Legal

Privacy Policy

Last updated: May 2, 2026

Muscled Inc. (“ClawBots,” “we,” “our,” or “us”) operates the ClawBots service, a managed AI family assistant available at claw-bots.com. Each subscribing family receives a dedicated AI agent (Hermes) that runs in an isolated container and connects to the family through Telegram.

This policy explains what information we collect about the people in your family, how we use it, who we share it with, and the choices and rights you have. It also describes the additional protections we apply when a family member is under 13, in line with the Children’s Online Privacy Protection Act (COPPA) and similar laws.

By creating an account or using ClawBots, you agree to this policy. If you do not agree, please stop using the service and email support@claw-bots.com to delete your account.

1. Who can use ClawBots

ClawBots accounts may only be created by adults aged 18 or older. The account holder (the “parent” or “account owner”) is responsible for everyone they add to the family, including minors. Children do not create their own ClawBots accounts. They participate only because the parent has added them as a family member and connected their Telegram chat.

By adding a family member under 13, the parent provides verifiable consent under COPPA for that child to use the service under the parent’s supervision.

2. What data we collect

Account information

Email address, name, and a hashed password (managed via Better Auth). If you sign in with Google, we receive your name, email, and profile photo from Google.
Session tokens used to keep you signed in.

Family setup

Family name and household preferences you choose to share.
For each family member you add: name, role (parent, child, other), age or date of birth if you choose to provide it, and the Telegram chat ID once they connect.

Conversations and family content

Messages your family sends to the bot through Telegram, and the bot’s replies.
Lists, calendar events, reminders, and free-text memory facts the family creates or that the bot saves at the family’s direction (for example, “Mia is allergic to peanuts”).

Technical and audit data

A tool-call audit log that records, for each bot action, the route name, status code, and how long the call took. This log does not contain message content. We keep it for 30 days and then purge it.
Standard server logs (IP address, browser/device type, error traces) used for security and debugging.
Provisioning state for your family’s container (start, stop, health).

Payment information

Card details are collected and processed by Stripe. We never see or store your full card number. We store only your Stripe customer ID, subscription ID, plan, and billing status.

3. How we use this data

Operate the service. Provision and run your family’s container, deliver messages through Telegram, and store the lists, calendar entries, and memory facts your family creates.
Personalise the bot’s memory of your family. The bot uses your family’s saved facts and history so it can answer in context. This memory is scoped to your family only and is not used to train any shared AI model.
Billing. Process subscription payments and send receipts.
Support. Diagnose issues you report, using metadata and audit logs (we do not read message content unless you explicitly share it with support).
Security and fraud prevention. Detect abuse, rate-limit suspicious activity, and protect the service.
Legal compliance. Meet record-keeping, tax, and other obligations imposed by applicable law.

We do not sell your personal data, and we do not use the content of your family’s conversations to train AI models for anyone else.

4. Who we share data with

We use the following sub-processors to deliver the service. Each one only receives the data it needs for its specific role.

Stripe

Subscription billing and payment processing.

Data shared: Email, customer/subscription ID, billing events. Card numbers go directly to Stripe and never touch our servers.

OpenRouter (and Google, via Gemini 2.5 Flash Lite)

LLM inference for the bot’s replies.

Data shared: The conversation messages sent to the bot, plus the relevant family memory context the bot needs to answer. These transit OpenRouter to Google’s Gemini API.

Hetzner (Germany, EU)

Hosting and storage.

Data shared: All ClawBots databases and family containers run on Hetzner servers in Germany.

Message delivery between your family and the bot.

Data shared: Telegram chat IDs, message contents (Telegram is the transport).

Better Auth

Session and authentication tooling embedded in our application.

Data shared: Email, hashed password, session token. Better Auth runs inside our infrastructure; data is stored in our Hetzner-hosted database.

We will update this list when sub-processors change. Material changes will be announced on this page.

