BackDeutsch

Privacy Policy

Last updated: February 17, 2026

The German version of this Privacy Policy (Datenschutzerklärung) is the legally binding version. This English translation is provided for convenience only.

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Henri Matteo Mache
Dorothea-Erxleben-Straße 56
23562 Lübeck, Germany
Phone: +4915164327820
E-mail: hello@simpleopenclaw.com

For full contact details, see our Imprint.

2. Overview of Data Processing

We process personal data only to the extent necessary for the provision of our Service, the operation of our website, and the fulfillment of our contractual and legal obligations. We adhere to the principle of data minimization (Art. 5(1)(c) GDPR) and do not collect more data than is required for the respective purpose.

The following categories of data are processed:

  • Account data (registration and profile information)
  • Payment data (via Stripe)
  • Instance configuration data
  • Server logs and access data
  • Consent records
  • Communication data (support inquiries)

3. Data Collected and Purposes

Account data (e-mail address, password hash, name if provided) — collected upon registration. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Purpose: account creation, authentication, and service delivery.

Payment data (Stripe customer ID, subscription status, plan tier, billing period) — processed by Stripe. We do not store credit card numbers or full payment credentials. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Purpose: billing, subscription management, and invoicing.

Instance configuration data (API keys, channel tokens, gateway tokens) — stored encrypted at rest. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Purpose: provisioning and operating Customer Instances.

Server logs (IP address, browser type and version, operating system, referring URL, timestamps) — collected automatically upon accessing the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, stability, and abuse prevention). Retention: 30 days, then automatically deleted.

Consent records (consent type, timestamp, IP address, user agent) — recorded when you accept terms of service, privacy policy, or withdrawal waiver. Legal basis: Art. 6(1)(c) GDPR (legal obligation to document consent). Purpose: demonstrating compliance with legal consent requirements.

Communication data (e-mail content, sender information) — collected when you contact us for support. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) and Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). Purpose: handling support requests and inquiries.

4. Hosting and Content Delivery

Website hosting: Our website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you visit our website, Vercel processes server log data (IP address, browser information, timestamps). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable and secure website delivery).

Instance hosting: Customer Instances are hosted on Railway (Railway Corp., USA). Railway processes data necessary for running containerized applications, including network traffic and application logs. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in stable infrastructure).

5. Third-Party Processors

We use the following third-party data processors, each bound by data processing agreements (DPAs):

  • Supabase (Supabase Inc., USA) — Database hosting, authentication, and edge functions. Processes account data, instance metadata, and consent records.
  • Railway (Railway Corp., USA) — Container hosting for Customer Instances. Processes instance configuration and runtime data.
  • Stripe (Stripe Inc., USA) — Payment processing. Processes payment method details, billing addresses, and transaction data. Stripe's own privacy policy applies to data collected directly by Stripe.
  • Vercel (Vercel Inc., USA) — Website hosting and content delivery. Processes server log data.

Transfer safeguards: All processors listed above participate in the EU-U.S. Data Privacy Framework and/or have entered into Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR.

6. International Data Transfers

Personal data is transferred to the United States as part of our use of the third-party processors listed in Section 5. The following transfer mechanisms are in place:

  • EU-U.S. Data Privacy Framework (DPF): Where processors are certified under the DPF, this serves as the primary adequacy mechanism (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs): Where DPF certification is unavailable or as a fallback mechanism, transfers are safeguarded by SCCs adopted by the European Commission (Art. 46(2)(c) GDPR).

Supplementary technical measures include encryption in transit (TLS/HTTPS) and encryption at rest for sensitive data (API keys, tokens).

7. Cookies

We use only essential cookies that are strictly necessary for the operation of the website:

  • Session / authentication cookies: Required for login state management and CSRF protection. These cookies expire when your session ends or after a defined timeout.

We do not use analytics cookies, advertising cookies, social media tracking pixels, or any other non-essential cookies. Therefore, no cookie consent banner is required under §25(2) TTDSG (Telekommunikation-Digitale-Dienste- Datenschutz-Gesetz), as only technically necessary cookies are set.

8. Data Retention

  • Account data: Retained while your account is active, plus 30 days after account deletion to allow for account recovery.
  • Instance data: Deleted 7 days after Instance deletion or account termination.
  • Invoices and billing records: Retained for 10 years in accordance with German commercial and tax law (§147 AO, §257 HGB).
  • Server logs: Automatically deleted after 30 days.
  • Consent records: Retained for 3 years after the end of the contractual relationship, in accordance with the general statutory limitation period (§195 BGB).
  • Communication data (support): Retained for the duration of the business relationship plus 3 years (§195 BGB).

After expiry of the respective retention period, data is deleted or anonymized unless further retention is required by law.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request information about whether and which personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing of your data be restricted under certain conditions.
  • Right to data portability (Art. 20 GDPR): You may request that your data be provided to you or another controller in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest at any time, for reasons arising from your particular situation.
  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority.

Competent supervisory authority: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.

To exercise your rights, contact us at hello@simpleopenclaw.com. We will respond to your request within one month of receipt (Art. 12(3) GDPR). This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (Art. 32 GDPR). These measures include:

  • Encryption in transit: All data transmitted between your browser and our servers is protected by TLS/HTTPS.
  • Encryption at rest: Sensitive data (API keys, tokens, credentials) is encrypted at rest in our database.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Regular backups: Data is backed up regularly to prevent data loss.

11. Data Processing Within Instances

When you use our Service to operate an OpenClaw Instance, you may process personal data of your own end users through that Instance (e.g., messages received via Telegram, Discord, or other connected channels).

With respect to such data:

  • You (the Customer) are the data controller within the meaning of Art. 4(7) GDPR.
  • We (the Provider) act as a data processor within the meaning of Art. 4(8) GDPR, processing data exclusively on your instructions.

As data controller, you are responsible for:

  • ensuring a valid legal basis for processing your end users' data;
  • providing appropriate privacy notices to your end users;
  • responding to data subject requests from your end users;
  • complying with all applicable data protection laws in your jurisdiction.

We do not access data processed within your Instances except as necessary for the technical operation of the Service or when required by law.

12. Changes

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. Material changes will be communicated to you via the e-mail address associated with your account at least 14 days before they take effect.

The updated date displayed at the top of this page indicates when this Privacy Policy was last revised.