that only the minimum necessary metadata is transmitted.
What is sent to the Guardian Cloud API
- Rule ID that was triggered
- Threat category and severity score
- Timestamp of the event
- Anonymized session hash (cannot be linked back to your identity)
What is NEVER sent
- User prompts or AI responses
- File contents or file paths
- Credentials, API keys, or tokens
- Any personal or identifiable data
All data is sanitized on the client side before transmission. Guardian Cloud API threat metadata is retained for 30 days for threat analytics purposes, after which it is permanently deleted.
You can disable Guardian Cloud at any time in your hexaclaw.json configuration. Guardian continues to function fully offline using local rules.
7. Cookies & Tracking
We use only essential cookies by default. For our full cookie policy, see /cookies.
- Firebase authentication session cookie -- essential for maintaining your login session
- Cookie consent preference -- essential for remembering your cookie choices
- Google Analytics -- optional, activated only if you accept analytics in the cookie banner
We respect Do Not Track (DNT) browser signals. When a DNT signal is detected, optional analytics cookies will not be loaded.
8. Data Sharing & Sub-processors
We use the following sub-processors to deliver the Service. Each sub-processor processes data only as necessary for its stated purpose.
| Sub-processor | Location | Purpose |
|---|---|---|
| Google Cloud Platform | United States | Hosting, infrastructure, Cloud Run relay, Firestore database |
| Firebase (Google) | United States | Authentication, user database, cloud functions |
| Stripe | United States | Payment processing, subscription management |
| Anthropic | United States | LLM completions (Claude models) via Cloud API Platform |
| OpenAI | United States | LLM completions (GPT, o-series), embeddings, TTS, STT via Cloud API Platform |
| Google (Gemini API) | United States | LLM completions (Gemini models), embeddings via Cloud API Platform |
| DeepSeek | China | LLM completions (DeepSeek models) via Cloud API Platform |
| Mistral AI | France (EU) | LLM completions (Mistral, Codestral models) via Cloud API Platform |
| Groq | United States | LLM completions (Llama, Qwen, Gemma models) via Cloud API Platform |
| xAI | United States | LLM completions (Grok models) via Cloud API Platform |
| Brave Software | United States | Web search results via Cloud API Platform |
| fal.ai | United States | Image generation (Flux models) via Cloud API Platform |
| Browserbase | United States | Cloud browser automation sessions via Cloud API Platform |
| Qdrant | United States | Vector storage and semantic search via Cloud API Platform |
| Google Analytics | United States | Website analytics (optional, can be disabled) |
We do not share your personal data with any other third parties for marketing, advertising, or any purpose unrelated to delivering the Service.
9. International Data Transfers
Your data is primarily stored in the United States on Google Cloud infrastructure (us-central1 region). If you are located in the European Union or European Economic Area, transfers of your personal data to the United States are covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
Our sub-processors, including Google Cloud and Stripe, maintain Standard Contractual Clauses for international data transfers. You may request a copy of the applicable SCCs by contacting privacy@hexaclaw.com.
China-Based Provider (DeepSeek)
DeepSeek, one of the Third-Party Providers accessible through the Cloud API Platform, is based in China. When you select a DeepSeek model, your request content (prompts and inputs) is transmitted to DeepSeek's servers in China for processing. The following safeguards apply:
- DeepSeek processes data only for generating the requested completion and, per their API terms, does not use API-submitted data for model training
- You can avoid this transfer by not selecting DeepSeek models. All other providers on the platform are based in the United States or the EU.
- We apply supplementary technical measures per the Schrems II framework: all data is encrypted in transit (TLS 1.3), and no personal data beyond the request content is shared with DeepSeek
- For EU/EEA users who require full adequacy-based transfers, we recommend using alternative models (e.g., Mistral, which is EU-based)
10. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Payment records | 7 years (tax and legal obligations) |
| Guardian threat metadata | 30 days |
| Analytics data | 14 months (Google Analytics default) |
| Support correspondence | 2 years after resolution |
| Credit ledger & API usage data | Duration of account + 7 years (financial records) |
| Vector storage data | Until deleted by user; 90 days after account cancellation |
| Server logs | 30 days |
11. Your Rights
11.1 All Users
Regardless of where you are located, you have the following rights:
- Access -- request a copy of the personal data we hold about you
- Correction -- request that we correct inaccurate or incomplete data
- Deletion -- request that we delete your personal data
- Data portability -- request your data in a structured, machine-readable format
- Withdraw consent -- where processing is based on consent, withdraw it at any time
- Object to processing -- object to processing based on legitimate interest
11.2 EU/EEA Rights (GDPR)
If you are in the European Union or European Economic Area, you have additional rights under the GDPR:
- Right to restriction -- request that we restrict the processing of your data in certain circumstances
- Right to lodge a complaint -- file a complaint with your local data protection supervisory authority
- Right regarding automated decision-making -- you have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects
We will respond to GDPR requests within 30 days.
11.3 California Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know -- what personal information we have collected, used, disclosed, or sold
- Right to delete -- request deletion of your personal information
- Right to opt-out -- opt out of the sale or sharing of your personal information
- Right to non-discrimination -- we will not discriminate against you for exercising your privacy rights
We do NOT sell or share personal information as defined under the CCPA. We will respond to CCPA requests within 45 days, extendable by an additional 45 days where reasonably necessary.
11.4 "Do Not Sell or Share"
We do not sell or share your personal information with third parties for cross-context behavioral advertising. This applies to all users regardless of whether you are a California resident.
To exercise any of these rights, email privacy@hexaclaw.com with your request. We will verify your identity before processing any rights request.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit (TLS 1.3) and at rest
- Firebase Authentication with secure token handling and session management
- Regular security reviews of our codebase and dependencies
- Access controls limiting employee access to personal data on a need-to-know basis
- Infrastructure hosted on Google Cloud Platform with SOC 2 certification
No system is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@hexaclaw.com (see our Security & Vulnerability Disclosure page).
13. Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
- Notification will include: the nature of the breach, the categories of data affected, measures taken or proposed to address the breach, and contact information for further questions
- We will notify the relevant supervisory authority where required by applicable law
- We maintain an incident response plan that is reviewed and updated regularly
14. Children's Privacy
The Service is not directed at anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly.
If you believe that a child under 16 has provided us with personal data, please contact us at privacy@hexaclaw.com so we can take appropriate action.
15. Data Processing Agreement
Enterprise and organizational users who require a Data Processing Agreement (DPA) can find our standard DPA at /dpa. For custom DPA requests or questions, contact legal@hexaclaw.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes: We will provide at least 30 days advance notice via email or in-app notification before material changes take effect
- Non-material changes: Will be posted on this page with an updated date
Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy. We will maintain a change log of material updates to this policy.
17. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, you can reach us at:
- Privacy inquiries: privacy@hexaclaw.com
- General questions: hello@hexaclaw.com
- Legal matters: legal@hexaclaw.com
Mailing address: Quantum Growth Partners LLC, 1111B S Governors Ave STE 26015, Dover, DE 19904, United States.