GDPR Compliance

GDPR and ClawHosters

ClawHosters operates under the General Data Protection Regulation (GDPR) as a German company with all infrastructure located in Germany. This page explains your rights as a data subject, what data we process, and how to exercise those rights.

Who Is the Data Controller

ClawHosters (operated by Daniel Samer, based in Germany) is the data controller for your account data, billing information, and instance metadata.

For the content stored on your OpenClaw instance (AI conversations, chat history, configuration), you are the data controller. ClawHosters provides the infrastructure but does not access or process the content on your instance.

What We Process and Why

Data Category	Legal Basis	Purpose
Email address	Contract performance	Account creation, login, communication
Password hash	Contract performance	Account authentication
Billing records	Legal obligation (GoBD)	Tax compliance, invoicing
Instance metadata	Contract performance	Service delivery, instance management
API tokens	Contract performance	API access
BYOK API keys	Contract performance	LLM routing
Server logs	Legitimate interest	Security monitoring, abuse prevention
Payment data	Contract performance	Processed by Stripe, not stored by ClawHosters

We do not process data for advertising, profiling, or selling to third parties.

Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you. This includes your account information, billing history, instance metadata, and any support ticket history.

How to request: Open a support ticket from your dashboard or email support. We will respond within 30 days.

Right to Rectification (Article 16)

If any of your personal data is inaccurate or incomplete, you can request correction. You can update your email address and account details directly from your dashboard settings.

Right to Erasure (Article 17)

You can request deletion of your account and all associated data. When you delete your account:

• Instance data (VPS, snapshots) is deleted within 24 hours
• Account data (email, profile, metadata) is deleted within 30 days
• Billing records are retained for 10 years per German tax law (GoBD) -- this is a legal obligation that overrides the right to erasure for financial records
• Stripe retains payment data per their own policy

How to request: Delete your account from dashboard settings, or contact support for assisted deletion.

Right to Data Portability (Article 20)

You can request your data in a machine-readable format. Available exports:

• Instance data: Access via SSH and copy your files
• Configuration: Download openclaw.json from dashboard
• Billing history: Available in dashboard under Billing
• Full account export: Request via support ticket

Right to Restriction of Processing (Article 18)

You can request that we stop processing your data while a complaint or correction is being resolved. During restriction, your account remains active but no new data processing occurs beyond what is needed to maintain the service.

Right to Object (Article 21)

You can object to processing based on legitimate interest (server logs for security monitoring). If you object, we will evaluate whether our legitimate interest overrides your rights.

Right to Lodge a Complaint

If you believe your data rights have been violated, you can lodge a complaint with a supervisory authority. The relevant authority for a German company is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

You can also contact your local EU data protection authority, which will coordinate with the BfDI.

Data Retention Periods

Data	Retention	Reason
Active account data	Duration of account	Needed for service
Deleted account data	30 days after deletion	Cleanup window
Financial records	10 years	German tax law (GoBD)
Server logs	90 days	Security and abuse monitoring
Snapshots (paused instances)	7-day grace period, then deleted	Cost management
Support tickets	Duration of account + 30 days	Service history

Sub-Processors

ClawHosters uses the following third-party services that process personal data:

Service	Purpose	Data Processed	Location
Hetzner Cloud	VPS hosting, snapshots	IP addresses, server metadata	Germany
Stripe	Payment processing	Payment method, billing address	EU (with US processing per Stripe DPA)
Coinbase Commerce	Crypto payments	Wallet address, payment amount	US
LLM providers (if managed add-on)	AI model inference	Prompts sent by user	Varies by provider

For BYOK users: you choose your own LLM provider and are responsible for that provider's data handling. ClawHosters only routes the request.

Data Processing Agreement

For business customers who need a formal Data Processing Agreement (DPA) under Article 28 GDPR, contact support. We can provide a DPA that covers the processing activities described on this page.

Contact for Data Requests

For any GDPR-related requests:

1. Open a support ticket from your ClawHosters dashboard
2. Specify which right you are exercising
3. We will acknowledge your request within 48 hours and fulfill it within 30 days

Related Docs

• Data Handling and Privacy -- What data is stored where and how it is protected
• Security Overview -- Infrastructure, container, and data protection measures
• How to Contact Support -- Support ticket creation and response times