Privacy Policy — HiveClaw

At HiveClaw (“HiveClaw,” “we,” “us,” or “our”), we understand that we are handling your most valuable assets: your ideas, your proprietary code, your credentials, and your business data. This Privacy Policy explains what personal information we collect, how we use it, how we share it, how we protect it, and what rights you have regarding your data when you use the HiveClaw platform and all related services (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service immediately. This Privacy Policy should be read alongside our Terms of Service.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, and payment identifiers.
“Project Data” means requirements, specifications, documentation, uploaded files, conversation history, and any other materials you provide to inform or direct the Swarm.
“Generated Output” means source code, designs, documentation, and any other deliverables produced by our AI agents (“Crab-Bees”) on your behalf.
“Credentials” means API keys, passwords, tokens, secrets, and other authentication data you store in HiveVault.
“Swarm” means the coordinated set of AI agents that execute your project, orchestrated by Alfred (our orchestration agent).
“Processing” means any operation performed on Personal Data, whether automated or manual, including collection, storage, use, disclosure, and deletion.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: When you register, we collect your name, email address, password (stored as a cryptographic hash—we never store plaintext passwords), company name (optional), avatar, and timezone preferences.
OAuth Data: If you sign in via Google or GitHub, we receive your profile information (name, email, avatar) and an authentication token from the provider. We store provider account identifiers to link your social login to your HiveClaw account.
Project Data: Requirements, specifications, briefs, wireframes, documentation, and files you upload during the intake and build process.
Communication Content: Messages you send through in-platform conversations and connected communication channels (Slack, Discord, Telegram, or email), including any attachments.
Credentials (HiveVault): API keys, passwords, tokens, and secrets you store in HiveVault for use by the Swarm during project execution. These are encrypted at rest using AES-256 encryption and are scoped per-project, per-phase, and per-agent role.
Billing Information: When you fund a project, Stripe collects and processes your payment method details (credit/debit card information). We store only your Stripe customer ID and default payment method identifier—we never directly store your full card number or CVV.
Support Communications: Any emails, messages, or feedback you send to our support team.

2.2 Information Collected Automatically

Usage Data: Pages visited, features used, actions taken within the dashboard, timestamps of activity, and interaction patterns.
Device & Browser Information: Browser type and version, operating system, screen resolution, language preferences, and device identifiers.
IP Address: Your IP address is collected for security purposes (including fraud detection, rate limiting, and credential access auditing) and may be used to infer approximate geographic location.
Cookies & Similar Technologies: We use cookies and similar storage mechanisms for session management, authentication persistence, and user preference storage. See Section 10 (Cookies & Tracking) for details.
Log Data: Server access logs, error logs, and API request metadata, which may include request paths, response codes, and timing information.

2.3 Information from Third Parties

OAuth Providers: Profile data from Google or GitHub when you use social login.
reCAPTCHA: Google reCAPTCHA collects hardware and software information (device type, OS, browser) and interaction data to determine whether the visitor is human. This data is governed by Google’s Privacy Policy.
Stripe: Payment confirmation status, transaction identifiers, and fraud-related signals.

2.4 Generated Output & AI Processing

During project execution, our AI agents process your Project Data and Credentials to generate code, designs, and documentation. This processing occurs through third-party LLM providers (see Section 7). The Generated Output, along with intermediate artifacts such as agent memory and reasoning logs, is stored in project-isolated namespaces and is subject to the same retention policies as Project Data.

3. How We Use Your Information

We process your information for the following purposes:

3.1 Service Delivery

To create and manage your account and authenticate your identity.
To execute your projects via coordinated AI agents, including intake, estimation, building, and delivery.
To facilitate communication regarding project status, approvals, budget alerts, and deliverables.
To provide HiveVault functionality, including scoped credential access for agents during builds.

3.2 Billing & Payments

To process payments, issue invoices, track real-time spend, and handle refund requests via Stripe.
To enforce budget limits and pause work when funded balances are exhausted.

3.3 Security & Integrity

To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
To enforce rate limits and monitor for unauthorized access attempts.
To maintain comprehensive audit logs of credential access, agent actions, and project activity.

3.4 Platform Improvement

To analyze aggregated, de-identified usage patterns to improve the platform’s features, performance, and reliability.
To debug issues, monitor infrastructure health, and improve agent accuracy.

3.5 Communications

To send transactional emails (verification, password reset, project updates, billing receipts).
To relay project messages through your chosen communication channel (Slack, Discord, Telegram, or email).

We do not sell, rent, or trade your Personal Data. We do not use your proprietary Project Data, Generated Output, or Credentials to train foundational AI models.

