Privacy Policy
Last updated: February 15, 2026
Purple Horizons LLC ("we", "us") operates HireOpenClaw. This Privacy Policy explains what data we collect, how we use it, and your rights.
1. Data We Collect
Account Data
- Email address — for authentication (magic link login) and account identification
- Session tokens — stored in cookies for authentication
Bot Data
- Bot configuration — personality files (SOUL.md), settings, connected services
- Conversation history — messages between you and your Bot, stored in the Bot's container
- Generated content — text, images, videos created by your Bot
- Memory files — your Bot maintains memory files to provide continuity across sessions
API Keys & Secrets
- Third-party API keys you provide (ElevenLabs, Metricool, etc.) are encrypted with AES-256-GCM before storage
- Secret values are never displayed after initial entry — only masked previews
- Platform-level API keys (managed by us) are similarly encrypted
Usage Data
- Token usage (input/output tokens per AI model)
- Bot activity timestamps
- Feature usage for billing purposes
2. How AI Agents Process Your Data
🤖 Important: AI Data Processing
Your AI employee (Bot) is an autonomous agent that processes data to perform tasks. This means:
- Your Bot reads your messages, files, and connected data to carry out instructions
- Your Bot sends data to AI model providers (see Section 3) for text generation
- Your Bot may store information in its memory files to maintain context across conversations
- Your Bot may access third-party services using API keys you provide
You control what your Bot has access to. We recommend reviewing its memory files and connected services regularly.
3. Third-Party AI Providers
Your Bot's conversations are processed by third-party AI model providers. Here's how they handle your data:
| Provider |
What's Sent |
Data Policy |
| Anthropic (Claude) |
Conversation messages, system prompts |
Does NOT train on API data. 30-day retention for safety. Policy → |
| OpenAI |
Conversation messages (if OpenAI model selected) |
API data NOT used for training (since March 2023). Policy → |
| fal.ai |
Image/video generation prompts |
Prompts processed for generation only. Policy → |
| OpenRouter |
Routed to various models |
Varies by model. Policy → |
We route API calls through our proxy server to inject API keys server-side. This means your Bot's API keys never leave our infrastructure — but conversation content does pass through to the AI provider.
4. How We Use Your Data
- To provide the Service — running your Bots, processing conversations, generating content
- Authentication — magic link emails, session management
- Billing — tracking usage for invoicing
- Support — admin impersonation (audit-logged) to troubleshoot issues
- Service improvement — aggregate usage statistics (never individual conversations)
What We Do NOT Do
- ❌ We do NOT train AI models on your data
- ❌ We do NOT sell your data to third parties
- ❌ We do NOT read your Bot conversations (except during admin support, which is audit-logged)
- ❌ We do NOT share individual usage data
5. Data Storage & Security
- Bot data is stored in isolated Docker containers — each Bot has its own filesystem
- Secrets are encrypted with AES-256-GCM at rest
- Sessions use cryptographically random tokens with 30-day expiry
- Backups are stored in S3-compatible storage with provider-managed security controls
- Infrastructure runs on AWS (US-East-1) with standard security practices
6. Data Retention
| Data Type | Retention |
|---|
| Account data | Until account deletion |
| Bot conversations | Until Bot deletion + 30-day backup window |
| Bot memory files | Until Bot deletion |
| API keys/secrets | Until deleted by user or account termination |
| Usage data | 12 months for billing, then aggregated |
| Backups | 30 days after Bot termination |
| Audit logs | 12 months |
7. Your Rights
All Users
- Access — View all data your Bot has stored (memory files, conversation history)
- Backup — Export your Bot's complete workspace at any time
- Delete — Delete your account and all associated data
- Portability — Your Bot's configuration files are standard formats you can take elsewhere
California Residents (CCPA)
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt-out of sale of personal information (we don't sell data)
- Right to non-discrimination for exercising your rights
EU/UK Residents (GDPR)
- All rights above, plus right to rectification and restriction of processing
- Legal basis: contract performance (providing the Service) and legitimate interest (security, billing)
- Data transfers to US are covered by standard contractual clauses with our providers
8. Cookies
We use a single essential cookie:
- session — Authentication cookie. Required for the Service to function. 30-day expiry. No tracking cookies, no analytics cookies, no third-party cookies.
9. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors.
10. Changes
We may update this Privacy Policy. Material changes will be notified via email or dashboard notice at least 14 days before taking effect.
11. Contact
Privacy questions or data requests:
Purple Horizons LLC · Miami, FL · Terms of Service