← Back to home

1claw Privacy Policy

Last updated: February 19, 2026

Your private information is yours. We do not sell it, share it for advertising purposes, or give it away. Wherever possible, we minimize what we collect. This Privacy Policy explains what we collect, why we collect it, and how we protect it.

This policy applies to the 1claw platform, API, dashboard, MCP server, SDK, and all related services operated at https://1claw.xyz and https://docs.1claw.xyz.

1. Information We Collect

Account Information

When you create a 1claw account, we collect:

  • Name and email address
  • Account type and authentication credentials (hashed; we never store plaintext passwords)
  • Billing information, processed and stored by our payment processor — 1claw does not store full card numbers
  • Organization or team name, if applicable

Usage and Technical Data

To operate and improve the Service, we collect:

  • IP address and device identifiers
  • API request timestamps, endpoints accessed, HTTP status codes, and latency metrics
  • Vault and agent count, number of secrets stored, and storage consumption (not secret values)
  • Authentication events: login times, JWT issuances, and token expirations
  • Browser type and version when accessing the web dashboard

Audit Log Data

Every secret access, vault creation, agent registration, policy change, and administrative action is recorded in an append-only audit log. This log records who performed an action, what resource was accessed (by path), and when — but never the value of the secret itself. Audit logs are accessible to you and are integral to the Service.

Support Communications

If you contact us at ops@1claw.xyz, we retain the content of your communications to resolve your issue and improve our support.

2. What We Do Not Collect

1claw is designed to keep your secrets secret — including from us:

  • We do not have access to the values of secrets stored in your vaults. Secrets are envelope-encrypted with HSM-backed keys that never leave the hardware security module.
  • We do not read, log, or transmit secret values during retrieval. The audit log records path and metadata only.
  • We do not sell or share your personal information with advertisers or data brokers.
  • We do not use your data to train AI models.

3. How We Use Your Information

We use the information we collect to:

  • Provision and operate your account, vaults, agents, and policies
  • Process billing and manage your Subscription
  • Authenticate users and agents, issue short-lived JWTs, and enforce access policies
  • Maintain and display audit logs for your security and compliance needs
  • Send operational emails including security alerts, billing notices, and service updates
  • Diagnose technical issues and improve the reliability and security of the Service
  • Comply with legal obligations

4. HSM Encryption and Data Security

1claw uses envelope encryption with Hardware Security Modules (HSM) to protect secrets. Each secret is encrypted with a unique Data Encryption Key (DEK), which is itself wrapped by an HSM-backed Key Encryption Key (KEK). The KEK never leaves the HSM hardware.

This architecture means that even 1claw personnel with database access cannot read your secrets. We cannot decrypt your vault contents on your behalf — and we will not attempt to do so.

We employ industry-standard security practices including encrypted connections (TLS), access controls, and intrusion detection. We will promptly notify affected users in the event of a security breach involving personal data, in accordance with applicable law.

5. AI Agent Access

When an AI agent (Claude, Cursor, GPT, or other) authenticates with the Service using an agent key (ocv_), it receives a short-lived JWT scoped to the policies you configured. We log the agent's identity, the secret path requested, and the timestamp of access — never the secret value.

You are responsible for the agent identities you register and the policies you configure. If you believe an agent key has been compromised, you can revoke it immediately through the dashboard or API.

6. MCP Server

The 1claw MCP server (mcp.1claw.xyz) enables AI assistants to access vault secrets via the Model Context Protocol. MCP requests are authenticated using your Bearer token and Vault ID. We log MCP tool invocations in the same append-only audit trail as direct API calls. Secret values returned over MCP are transmitted over encrypted connections and are not retained by 1claw after delivery.

7. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:

  • Service providers: We work with infrastructure partners (e.g., cloud hosting, HSM providers, payment processors) who are contractually obligated to protect your data and may not use it for any other purpose.
  • Legal obligations: We will disclose information if required by a valid, enforceable legal process (such as a court order or government request). Where permitted by law, we will notify you before disclosing. See below for law enforcement requests.
  • Safety: We may disclose information if we have a good-faith belief that doing so is necessary to prevent imminent harm to you or others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to a successor entity, subject to the same privacy protections.

8. Law Enforcement Requests

1claw will respond to enforceable legal requests from government authorities in accordance with applicable law. We will:

  • Review each request for legal validity before complying
  • Notify you of requests for your information where legally permitted to do so
  • Provide only the minimum information legally required

Because secret values are HSM-encrypted and inaccessible to us, any compelled disclosure would be limited to account metadata and audit log records — not your vault contents.

9. Your Rights

Right to Access: You have the right to know what personal information we hold about you. You can view your account information in the dashboard at any time. To request a full summary of what we know about you, contact ops@1claw.xyz from your registered email address.

Right to Export: You may export your vault metadata and audit logs at any time through the dashboard or API. Note that secret values are encrypted and can only be retrieved through an authenticated session using your own keys.

Right to Correct: You may update your account information (name, email, billing details) at any time through your account settings.

Right to Delete: You may request deletion of your account and personal data by contacting ops@1claw.xyz from your registered email address. After we authenticate your request and you delete your account, we will remove your personal information from active systems within a reasonable time. Note that backups maintained for disaster recovery may retain data for a limited period and will be purged on a rolling schedule.

Right to Object or Restrict: You may object to or request restriction of processing of your personal data where applicable law permits. Contact ops@1claw.xyz to exercise this right.

10. Data Retention

We retain account information for as long as your account is active or as needed to provide the Service. Audit logs are retained for a rolling period sufficient to support security investigations and compliance — typically 90 days in the active database, longer in backups. After account deletion, we remove personal data from active systems promptly and from backups on a rolling schedule.

11. Cookies and Tracking

The 1claw web dashboard uses essential cookies to maintain your authenticated session. We do not use third-party advertising cookies or behavioral tracking technologies. We may use minimal analytics (e.g., page load counts) that do not identify you personally.

12. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact ops@1claw.xyz and we will promptly delete it.

13. International Data Transfers

1claw is operated using cloud infrastructure that may process data in multiple regions. By using the Service, you consent to the transfer and processing of your information in accordance with this Privacy Policy and applicable data protection law. Where required, we implement appropriate safeguards for cross-border data transfers.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy at https://1claw.xyz/privacy and notify you via email where material changes are made. Your continued use of the Service after the effective date of any revision constitutes your acceptance of the updated policy.

15. Contact Us

If you have questions or requests regarding this Privacy Policy or your personal data, please contact us at ops@1claw.xyz.

Full documentation is available at https://docs.1claw.xyz.

© 2026 1claw. All rights reserved.