5. Children under 13 (COPPA notice to parents)

ClawBots is designed to be used by whole families, including children. When a parent adds a child under 13 as a family member, the parent acts on the child’s behalf and provides verifiable parental consent under COPPA.

What information is collected about a child

The name and role the parent enters for the child.
The age or date of birth, if the parent chooses to provide it.
The Telegram chat ID linking the child to the bot.
The messages the child sends to the bot, the bot’s replies, and any memory facts saved about the child (for example, allergies, schedule, interests).

Parental controls

The parent owns the family account and controls every family member entry.
The parent can review the child’s saved data (memory facts, lists, calendar entries, audit metadata) from the dashboard.
The parent can remove the child as a family member at any time. Doing so deletes the child’s memory facts, list entries, calendar entries, and Telegram link.
The parent can request “delete all the bot’s memory of my child” by email at support@claw-bots.com. This cascades through the family memory facts table for that child and removes the child from the family roster.
The parent can withdraw consent at any time, after which the child will no longer be able to use the bot.

We do not knowingly collect more information about a child than is needed to operate the bot for that family, and we do not condition a child’s participation on disclosing more information than is reasonably necessary.

6. How long we keep data

Account data — kept while the account is active. After cancellation, deleted within 30 days.
Family content (lists, calendar entries, memory facts, conversation history) — kept while the account is active. Removed within 30 days of cancellation, or immediately when the parent removes a family member or requests deletion.
Tool-call audit logs — 30 days, then purged.
Backups — purged on a rolling 90-day cycle. Once a backup ages out, deleted records are no longer recoverable.
Billing records — retained for as long as required by tax and accounting law.

7. Your rights

Subject to applicable law, you (and parents acting on behalf of children) have the following rights:

Access — request a copy of the personal data we hold about your family.
Correction — ask us to fix inaccurate or incomplete data.
Deletion — ask us to delete your account, a specific family member, or specific memory facts.
Portability — receive your family data in a structured, machine-readable format.
Withdraw consent — withdraw consent for any processing we perform on the basis of your consent, including consent given on behalf of a child.
Lodge a complaint — contact your local data protection authority if you believe we have not handled your data lawfully.

To exercise any of these rights, email support@claw-bots.com. We aim to respond within 30 days.

8. Where your data is stored and international transfers

Your account, family roster, lists, calendar entries, and memory facts are stored in our database on Hetzner servers located in Germany (European Union).

When the bot generates a reply, the conversation is sent to OpenRouter and on to Google’s Gemini API for inference. Google may process this data in the United States or in other regions where Google operates infrastructure. By using ClawBots you consent to this cross-border transfer, which is necessary to deliver the service. We rely on the receiving providers’ published privacy programs and standard contractual safeguards where applicable.

9. Cookies

We use a minimal set of cookies. Our session cookie (better-auth.session_token) is required to keep you signed in. Stripe sets its own essential cookies on the checkout page so that payments work. We do not use advertising or cross-site tracking cookies in the current version. See our Cookie Policy for details.

10. Security

We use TLS encryption in transit, isolate each family’s container from every other family, restrict database access to authenticated services on a private network, and avoid logging secrets in plain text. No system is perfectly secure. If you find a vulnerability, please contact support@claw-bots.com before disclosing it publicly.

11. Children’s privacy

ClawBots is intended to be used by families where adults supervise the bot’s use by children. We do not knowingly collect personal information from a child without the account-holding parent’s consent. If you believe a child has used the service without the parent’s knowledge or consent, contact support@claw-bots.com and we will delete the relevant data promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify the account owner by email. Continued use of ClawBots after a change takes effect constitutes acceptance of the revised policy.

13. Contact us

For privacy questions, requests, or complaints:

Muscled Inc.

720 Bathurst Street, Toronto, ON M5S 2R4, Canada

Email: support@claw-bots.com

Questions? Email support@claw-bots.com.

← Back to home