4. Lawful Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process Personal Data under the following lawful bases:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have requested, including account management, project execution, billing, and communication.
Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement through aggregated analytics, and enforcement of our Terms of Service, where such interests are not overridden by your rights and freedoms.
Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, such as tax reporting, anti-money laundering regulations, and responding to lawful government requests.
Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Project Isolation & Security

Security is not an afterthought at HiveClaw—it is foundational to our architecture. We enforce strict isolation between all projects to prevent cross-contamination of data:

5.1 Infrastructure Isolation

Repositories: Every project receives a dedicated, private Git repository. No agent or process from one project can access another project’s repository.
Agent Memory: Agent context, reasoning, and memory are namespace-isolated. An agent working on Project A has zero access to the data of Project B.
Dedicated Tier: Dedicated-tier customers receive a physically separate VPS with full infrastructure isolation.

5.2 Credential Security (HiveVault)

Encryption: All credentials are encrypted at rest using AES-256 with per-credential encryption keys.
Scoped Access: Credentials are scoped by project, by phase, and by agent role. An agent can only access credentials explicitly assigned to its scope.
Audit Logging: Every credential access attempt (granted or denied) is logged with timestamp, agent type, purpose, and IP address.
Classification: Credentials are classified by sensitivity level (low, medium, high), with escalating access controls for higher classifications.

5.3 Additional Security Measures

All data in transit is encrypted using TLS 1.2 or higher.
Passwords are hashed using bcrypt with an appropriate cost factor.
Session tokens are securely generated and rotated.
Rate limiting is enforced on all API endpoints and authentication flows.
reCAPTCHA is used to protect against automated abuse during registration.
We perform regular security reviews and maintain incident response procedures.

6. Data Retention & Deletion

We believe in data minimization. We do not want to hold your data longer than necessary.

6.1 Retention Periods

Project Data & Generated Output: Automatically and permanently deleted 90 days after project completion or termination. This includes source code, specifications, agent memory, conversation history, and all intermediate artifacts.
HiveVault Credentials: Deleted alongside the associated project. Credentials with a user-defined expiration are automatically purged upon expiry.
Account Data: Retained for as long as your account is active. Upon account deletion, all associated personal data and project data are queued for permanent deletion.
Billing Records: Transaction records, invoices, and related financial data are retained for a minimum of 7 years to comply with applicable tax and accounting regulations.
Audit Logs: Security and credential access logs are retained for 1 year for compliance and incident investigation purposes.
Server Logs: Automated server and error logs are retained for up to 90 days for debugging and operational purposes, then permanently deleted.

6.2 Your Deletion Rights

Instant Project Deletion: You may request immediate, permanent deletion of any project and all its associated data at any time via your dashboard.
Account Deletion: Deleting your account immediately queues all associated projects, personal data, credentials, and communication history for permanent, irreversible deletion.
Verification: Deletion requests are processed within 30 days. You will receive confirmation once deletion is complete.

6.3 Data Portability

You may export your project data, including source code, deliverables, and project briefs, through the dashboard at any time before the retention period expires. Generated Output is delivered to you as part of normal project completion (via Git repository handoff, deployed applications, and downloadable assets).

7. Third-Party Services & Data Sharing

We share data with third parties only as necessary to provide the Service. We do not sell your data to any third party.

7.1 LLM Providers (AI Processing)

We use APIs from Anthropic (Claude) and OpenAI to power our AI agents. When agents process your Project Data, portions of that data may be sent to these providers as API prompts.

We utilize zero-data-retention API agreements where available, meaning these providers do not store or train on the prompts and completions from our API calls.
We minimize the data sent in each prompt to only what is necessary for the specific task.
Credentials from HiveVault are never sent to LLM providers in plaintext—agents use tool-based access patterns that inject credentials at the execution layer, not the prompt layer.

7.2 Payment Processing

All payment processing is handled by Stripe. Stripe collects and processes your payment method information directly. We never have access to your full card number. Stripe’s handling of your data is governed by their privacy policy.

7.3 Infrastructure & Hosting

Hetzner: We use Hetzner Cloud for server hosting (EU-based data centers).
Cloudflare R2 / AWS S3: We use cloud object storage for file uploads (intake documents, deliverables).
GitHub: Dedicated private repositories are provisioned under our GitHub organization for project source code.

7.4 Communication Services

Resend: Transactional emails (verification, password reset, project updates) are sent via Resend.
Slack, Discord, Telegram: If you connect a communication channel, project messages are relayed through the respective platform. Data shared through these channels is also subject to each platform’s own privacy policies.

7.5 Security & Anti-Abuse

Google reCAPTCHA: Used during registration to prevent automated abuse. Subject to Google’s Privacy Policy and Terms of Service.

