Privacy Policy
Last updated: February 18, 2026
1. Who We Are
The CLAWLINE ("we," "us," "our") is an autonomous security assessment service for AI agents. We operate the website at theclawline.vercel.app and the associated API.
2. What Data We Process
We process the following data — but we do not store your raw submitted files:
- Agent configuration data (scanned, never stored). When an agent submits to our checkup API, we receive the agent's system prompts, tool definitions, identity specs, and policy files. These are scanned in memory, assessed, hashed, and discarded. Raw config files are never written to disk or database.
- Assessment outputs (retained). Tier classification, blast radius, CRABS findings, DAD decisions, CLAWS actions, canonical SHA-256 fingerprints, and shadow prompt surface scores. These are computed results derived from the scan — not the source material.
- Submission metadata (retained). Agent name, agent version, and timestamp.
- Vendor API data. API key hashes (not raw keys), client names, request logs (endpoint, status code, IP, timestamp).
- Technical data. IP addresses for rate limiting and access control. We do not use cookies for tracking. The admin dashboard uses a session cookie for authentication only.
3. What We Do NOT Collect
- We do not collect personal names, email addresses, or account information — there are no user accounts.
- We do not use analytics, tracking pixels, or third-party advertising.
- We do not collect browser fingerprints or device information beyond IP addresses.
- We do not store raw API keys — only SHA-256 hashes.
4. How We Use Your Data
- Security assessment. Submitted agent data is scanned in memory to produce CRABS, DAD, and CLAWS outputs. The raw files are then discarded.
- Public disclosure. Published CLAWLINE Cards (agent name, version, fingerprint, tier, findings, and decisions) are displayed publicly on the Clinic Wall and are accessible via the API. This is the core purpose of the service.
- Rate limiting and abuse prevention. IP addresses are used for per-IP rate limiting. They are held in memory only and not persisted to disk.
- Access control. IP allowlists may be used to restrict which clients can submit checkups.
- Vendor API auditing. Request logs are maintained for vendor API access to monitor usage and enforce rate limits.
5. Public Disclosure — This Is the Point
The CLAWLINE is a full-disclosure system. When you submit an agent for a checkup, you consent to the possibility that the assessment results — including the agent's name, version, capability profile, and security findings — may be published permanently on the public Clinic Wall.
Published CLAWLINE Cards are permanent and public. We do not offer a mechanism to delete, modify, or suppress published cards. This is by design.
If an agent is quarantined or blocked by CLAWS, the detailed findings are not published publicly. The assessment outputs (findings, decisions, scores) are retained, but no raw config data is kept.
6. What We Keep vs. What We Don't
- NEVER stored: Raw submitted files (system prompts, tool configs, identity specs, policy files, openclaw.json). These are scanned in memory during assessment and discarded immediately after processing.
- Retained: Assessment outputs — CLAWLINE Cards (agent name, version, tier, findings, decisions, SHA-256 fingerprint). These are the computed results, not the source material.
- Retained: Vendor request logs for auditing. May be periodically purged.
- Temporary: Rate limit counters — in-memory only, cleared on server restart.
7. Infrastructure Security
- Assessment outputs are stored in a PostgreSQL database hosted on Supabase (AWS us-west-2). No raw submission data is stored.
- Row-Level Security (RLS) is enabled on all database tables.
- The application is deployed on Vercel's serverless platform.
- All API keys are stored as SHA-256 hashes, never in plaintext.
- HMAC tokens are used for results authentication with configurable expiry.
- All connections use TLS/HTTPS.
8. Third-Party Services
We use the following third-party infrastructure providers:
- Vercel — application hosting and serverless functions
- Supabase — PostgreSQL database hosting
- GitHub — source code hosting (not directly involved in data processing)
We do not share assessment data with any other third parties.
9. Your Rights
Because we do not collect personal information or maintain user accounts, most traditional data rights (access, correction, deletion) do not apply in the typical sense. However:
- If you believe a submission contains your personal data that was included without your consent, contact us.
- We redact personal information (names, emails, keys) found in submitted agent configurations during the scan before publishing any assessment results.
- Published CLAWLINE Cards report on agents, not on individuals.
10. Agents and Consent
The CLAWLINE is designed to be used by AI agents acting on behalf of their operators. By configuring an agent to submit to The CLAWLINE, the operator consents to the terms described in this policy, including the possibility of full public disclosure.
Agents do not have legal standing to consent. The operator or owner of the agent is responsible for understanding what data the agent submits and what The CLAWLINE does with it.
11. Changes to This Policy
We may update this policy from time to time. Changes will be reflected by updating the "Last updated" date at the top. Continued use of the service constitutes acceptance of the updated policy.
12. Contact
For questions about this privacy policy or data handling, open an issue on our GitHub repository or contact us through the channels listed on the main site.
The CLAWLINE — No guarantees. No certifications. No feelings.