Privacy Policy
Effective date: February 24, 2026
OpenClaw Setup for iOS
OpenClaw Setup ("the App") is developed by Jiri Chomat. This policy explains what data the App collects, how it is used, who it is shared with, and your rights.
1. Data We Collect
Data you provide
- SSH credentials (server IP, username, password or private key) — entered by you to connect to your own server. Stored exclusively in the iOS Keychain.
- API keys (for AI providers and optional plugins) — entered by you to enable AI features. Stored in the iOS Keychain.
- Channel tokens (Telegram bot token, WhatsApp credentials, Slack tokens) — entered by you to configure your chatbot channel.
- Payment information — processed entirely by Apple via In-App Purchase. We never see or store your payment details.
Data collected automatically
- Session ID — a random identifier generated per setup session, used to correlate diagnostic logs. Not linked to your identity.
- Device vendor identifier — the iOS identifierForVendor UUID, sent with diagnostic logs to help debug device-specific issues. Reset when you delete the App.
- Error details — on installation failures, error messages and server log excerpts (up to 4,000 characters) are sent for automated diagnosis. All secrets (passwords, SSH keys, API keys, PEM blocks, host IPs) are redacted before transmission.
Data we do NOT collect
- We do not collect your name, email address, or phone number.
- We do not use any third-party tracking, advertising, or analytics SDKs.
- We do not collect or transmit your SSH passwords, private keys, or API keys — comprehensive redaction is applied before any data leaves the device.
- We do not collect chat messages or conversation content.
2. How Your Data Is Stored
- SSH credentials and API keys are stored in the iOS Keychain, Apple's hardware-backed secure storage. They are never transmitted to our servers.
- Session data (setup progress, configuration choices) is stored locally on your device and optionally synced to your iCloud account via NSUbiquitousKeyValueStore.
- Data consent preference is stored locally and synced to iCloud so it persists across reinstalls.
3. Third-Party Data Sharing
The App requires your explicit consent before sharing any data with third parties. Consent is collected via a dedicated "Data & Privacy" screen during setup. All third-party network calls are blocked until you accept.
AI service providers
When you provide your own API key and use AI features, the App sends prompts and configuration context to your chosen provider:
| Provider | Endpoint | Data sent | When |
| Anthropic (Claude) | api.anthropic.com | Prompts, configuration context | When you select Claude as your AI provider and test your key or use AI diagnostics |
| OpenAI | api.openai.com | Prompts, configuration context | When you select GPT as your AI provider and test your key or use AI diagnostics |
| Google (Gemini) | generativelanguage.googleapis.com | Prompts, configuration context | When you select Gemini as your AI provider and test your key or use AI diagnostics |
| Brave Search | api.search.brave.com | Search queries (key validation only) | Only if you optionally enable the search plugin and test your Brave API key |
These providers process data under their own privacy policies. Each provider maintains industry-standard data protection practices. Your API keys authenticate directly with these services — we never proxy or store your keys on our infrastructure.
OpenClaw diagnostic backend
| Endpoint | Data sent | Purpose |
| carspecslab.com/…/ai-fix.php | Redacted error output (max 4,000 chars), session ID, server log excerpts | Automated error diagnosis and fix suggestions during installation |
| carspecslab.com/…/client-log.php | Log level, category, message, session ID, device vendor ID, timestamp | Remote error logging for debugging installation issues |
All data sent to the diagnostic backend is scrubbed of secrets (SSH keys, passwords, API keys, PEM certificates, and host IP addresses) before transmission.
Other connections
- Your VPS server — via SSH, initiated by you
- Apple In-App Purchase — for payment processing
- VPS provider websites — affiliate links you choose to open (Hetzner, DigitalOcean, Contabo)
4. Purpose of Data Collection
- AI provider calls: To test your API key validity, explain terminal output, and provide AI-assisted diagnostics for installation errors.
- Diagnostic logging: To identify and automatically resolve installation failures on your VPS server.
- Session & device IDs: To correlate logs for a single setup session and identify device-specific issues. Not used for tracking or advertising.
5. User Consent and Control
The App collects explicit consent before any third-party data sharing occurs:
- A "Data & Privacy" consent screen is presented during setup, before the App makes any connection to AI providers or diagnostic services.
- You must tap "I Agree & Continue" to proceed. Without consent, all third-party network calls are blocked.
- Consent status is stored locally and can be reset by reinstalling the App.
6. Data Retention
- On-device data: Deleted when you delete the App, including Keychain credentials.
- Diagnostic logs: Retained on our server for up to 30 days for debugging purposes, then automatically deleted.
- AI provider data: Subject to each provider's own data retention policy.
7. Children's Privacy
The App is not directed at children under 17. We do not knowingly collect data from children.
8. Your Rights
You have full control over your data:
- Access: Your data is visible within the App at all times.
- Deletion: Delete the App to remove all local data, or clear saved credentials within the App.
- Consent withdrawal: Reinstall the App to reset your data sharing consent. The App will not share data with third parties until you consent again.
- Portability: Your bot configuration lives on your own server, fully under your control.
9. Security
- SSH credentials and API keys are stored in the iOS Keychain, Apple's hardware-backed secure storage.
- All server communication uses SSH (encrypted).
- Comprehensive redaction strips passwords, SSH keys, API keys, PEM blocks, and host IPs before any data is sent to diagnostic services.
- Third-party AI providers are accessed directly using your own API key over HTTPS.
10. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated effective date.
11. Contact
If you have questions about this privacy policy, contact us at:
jirka@chomat.biz