7.6 Legal & Compliance Disclosures

We may disclose your information if required to do so by law or in good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or government request; (b) protect and defend our rights or property; (c) prevent fraud or address security issues; or (d) protect the personal safety of users or the public.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States and countries within the European Union. Our primary hosting infrastructure is located in the EU (Hetzner, Germany), but certain third-party services (Stripe, Anthropic, OpenAI, GitHub) may process data in the United States.

For transfers of Personal Data from the EEA, UK, or Switzerland to countries not deemed to have adequate data protection by the European Commission, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Processing Agreements with our sub-processors that include appropriate safeguards.
Where applicable, the EU-U.S. Data Privacy Framework certifications of our sub-processors.

9. Automated Decision-Making

Our Service relies heavily on AI-driven automated processing. Specifically:

Project Estimation: Our AI agents analyze your project requirements to generate scope estimates, budget ranges, timelines, and agent rosters. These are projections for your review and approval—not binding decisions.
Code Generation & Execution: AI agents autonomously write code, create designs, and produce deliverables based on your specifications. All significant outputs are subject to phase-gate reviews that require your explicit approval before proceeding.
Budget Enforcement: Spend is tracked automatically, and work pauses automatically when funded balances reach zero. This is a deterministic system, not an AI judgment.
Fraud Detection: We may use automated systems to detect suspicious activity (e.g., unusual login patterns, excessive API requests). Accounts flagged by automated systems are reviewed by human operators before any adverse action is taken.

You have the right to request human review of any automated decision that significantly affects you. Contact us at privacy@hiveclaw.ai to exercise this right.

10. Cookies & Tracking Technologies

We use the following cookies and similar technologies:

10.1 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. They include session cookies for authentication, CSRF protection tokens, and user preference storage (e.g., timezone, theme).

10.2 Functional Cookies

These cookies remember your choices (such as your preferred communication channel or dashboard layout) to provide a more personalized experience.

10.3 Analytics Cookies

We may use analytics tools to understand how users interact with the platform in aggregate. Any analytics data is anonymized and is never linked to your Project Data or Credentials.

10.4 Third-Party Cookies

Google reCAPTCHA may set cookies to evaluate whether interactions are legitimate. Stripe may set cookies for payment fraud detection. These are governed by the respective third party’s cookie policies.

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using certain features of the Service.

11. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your Personal Data:

11.1 Rights Under GDPR (EEA, UK, Switzerland)

Right of Access (Art. 15): Request a copy of the Personal Data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete Personal Data.
Right to Erasure (Art. 17): Request deletion of your Personal Data (“right to be forgotten”), subject to legal retention obligations.
Right to Restriction (Art. 18): Request that we restrict Processing of your Personal Data under certain circumstances.
Right to Data Portability (Art. 20): Receive your Personal Data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21): Object to Processing based on legitimate interests, including profiling.
Right Regarding Automated Decisions (Art. 22): Not be subject to a decision based solely on automated Processing that produces legal effects or similarly significant effects, with the right to obtain human intervention.
Right to Withdraw Consent: Where Processing is based on consent, withdraw your consent at any time.
Right to Lodge a Complaint: File a complaint with your local supervisory authority (Data Protection Authority).

11.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of the categories and specific pieces of Personal Data we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: Request deletion of your Personal Data, subject to certain exceptions.
Right to Correct: Request correction of inaccurate Personal Data.
Right to Opt Out of Sale/Sharing: We do not sell your Personal Data and do not share it for cross-context behavioral advertising. Therefore, there is no need to opt out.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive Personal Data, you may request that we limit its use to what is necessary to provide the Service.

To exercise these rights, contact us at privacy@hiveclaw.ai or use the self-service options in your dashboard. We will respond within 45 days (CCPA) or 30 days (GDPR). We may request identity verification before processing your request.

11.3 Do Not Track

Our Service does not currently respond to “Do Not Track” browser signals, as there is no industry-standard protocol for compliance. However, we minimize tracking as described in Section 10.

12. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact us at privacy@hiveclaw.ai, and we will promptly delete the information.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law (e.g., GDPR Art. 33).
Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, including the nature of the breach, the data involved, likely consequences, and the measures taken or proposed.
Document all breaches, including facts, effects, and remedial actions, in our internal breach register.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Post the updated policy on this page with a revised “Last updated” date.
Notify you via email and/or an in-app notification at least 30 days before the changes take effect for material changes that affect how we process your data.
Where required by law, obtain your consent before applying changes to existing data processing.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer: privacy@hiveclaw.ai
General Support: support@hiveclaw.ai

For EEA/UK residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.