← Back to BlitzClaw

Privacy Policy

Last updated: February 15, 2026

1. Data Controller

The data controller for BlitzClaw is:

2M Ventures UG (haftungsbeschränkt)
Geschäftsführer: Philipp Müller
Hohenstaufenstr. 22, 10779 Berlin, Germany
Email: support@blitzclaw.com

2. Data We Collect

Account Data

Email address and authentication credentials (processed via Clerk).

Instance Configuration

Settings you configure for your AI assistant: name, personality, connected services.

Usage Data

API usage metrics, token consumption, instance status — for billing and service operation.

Conversation Data

Messages exchanged with your AI assistant are processed to provide the service. See Section 3 for important information about third-party processing.

3. Third-Party Data Processing

⚠️ Anthropic (AI Provider)

All content you send to your AI assistant is transmitted to Anthropic, PBC (San Francisco, USA) for processing. This includes:

  • All messages you send
  • Files or data you share with or through the assistant
  • Content the assistant accesses on your behalf (websites, documents)
  • Any secrets or credentials you instruct the assistant to use

Anthropic processes this data under their own privacy policy and terms. We cannot control how Anthropic stores, processes, or uses your data. Review Anthropic's policies: anthropic.com/legal/privacy

Data transfer: Your data is transferred to the USA. Anthropic participates in standard contractual clauses for EU-US data transfers.

Polar.sh (Payment Processing)

Polar acts as Merchant of Record for all payments. Polar collects billing information including payment method details. We do not store your payment card data. See: polar.sh/legal/privacy

Clerk (Authentication)

Clerk processes your login credentials and manages authentication sessions. See: clerk.com/legal/privacy

Infrastructure Providers

Your instance runs on servers provided by Hetzner, DigitalOcean, or Vultr (EU/Germany datacenter). These providers have physical access to server infrastructure but not to application-level data which is encrypted.

4. Sub-Processors

We use the following third-party service providers who may process your data:

ProviderPurposeLocation
Anthropic, PBCAI model providerUSA
Clerk, Inc.AuthenticationUSA
Polar Software ABPayment processing (MOR)Sweden
Hetzner Online GmbHServer infrastructureGermany
DigitalOcean, LLCServer infrastructureUSA (Frankfurt DC)
Vultr Holdings, LLCServer infrastructureUSA (Frankfurt DC)
Vercel, Inc.Web application hostingUSA

5. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the service you requested
  • Legitimate interest (Art. 6(1)(f)): Service security, fraud prevention, service improvement
  • Legal obligation (Art. 6(1)(c)): Tax records, law enforcement requests
  • Consent (Art. 6(1)(a)): For optional processing, where applicable

6. Data Retention

  • Account data: Until account deletion plus 30 days
  • Instance data: Deleted within 7 days of instance termination
  • Billing records: 10 years (German tax law requirement)
  • Conversation data on your instance: You control this; deleted when instance is deleted

Note: Data sent to Anthropic is retained according to Anthropic's policies, which we cannot control.

7. Your Rights (GDPR)

You have the right to:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion of your data
  • Restriction (Art. 18): Limit how we process your data
  • Portability (Art. 20): Receive your data in machine-readable format
  • Object (Art. 21): Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent

Contact support@blitzclaw.com to exercise these rights. We respond within 30 days.

Supervisory authority: You may lodge a complaint with the Berlin Commissioner for Data Protection (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

8. International Transfers

Your data is transferred to:

  • USA (Anthropic): Conversation data for AI processing
  • USA (Clerk): Authentication data
  • EU/USA (Polar): Payment data

For US transfers, we rely on Standard Contractual Clauses (SCCs) where available from the provider. You acknowledge that US law may provide different data protection standards than EU law.

9. Server Access & Secrets

Your instance is a dedicated server

Each BlitzClaw instance runs on a dedicated virtual server provisioned for your account. Your conversations, files, memory, and configuration live on this server.

Secrets you store

You may store API keys, tokens, or other credentials on your instance (via the dashboard or by instructing your assistant). These secrets are stored on your server in plain text configuration files. They are not encrypted at rest by BlitzClaw.

Our access to your server

BlitzClaw maintains SSH (root) access to your instance for:

  • Provisioning and initial setup
  • Software updates
  • Troubleshooting and support (when you report issues)
  • Service monitoring and health checks

This means we technically have the ability to read any data on your instance, including conversation history, stored secrets, and files your assistant has created or accessed. We do not routinely access this data and only do so for legitimate operational purposes.

We are working toward time-limited, user-granted support access and audit logging for all server access events. These features are not yet available.

Browser relay

If you use the browser relay feature (Chrome extension), session data including cookies from your browser is transmitted through our relay server to your instance. This data passes through our infrastructure in transit. We do not store or log browser session data, but we technically have the ability to inspect it in transit.

End-to-end encryption for the browser relay is planned but not yet implemented.

What this means for you

Do not store highly sensitive credentials (bank passwords, government IDs, medical records) on your instance. Treat your BlitzClaw instance like a computer managed by a trusted IT provider — convenient and useful, but not a vault.

10. Security

We implement basic technical and organizational measures including:

  • TLS encryption for data in transit
  • SSH key-based access to instances
  • Access controls and authentication via Clerk

As noted in our Terms of Service, BlitzClaw is experimental software that has not undergone formal security audits. Data stored on your instance (including secrets and credentials) is not encrypted at rest by BlitzClaw. Provider-level disk encryption may be available depending on the infrastructure provider.

No system is 100% secure. You are responsible for securing your account credentials and any secrets you store in your instance.

11. Children

BlitzClaw is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us for deletion.

12. Changes

We may update this policy. Material changes will be notified via email at least 14 days before taking effect.

13. Contact

For privacy inquiries: support@blitzclaw.com
General support: support@blitzclaw.com