Privacy Policy

Last Updated: March 19, 2026 · Effective Date: March 19, 2026

TL;DR: We collect the minimum data necessary to operate the platform. We cannot read your exchange API keys, trading strategies, or agent conversations. Your data is yours — you can export or delete it at any time.

1. Our Privacy Philosophy

OpenFinClaw Compute is designed with a "platform zero-knowledge" principle:

We provide compute infrastructure; you own all data
Your sensitive data (exchange keys, strategies, trades) is encrypted and inaccessible to us
We only see what's needed for billing and infrastructure health monitoring

2. Information We Collect

2.1 Information You Provide

Data	Purpose	Retention
Email address	Account authentication, billing, essential notifications	Until account deletion
Display name	Personalization	Until account deletion
Timezone & language preference	Localization	Until account deletion
Payment information	Subscription billing (processed by Stripe; we do not store card numbers)	Managed by Stripe

2.2 Information Collected Automatically

Data	Purpose	Retention
IP address	Rate limiting, security, abuse prevention	30 days (logs)
Resource usage (CPU, memory, storage, network)	Billing, quota enforcement	90 days
Container health & uptime metrics	Service reliability, auto-sleep/wake	30 days
Audit log (action type, timestamp, actor)	Security auditing	1 year

2.3 Information We Do NOT Collect or Access

The following data exists only inside your isolated container environment. We cannot read, access, or decrypt it.

Data	Status
Exchange API keys & secrets	Encrypted — Platform cannot access
Trading strategy source code	Platform cannot access
Trading history & portfolio	Platform cannot access
Agent conversations & memory	Platform cannot access
LLM API keys	Encrypted — Platform cannot access
Notification channel tokens (Telegram, etc.)	Encrypted — Platform cannot access

3. How We Use Your Information

Account management: Authentication, profile, preferences
Service delivery: Container provisioning, auto-sleep/wake, health monitoring
Billing: Usage metering, subscription management, invoicing
Security: Abuse detection, rate limiting, audit logging
Essential communications: Service alerts, billing notifications, security notices

We do NOT use your data for:

Advertising or ad targeting
Selling to third parties
Training AI models
Profiling your trading behavior

4. Third-Party Services

We share the minimum necessary data with the following service providers:

Service	Purpose	Data Shared	Privacy Policy
Supabase	Authentication & database	Email, hashed password, profile	Link
Stripe	Payment processing	Email, payment method (card handled by Stripe)	Link

We do NOT share data with any other third parties, analytics providers, or advertising networks.

5. Data Security

Measure	Implementation
Encryption at rest	AES-256-GCM envelope encryption for all sensitive credentials
Encryption in transit	TLS 1.3 for all connections
Tenant isolation	Dedicated container per user with network policies
Access control	JWT-based authentication, RBAC, Row Level Security (RLS)
Audit logging	Append-only audit trail (immutable)
Data destruction	Cryptographic shredding upon account deletion

6. Data Retention & Deletion

Data Category	Retention Period
Account data (email, profile)	Until account deletion + 30 days
Usage metrics	90 days
Billing records	7 years (legal requirement)
Audit logs	1 year
Server access logs	30 days
Agent data (strategies, trades, memory)	Destroyed within 30 days of account deletion

6.1 Account Deletion

You may delete your account at any time from the Settings page or by contacting us. Upon deletion:

Your agent containers are immediately stopped and scheduled for destruction
All encryption keys are destroyed (cryptographic shredding), rendering encrypted data permanently irrecoverable
Account data is purged from our database within 30 days
Billing records are retained for 7 years per legal requirements

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

Right	Description	How to Exercise
Access	Request a copy of your personal data	Settings > Export Data
Rectification	Correct inaccurate personal data	Settings > Profile
Deletion	Request deletion of your personal data	Settings > Delete Account
Portability	Export your data in a standard format	Settings > Export Data
Restriction	Restrict processing of your data	Contact us
Objection	Object to certain processing activities	Contact us

8. Cookies & Local Storage

We use only essential cookies and local storage:

Name	Purpose	Type	Expiry
Supabase auth token	Authentication session	Local Storage	Session / refresh
ofc-lang	Language preference (zh/en)	Local Storage	Persistent
ofc-theme	Theme preference	Local Storage	Persistent

We do NOT use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children's Privacy

The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. International Data Transfers

Your data may be stored and processed in:

Hong Kong SAR — Primary infrastructure (Tencent Cloud)
United States — Supabase (authentication), Stripe (payments)

Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-platform notification at least 14 days before the changes take effect. The "Last Updated" date at the top reflects the most recent revision.

12. Contact Us

For privacy-related questions or to exercise your rights:

Email: [email protected]
General: [email protected]