Privacy Policy

Last updated: March 2026

1. Data Controller

dcode technologies S.à r.l., Luxembourg, is the data controller for the processing of personal data on wp-claw.ai. Contact: [email protected].

2. Data We Collect

  • Account data: Email address, company name (optional), subscription plan.
  • Site connection data: WordPress site URL, PHP version, WP version, plugin version, connection status.
  • Usage data: API request logs (endpoint, timestamp, status code), task counts, agent activity summaries.
  • Payment data: Processed by Stripe. We store subscription status and plan details, never credit card numbers.
  • Analytics: Plausible Analytics (cookieless, no personal data collected, GDPR-compliant by design). Optionally, Google Analytics 4 with IP anonymization — only activated with your explicit consent via the cookie banner.

3. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Account creation, site connection, subscription management, AI agent operation.
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement.
  • Consent (Art. 6(1)(a)): Marketing emails (opt-in only).
  • Legal obligation (Art. 6(1)(c)): Invoicing, tax records, regulatory compliance.

4. How We Use Your Data

  • Provision and operation of the WP-Claw service (AI agents managing your WordPress site).
  • Authentication and account management.
  • Processing payments and managing subscriptions via Stripe.
  • Sending transactional emails (connection status, billing, security alerts).
  • Service improvement based on aggregated, anonymized usage patterns.
  • Security monitoring and abuse prevention.

5. Data Sharing

We share data only with:

  • Supabase (database + auth): EU-hosted, your account and site data.
  • Stripe (payments): Payment processing only. See the Stripe Privacy Policy.
  • Hetzner (hosting): EU-based server infrastructure.
  • AI model providers: Task context sent to LLM APIs for agent operation. No personal data included in prompts — only site content and operational data.

We do not sell personal data. We do not share data with advertising networks.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • API logs / audit trail: 90 days.
  • Invoices and payment records: 10 years (Luxembourg legal requirement).
  • Analytics data: Plausible retains aggregated data only (no personal data).

7. Your Rights (GDPR Art. 15-22)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”, Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (data portability, Art. 20)
  • Object to processing (Art. 21)

To exercise these rights, contact [email protected]. We respond within 30 days.

8. Security

API keys are encrypted at rest with AES-256-GCM. All communication uses HTTPS with HMAC-SHA256 signed requests. Connection tokens are one-time use and stored as SHA-256 hashes. Your Klawty instance is isolated on our internal network — never exposed to the public internet.

9. Cookies

WP-Claw uses essential cookies for authentication (Supabase session cookies). We use Plausible Analytics, which does not use cookies. If you opt in via the cookie banner, Google Analytics 4 may set analytics cookies (_ga, _ga_*) with IP anonymization enabled. No analytics cookies are set without your explicit consent. See our Cookie Policy for details.

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. For Luxembourg: Commission Nationale pour la Protection des Données (CNPD).

11. Changes

We may update this policy. Changes are posted on this page with an updated date. For material changes, we notify you via email.