Privacy Policy

Effective date: February 18, 2026

PocketClaw (“we”, “us”, “our”) operates the PocketClaw mobile application (the “App”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your choices regarding your data.

By using the App you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the App.

1. Information We Collect

1.1 Account Information

When you create an account we collect:

Email address — used for authentication and account recovery.
Password — hashed by our authentication provider (Supabase Auth); we never store or see plaintext passwords.
User ID — a unique identifier generated at signup.

If you sign in with a third-party provider (Google or Apple), we receive the email address and a provider-specific identifier. We do not receive your provider password.

1.2 Subscription & Billing Information

Subscriptions are processed by Apple (App Store) or Google (Play Store) through their in-app purchase systems. We receive a confirmation of your subscription status and plan tier but do not collect or store credit card numbers, bank account details, or other payment instruments.

1.3 AI Agent Data

PocketClaw creates a personal AI agent that runs in a cloud virtual machine (VM) on your behalf. The following data is associated with your PocketClaw agent:

Conversation content — messages you send to and receive from your agent, including text and any attached files.
Agent memory — your agent maintains a local memory store on its VM to provide continuity across conversations.
Workspace files — files your agent creates or downloads during tasks are stored on a persistent volume attached to the VM.
Configuration — agent name, model preferences, and enabled integrations.

1.4 Telegram Integration (Optional)

If you choose to connect a Telegram bot, we collect:

Telegram bot token — encrypted at rest using AES-256 authenticated encryption.
Telegram user ID — used to restrict bot access to you only.
Telegram bot username — for display purposes.

Telegram integration is entirely optional. If you do not configure it, none of this data is collected.

1.5 Push Notification Token

If you grant notification permissions, we store an Expo Push Token so we can deliver notifications when your agent completes a task or encounters an error. The token is cleared from our servers when you sign out.

1.6 Usage Data

We track daily counts of AI requests made by your agent for the sole purpose of enforcing plan-based rate limits. This data is not used for analytics, advertising, or profiling.

1.7 Information We Do Not Collect

Precise location or GPS data
Contacts, photos, or other on-device content
Device advertising identifiers
Browsing history outside the App
Analytics or behavioral telemetry

2. How We Use Your Information

Purpose	Data Used
Authenticate you and manage your account	Email, password hash, user ID
Provision and operate your AI agent	Agent config, conversation content, workspace files
Process AI requests via large language models	Conversation content (forwarded through PocketClaw's LLM proxy to tier-specific providers)
Deliver push notifications	Push token, notification content (truncated)
Enforce subscription limits and rate limits	Subscription tier, daily request counts
Connect your Telegram bot (if configured)	Telegram bot token (encrypted), Telegram user ID

3. How We Share Your Information

We do not sell your personal information. We share data with the following service providers solely to operate the App:

Provider	Purpose	Data Shared
Supabase	Authentication, database, serverless functions	Email, user ID, encrypted credentials, subscription status, usage counts
Fly.io	Virtual machine hosting for your AI agent	Agent config, workspace data, VM logs and metrics
Google	Large language model processing (Gemini, Pro tier)	Conversation content routed via PocketClaw infrastructure. Your email is not sent as part of model prompts.
Moonshot AI	Large language model processing (Kimi, Ultra tier)	Conversation content routed via PocketClaw infrastructure. Your email is not sent as part of model prompts.
Telegram (optional)	Messaging interface for your agent	Bot token, messages exchanged via the Telegram Bot API
Expo (expo.dev)	Push notification delivery	Expo Push Token, notification title and body
Apple / Google	In-app purchase and subscription management	Subscription status (managed by the platform; we do not send additional data)

We may also disclose information if required by law, regulation, or legal process.

4. Data Security

Encryption in transit — All network communication uses HTTPS/TLS. WebSocket connections use WSS (TLS-encrypted).
Encryption at rest (credentials) — Sensitive credentials (Telegram bot tokens, gateway tokens) are encrypted in the database using AES-256 authenticated encryption.
On-device security — Tokens and secrets on your device are stored in the operating system's secure enclave (iOS Keychain / Android Keystore) via Expo SecureStore.
Access control — Database row-level security ensures you can only access your own data. Encryption keys are managed server-side and are not accessible to client applications.
API key isolation — Third-party API keys (Google, Moonshot, Fly.io) are stored as server-side secrets and are never sent to or accessible from the mobile app.

No system is perfectly secure. While we implement industry-standard protections, we cannot guarantee absolute security of your data.

5. Data Retention & Deletion

Account data — Retained as long as your account is active.
Agent data (VM, memory, workspace) — Retained while your PocketClaw is provisioned. When you destroy your PocketClaw, the VM, persistent volume, and all data on it are permanently deleted.
Conversation data at model providers — Conversation content may be processed by Google (Gemini) or Moonshot (Kimi), depending on your plan. Provider-specific retention and privacy handling are governed by those providers' policies.
Push notification tokens — Cleared from our servers when you sign out.
Usage counts — Retained for rate-limiting; may be periodically purged.

To delete your account and all associated data, use the in-app flow at Settings → Delete Account. This removes your account records and associated infrastructure after cleanup succeeds.

6. Your Rights & Choices

Access — You may request a copy of the personal data we hold about you.
Correction — You may update your email or password through the App.
Deletion — You may delete your account directly in-app (see Section 5).
Push notifications — You can disable notifications at any time in your device settings.
Telegram — You can disconnect your Telegram bot at any time in the App settings; the encrypted token will be deleted.

If you are a resident of the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under GDPR or CCPA, including the right to data portability and the right to object to processing. Contact us to exercise these rights.

7. Children's Privacy

PocketClaw is not intended for use by anyone under the age of 17. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. By using the App, you consent to the transfer of your information to these locations. We ensure appropriate safeguards are in place with our service providers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App or by email. The “Effective date” at the top indicates when the policy was last revised.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: support@pocket-claw.com

Support: https://pocket-claw.com/support