Privacy Policy

Last updated: April 22, 2026

Summary

We collect the minimum needed to run the Service: your email, optional phone for SMS verification, the Telegram bot token you provide (encrypted at rest), and usage metadata for billing + abuse prevention. We do not sell your data. We do not use your message content to train models. This page is the long version.

1. Data we collect

  • Account data: email address, hashed password, phone number (if you enable SMS verification), and timestamps.
  • Bot configuration: Telegram bot token (encrypted at rest with AES-256-GCM), bot username, Fly app identifier.
  • Usage metadata: per-request token counts, model used, provider used, lane (normal/slow), cost in micro-dollars, request timestamp, HTTP status, latency. Stored to operate billing, enforce fair-use caps, and investigate abuse.
  • Payment data: handled by our payment processor (Dodo Payments); we see only subscription status + a customer identifier. We never see your card number.
  • Operational data: server logs, error reports (via Sentry), session cookies, IP address (for rate-limiting and abuse detection).

2. What we do NOT collect or do

  • We do not log or store the content of your chat messages.
  • We do not sell, rent, or share your data with advertisers.
  • We do not use your content to train AI models, ours or anyone else's.
  • We do not read your Telegram DMs outside of messages you send to your bot.

3. Sub-processors

We rely on these third parties to operate the Service:
  • Fly.io — infrastructure hosting + managed Postgres.
  • Upstash — Redis (via Fly integration) for rate-limit state + cache.
  • DeepSeek, DeepInfra, Together AI — LLM inference providers. Your message content transits through the provider selected for your request; providers commit to not retaining prompts for training under their API terms.
  • Dodo Payments — payment processing.
  • Twilio — SMS verification (when you opt into phone verification).
  • Sentry — error monitoring. May capture stack traces that include request URL and anonymized server state; does not capture message content.

4. Retention

  • Account data: while your account is active, plus up to 90 days after cancellation for billing reconciliation.
  • Usage events: 12 months, then rolled into aggregated monthly totals retained indefinitely for audit.
  • Server logs: 30 days.
  • Error reports (Sentry): 90 days.

5. Your rights (GDPR / CCPA / similar)

You can:
  • request a copy of your data (export in JSON);
  • request deletion of your account and associated data (we honor this within 30 days; audit-mandated retention may keep financial records longer per § 4);
  • correct inaccurate data;
  • withdraw consent for SMS verification or other optional features at any time.
Send requests to support@gotclawbot.com with the email on your account. We may ask for verification before acting on deletion or export requests.

6. Security

We encrypt data in transit (TLS 1.2+) and at rest where it's sensitive (Telegram bot tokens, TOTP secrets). Passwords are hashed with Argon2id. Admin access requires two-factor authentication. If we discover a breach affecting your account, we will notify you within 72 hours via the email on file.

7. Cookies

We use strictly-necessary cookies for authentication (session tokens) and nothing else — no tracking pixels, no advertising identifiers, no third-party analytics. Sentry session replay is enabled on 10% of sessions for debugging; it records UI interactions but masks input fields.

8. International transfers

Our primary infrastructure is in Frankfurt, Germany (EU). LLM providers may process requests in the United States or other regions. By using the Service, you consent to these transfers under the providers' respective safeguards.

9. Children

The Service is not directed at children under 13. We do not knowingly collect data from children under 13; if you believe we have, contact us and we will delete it.

10. Changes

Material changes to this policy will be announced by email and posted here with a new "Last updated" date. Continued use after the effective date constitutes acceptance.

11. Contact

Data questions: support@gotclawbot.com.