Privacy Policy

Effective Date: March 6, 2026
Last Updated: March 6, 2026

This Privacy Policy describes how Codebridge Technology, Inc. ("Company," "we," "us," or "our"), a Delaware corporation with its principal office at 8 The Green, Suite 12848, Dover, DE 19901, USA, collects, uses, and protects information in connection with the OpenClaw platform available at openclaw.gdn and all related services (the "Service").

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

• Full name;
• Email address;
• Authentication data from third-party providers (Google, Microsoft, or GitHub), which may include your profile picture and account identifier.

1.2 Billing Information

When you subscribe to a paid plan or make a purchase, payment information (credit card number, billing address) is collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers. We receive and store only a transaction identifier, the last four digits of your card, and the card expiration date for record-keeping purposes.

1.3 Usage and Technical Data

We automatically collect certain information when you use the Service, including:

• IP address;
• Browser type and version;
• Operating system;
• Pages visited and features used within the dashboard;
• Timestamps of access;
• VM health metrics (CPU usage, memory usage, uptime) for service monitoring purposes.

1.4 AI Usage Data

We track aggregate AI usage metrics such as the number of messages sent, tokens consumed, and AI budget utilization. This data is used for billing, enforcing usage limits, and improving the Service. We do not read, store, or access the content of your conversations with the AI assistant on our management infrastructure.

1.5 Conversation Data

Your conversations with the AI assistant, custom configurations, and any files on your VM are stored exclusively on your dedicated, isolated virtual machine. This data is not transmitted to or stored on our central management systems. When you use the AI assistant, your messages are sent directly from your VM to the AI model provider (Anthropic, OpenAI, or Google) for processing.

1.6 BYOK API Keys

If you provide your own API keys (BYOK), these keys are stored exclusively on your dedicated VM and are never transmitted to our management infrastructure or any third party.

1.7 Cookies

We use essential cookies for the following purposes:

• Authentication: To maintain your logged-in session;
• Security: To protect against cross-site request forgery and other attacks.

We do not use third-party advertising or tracking cookies. We may use minimal analytics to understand aggregate usage patterns.

2. How We Use Your Information

We use the collected information for the following purposes:

• Providing the Service: Creating and managing your account, provisioning and maintaining your VM, processing payments, and enforcing usage limits;
• Communication: Sending transactional emails (account verification, billing receipts, trial expiration notices, payment failure alerts) and responding to support requests;
• Service Improvement: Analyzing aggregate usage patterns and performance metrics to improve reliability, features, and user experience;
• Security: Detecting and preventing fraud, abuse, and unauthorized access;
• Legal Compliance: Fulfilling legal obligations and responding to lawful requests from authorities.

We do not use your personal information for advertising purposes. We do not sell, rent, or trade your personal information to third parties for marketing.

3. How We Share Your Information

We share your information only in the following limited circumstances:

• Payment Processor (Stripe): Billing information is shared with Stripe to process payments. Stripe's privacy policy is available at stripe.com/privacy;
• AI Model Providers: When using our managed AI keys (non-BYOK), your messages are routed through our proxy to AI providers (Anthropic, OpenAI, Google) for processing. These providers process your messages according to their respective privacy policies. When using BYOK, your messages go directly from your VM to the provider;
• Infrastructure Providers: We use Hetzner for server hosting and Cloudflare for DDoS protection and CDN services. These providers may process IP addresses and network traffic data;
• Legal Requirements: We may disclose information if required by law, court order, subpoena, or governmental request, or if necessary to protect our rights, safety, or property;
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.

4. Data Security

We implement multiple layers of security to protect your data:

• VM Isolation: Each user's data is stored on a dedicated virtual machine with hardware-level (KVM) isolation. VMs cannot communicate with each other;
• Encryption: Sensitive data (such as managed API keys and bot tokens) stored on our management infrastructure is encrypted using AES-256-GCM. All data in transit is encrypted via TLS/HTTPS;
• Network Security: User VMs are not directly accessible from the internet. Access is routed through a secured reverse proxy with firewall rules restricting traffic;
• Access Controls: Administrative access to infrastructure is restricted by IP allowlisting, SSH key authentication, and audit logging.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Retention

• Account Information: Retained for as long as your account is active and for a reasonable period afterward for record-keeping and legal compliance;
• Conversation Data: Stored on your VM and deleted within 30 days of account termination or VM shutdown;
• Billing Records: Retained for up to 7 years as required by applicable tax and financial regulations;
• Server Logs: Automatically rotated and deleted after 90 days.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

6.1 All Users

• Access: Request a copy of the personal information we hold about you;
• Correction: Request correction of inaccurate personal information;
• Deletion: Request deletion of your account and associated personal data;
• Data Export: Download your data through the dashboard or by contacting us;
• Opt-Out: Unsubscribe from non-essential communications at any time.

6.2 European Economic Area (EEA) Residents — GDPR

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your data based on: (a) performance of a contract (providing the Service), (b) legitimate interests (security monitoring, service improvement), and (c) your consent (where applicable);
• Data Portability: Right to receive your personal data in a structured, commonly used, and machine-readable format;
• Restriction: Right to request restriction of processing in certain circumstances;
• Objection: Right to object to processing based on legitimate interests;
• Supervisory Authority: Right to lodge a complaint with your local data protection authority.

Our servers are located in the European Union (Hetzner, Germany). For any data transfers outside the EEA, we ensure appropriate safeguards are in place.

6.3 California Residents — CCPA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: What personal information we collect, use, and disclose;
• Right to Delete: Request deletion of personal information;
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

We do not sell your personal information as defined by the CCPA.

6.4 Exercising Your Rights

To exercise any of these rights, contact us at contact@codebridge.tech. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

7. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. If you believe that a child has provided us with personal information, please contact us at contact@codebridge.tech.

8. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to the OpenClaw platform. We are not responsible for the privacy practices of any third-party services. We encourage you to review the privacy policies of any third-party services you interact with.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service at least 30 days before the changes take effect. Minor changes (clarifications, formatting) may take effect immediately. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Codebridge Technology, Inc.
8 The Green, Suite 12848
Dover, DE 19901, USA
Email: contact@codebridge.tech
Phone: +1 302 688 70 80