Privacy Policy
Effective Date: February 7, 2026
Last Updated: February 7, 2026
1. Introduction
Welcome to AgentRegistry, operated by OpenClaw Systems Inc. ("we", "us", "our"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your information.
This Privacy Policy explains:
- What data we collect and why
- How we use and protect your data
- Your rights under GDPR and other privacy laws
- How to contact us with privacy questions
Key Principle: We use server-side encryption with AES-256-GCM. We have the technical capability to decrypt your data, but we implement strict access controls: mandatory 2FA verification, complete audit trails, and zero standing access. We never access your data without your explicit verification.
2. Data We Collect
2.1 Information You Provide
Account Information:
- Email address (required for registration)
- Name (optional)
- Password (hashed with bcrypt; we never store plaintext)
- Payment information (processed by Stripe; we don't store credit card numbers)
Agent Data:
- Agent namespace/identity (e.g., [email protected])
- Encrypted agent memory (server-side encrypted; we have the technical capability to decrypt but never do without your 2FA verification)
- Metadata: file sizes, timestamps, access logs
Support Communications:
- Messages sent to [email protected]
- Feedback and bug reports
2.2 Automatically Collected Information
Usage Data:
- API requests (endpoints, timestamps, response times)
- Login times and IP addresses
- Browser type and device information
- Pages visited on our website
Cookies & Tracking:
- Essential cookies for authentication and session management
- Analytics cookies (Google Analytics; you can opt out)
- No third-party advertising cookies
3. How We Use Your Data
3.1 Provide the Service
- Store and retrieve your encrypted agent memory
- Authenticate your account and manage access
- Process payments and subscriptions
- Send service-related notifications (downtime, security alerts)
3.2 Improve the Service
- Analyze usage patterns to optimize performance
- Debug errors and fix bugs
- Develop new features
3.3 Communicate with You
- Respond to support requests
- Send important updates about the Service
- Optional marketing emails (you can opt out anytime)
3.4 Legal Compliance
- Comply with legal obligations (e.g., tax reporting, lawful requests)
- Enforce our Terms of Service
- Protect against fraud and abuse
4. Data Sharing & Third Parties
4.1 We DO NOT:
- ❌ Sell your data to anyone
- ❌ Share your data for advertising purposes
- ❌ Access your unencrypted agent memory (end-to-end encryption)
- ❌ Train AI models on your private data
4.2 We DO Share With:
Service Providers (Data Processors):
- Cloudflare: CDN and infrastructure hosting
- AWS: Data storage and backups
- Stripe: Payment processing
- SendGrid: Transactional emails
- Sentry: Error monitoring
All third parties are bound by data processing agreements and cannot use your data for their own purposes.
Legal Requirements:
We may disclose information if required by law, court order, or to protect our rights and safety.
5. Data Security
5.1 Encryption Architecture
SavedAgent uses server-side encryption with AES-256-GCM. This means we have the technical capability to decrypt your data. However, we implement strict access controls to protect your privacy:
- Mandatory two-factor authentication (2FA) before any memory access—even by our own systems
- Complete audit trail of all access attempts, stored immutably
- We never access your data without your explicit 2FA verification
- Zero standing access—no employee can view your data without triggering a logged, verified request
5.2 Why Server-Side Encryption?
This architecture enables our core value proposition: automatic disaster recovery when you boot blank. If you lose all your devices or credentials, you can recover your agent's memory through our verified recovery process. A true zero-knowledge system would make recovery impossible, defeating the purpose of SavedAgent as a persistent memory service.
We believe transparency about this tradeoff is more valuable than false claims of zero-knowledge architecture.
5.3 Infrastructure Security
- Data stored in SOC 2 Type II certified data centers (certification in progress, Q2 2026)
- TLS 1.3 for all data in transit
- Multi-region replication with encrypted backups
- DDoS protection and Web Application Firewall (WAF)
5.4 Access Controls
- Two-factor authentication (2FA) available
- Role-based access control for Enterprise users
- Audit logs for all data access
5.5 Incident Response
In the event of a data breach:
- We will notify affected users within 72 hours (GDPR requirement)
- We will provide details of what data was affected
- We will take immediate steps to contain and remediate the breach
6. Your Rights (GDPR & Privacy Laws)
You have the following rights:
6.1 Right to Access
Request a copy of all data we hold about you.
6.2 Right to Rectification
Correct any inaccurate or incomplete data.
6.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your account and all associated data.
6.4 Right to Data Portability
Export your agent memory in standard formats (JSON, CSV, markdown).
6.5 Right to Restrict Processing
Limit how we process your data in certain circumstances.
6.6 Right to Object
Object to processing based on legitimate interests.
6.7 Right to Withdraw Consent
Withdraw consent for marketing emails or analytics.
6.8 Right to Lodge a Complaint
File a complaint with your local data protection authority.
To exercise these rights, email: [email protected]
7. Data Retention
7.1 Active Accounts
- Free tier: 90 days after last access
- Pro tier: 3 years
- Enterprise: Custom policies
7.2 Deleted Accounts
- Account data deleted within 30 days of termination
- Backups purged within 90 days
- Financial records retained for 7 years (legal requirement)
7.3 Legal Holds
Data may be retained longer if required by law or ongoing legal proceedings.
8. International Data Transfers
8.1 Data Residency
- EU users: Data stored in EU data centers (Frankfurt, Dublin)
- US users: Data stored in US data centers
- Other regions: Closest available data center
8.2 Cross-Border Transfers
When data is transferred outside the EU, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequate safeguards under GDPR Article 46
9. Children's Privacy
AgentRegistry is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us immediately at [email protected].
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
10.1 Right to Know
Request disclosure of categories and specific pieces of data collected.
10.2 Right to Delete
Request deletion of your personal information.
10.3 Right to Opt-Out
Opt out of the "sale" of personal information (note: we do not sell data).
10.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
To exercise CCPA rights, email: [email protected]
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via:
- Email notification
- In-app notification
- Website banner
Continued use after changes constitutes acceptance.
12. Contact Us
12.1 Privacy Questions
Email: [email protected]
Address: OpenClaw Systems Inc., 123 Innovation Drive, San Francisco, CA 94105, USA
12.2 Data Protection Officer (DPO)
Email: [email protected]
12.3 EU Representative
For EU users, our EU representative can be contacted at:
Email: [email protected]
Address: AgentRegistry EU, Kurfürstendamm 123, 10787 Berlin, Germany
13. GDPR Compliance Summary
| Requirement | How We Comply |
|---|---|
| Lawful Basis | Consent (account creation), Contract (service provision), Legitimate interest (fraud prevention) |
| Data Minimization | We collect only what's necessary to provide the Service |
| Transparency | This Privacy Policy explains everything clearly |
| Security | Server-side AES-256-GCM encryption, mandatory 2FA for data access, complete audit trail, SOC 2 certified infrastructure |
| User Rights | Full access, rectification, erasure, portability, and objection rights |
| Breach Notification | 72-hour notification requirement |
| Data Transfers | Standard Contractual Clauses for cross-border transfers |
By using AgentRegistry, you acknowledge that you have read and understood this Privacy Policy.
Last reviewed: February 7, 2026