SiuClaw (hereinafter "the Service", "we", "us") is operated by Heart Forest Investment Co. Limited at siuclaw.com. This Privacy Policy explains how we collect, use, store, and disclose your personal data, in compliance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, hereinafter "PDPO").
By using the Service, you consent to the data processing practices described in this Policy. If you do not agree, please discontinue use of the Service.
1. Personal Data We Collect
We collect only the personal data necessary to provide the Service, including:
1.1 Account Data
- Email address
- Name or display name
- Password (stored as a bcrypt hash; we cannot read your plaintext password)
1.2 Payment Data
- Payment records and subscription status (processed by Stripe; we do not store credit card numbers or full payment details)
- Stripe Customer ID
1.3 Message and AI Conversation Data
- Message content sent via Telegram or WhatsApp (Baileys)
- Conversation history with the OpenClaw AI system
- AI instructions, workflow configurations, and related outputs
1.4 Usage Data
- Token usage and quota consumption
- Service usage time, frequency, and feature usage records
- Container runtime status and system logs (excluding conversation content)
1.5 Technical Data
- IP address (used for security and abuse prevention)
- Browser type and device information (collected via Google Analytics 4)
- Session cookie identifiers
2. Purpose of Collection
We collect your personal data for the following purposes (PDPO Data Protection Principle 1):
- Creating and managing your SiuClaw account
- Deploying and operating your dedicated OpenClaw container
- Processing subscription payments and token top-ups
- Providing customer support and technical assistance
- Monitoring service health, preventing abuse, and ensuring system security
- Sending service-related notifications (e.g. billing notices, service changes)
- Improving service quality (using anonymised usage data for analysis)
- Complying with applicable legal obligations
We will not use your personal data for any purpose beyond those listed above, and we will not sell your personal data to any third party.
3. Data Storage and Security
3.1 Storage Location
Your data is stored on servers in a Hetzner data centre located in Singapore. We selected this location to ensure low-latency service while maintaining reasonable data protection standards.
3.2 Encryption Measures
- All data at rest is encrypted using AES-256
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are stored as irreversible bcrypt hashes
- Each user has a fully isolated Docker container; data is never shared with other users
3.3 Access Controls
Only authorised personnel of Heart Forest Investment Co. Limited and necessary automated systems have access to user data. No customer support team has access to conversation content.
4. Third-Party Service Providers
We use the following third-party service providers to help deliver the Service. These providers act as data processors and may only process your data according to our instructions:
4.1 Stripe (Payment Processing)
We use Stripe to process all payment transactions. Your credit card and payment information is processed and stored directly by Stripe; we do not store your full payment details. Stripe is PCI DSS compliant.
4.2 OpenRouter (AI Model Routing)
AI conversation requests are routed through OpenRouter to various large language model providers. OpenRouter may process query content in accordance with its own privacy policy.
4.3 Telegram
If you choose to use the Telegram channel, messages will be transmitted via Telegram's infrastructure. Telegram's data processing is governed by its privacy policy.
4.4 WhatsApp (Baileys Library)
If you choose to use the WhatsApp channel, we use the open-source Baileys library to connect to WhatsApp. Messages are transmitted via WhatsApp's infrastructure and are subject to WhatsApp's privacy policy.
4.5 Hetzner (Cloud Infrastructure)
Hetzner provides server hosting in their Singapore data centre. As an infrastructure provider, Hetzner does not directly access the content of your personal data.
4.6 Google Analytics 4
We use Google Analytics 4 (tracking ID: G-WPN4819005) to collect anonymised website usage data to understand how users interact with our website. Data collected by Google Analytics includes page views, session duration, and device type, but does not include personally identifiable information.
5. Cookie Policy
The Service uses only session cookies. We do not use tracking cookies or third-party advertising cookies.
- Cookie purpose: maintaining your login state and session security
- Cookie attributes: HttpOnly (prevents JavaScript access), Secure (transmitted over HTTPS only), SameSite=Strict
- Expiry: automatically expires when the browser is closed (session cookies)
- We do not use persistent tracking cookies
Google Analytics 4 may use its own cookies (such as _ga). For details, please refer to Google's cookie policy. You may opt out of Google Analytics tracking via your browser settings or by using the Google Analytics Opt-out Add-on.
6. Data Retention
We retain your personal data according to the following principles:
- Account data: retained for the duration your account is active
- AI conversation records and messages: retained for the duration your account is active, for use by your OpenClaw container
- Payment records: retained for at least 7 years as required by applicable law (including the Hong Kong Inland Revenue Ordinance)
- After account deletion: all personal data (except payment records) will be permanently deleted within 30 days of account deletion
- System logs: retained for a maximum of 90 days for security monitoring and diagnostics
7. Your Data Subject Rights Under PDPO
Under the Hong Kong Personal Data (Privacy) Ordinance (PDPO), you have the following rights:
7.1 Right of Access (PDPO Section 18)
You have the right to request access to the personal data we hold about you, including the categories of data and how it is used.
7.2 Right of Correction (PDPO Section 22)
If you believe personal data we hold about you is inaccurate, you have the right to request correction.
7.3 Right to Erasure
You may request deletion of your account and all associated personal data at any time. Deletion requests will be processed within 30 working days. Payment records subject to legal retention obligations are excluded.
7.4 Right to Lodge a Privacy Complaint
If you believe we have violated the PDPO, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.
To exercise any of the above rights, please contact us using the details below. We will respond within a reasonable time (generally within 40 days).
8. Cross-Border Data Transfers
Your data may be transferred outside Hong Kong through the third-party service providers we use (such as Stripe, OpenRouter, Telegram, and WhatsApp). We ensure such transfers comply with PDPO Data Protection Principle 3 and take reasonable steps to ensure that recipients provide an equivalent level of data protection.
9. Children's Privacy
The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete the relevant data as soon as possible.
10. Amendments to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and update the "Last Updated" date at the top of this Policy. We recommend reviewing this Policy periodically. Continued use of the Service constitutes acceptance of the updated Policy.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data subject rights, please contact:
SiuClaw Data Officer
Operator: Heart Forest Investment Co. Limited
Contact Person: Winson Yau
Email: yauchakfung@gmail.com
Website: siuclaw.com
We aim to respond to all enquiries within 40 working days of receipt.