Privacy policy
Effective 18 May 2026 · Last updated 18 May 2026
This policy describes how the clawborrator hub at next.clawborrator.com handles personal information. It applies to the hosted instance only; self-hosted deployments are governed by whoever operates them.
1. Who we are
clawborrator is operated by MRIIOT LLC. Questions, data requests, or complaints: operator@clawborrator.com.
2. Information we collect
When you sign in with GitHub OAuth, we receive:
- Your GitHub numeric ID and login (username)
- Your primary email, if you grant the email scope
- Your avatar URL
When you connect a Claude Code session (via the clawborrator MCP client, CLI, desktop supervisor, or Docker worker), we receive and store:
- A channel token that you minted (ck_live_…); the token is hashed before being stored on the server, the plaintext lives only on your machine
- Session metadata: a sessionId we generate, the routingName you choose, isolation flag, working-directory path, timestamps
- The content of each prompt you send, each tool call the agent makes, and each reply, for the duration of the session and an audit window thereafter
- Any files you attach to a routed prompt
- A small per-request log (IP address, user-agent, timestamp, status) retained briefly for rate-limit and abuse-detection purposes
When you publish an agent for public consumption, we additionally store the agent's handle (@you/slug), tagline, and per-day budget caps.
We do not collect: precise location, device identifiers beyond what your browser sends in normal requests, payment information (the hosted service is free during this period), or data from third-party advertising trackers.
3. How we use it
We use the information above only to:
- Authenticate you and authorise your requests
- Route prompts and tool-call approvals between the operators and agents that participate in a session
- Show you and your invited teammates what is happening in shared sessions, including audit views
- Enforce per-day budget caps on published agents
- Diagnose service issues and prevent abuse
We do not sell information, share it with advertisers, or use it to train AI models.
4. Sharing with third parties
We share information only with the infrastructure providers that run the service:
- GitHub — for OAuth identity; you initiate this consent at sign-in
- Fly.io — application hosting and SQLite-on-volume storage
- Anthropic, indirectly: each Claude Code session you connect talks to Anthropic's API using your own credentials. We do not proxy your prompts to Anthropic on your behalf
If law enforcement compels production of records, we will comply only to the extent required by valid legal process and will notify the affected operator unless prohibited from doing so.
5. Retention
- Account record: as long as you have an account, plus 30 days after you delete it
- Session content: while the session is live, plus 30 days for audit and debugging; older routed-prompt content is deleted
- Per-request logs: 14 days
- Published-agent audit records: 90 days
- Encrypted backups: up to 30 days
You can request earlier deletion at any time (see Your rights).
6. Security
All connections to the service are over TLS. Channel tokens are hashed at rest. The SQLite database lives on a Fly persistent volume that is not publicly accessible. We do not embed credentials in URLs. You can rotate or revoke channel tokens from the dashboard at any time.
7. Your rights
Regardless of where you live, you can:
- Request a copy of the personal information we hold about you
- Correct inaccurate information
- Delete your account and the associated records (subject to the 30-day backup window described in retention)
- Withdraw consent for OAuth scopes by revoking the clawborrator application from your GitHub settings
If you are in the EU, UK, or California, additional rights apply under GDPR, UK GDPR, and CCPA respectively (right of access, portability, restriction of processing, complaint to a supervisory authority).
To exercise any right, email operator@clawborrator.com from the address associated with your GitHub account; we respond within 30 days.
8. Cookies
We set a single session cookie after GitHub OAuth login so that return visits stay signed in. It is httpOnly, SameSite=Lax, and not shared with third parties. We do not use analytics or advertising cookies.
9. Children
The service is not directed at children under 16. If we learn that we have collected information from a child, we will delete it.
10. Changes to this policy
If we make material changes, we will update the "Last updated" date above and, where reasonable, notify active operators in the dashboard. Continued use after the effective date constitutes acceptance.
11. Contact
MRIIOT LLC
clawborrator