Privacy Policy
Last updated: March 20, 2026
1. Introduction
MyEcomClaw ("we," "our," "us") is a managed OpenClaw deployment service for e-commerce. We deploy OpenClaw — the open-source AI agent framework — on your own private server with pre-built skills for Shopify, WooCommerce, and major marketplaces. This Privacy Policy explains how we collect, use, store, and protect your information when you visit our website at myecomclaw.com and use our services.
Our service has a unique data architecture: your ecommerce data stays on your own server. We never store your store data, order data, customer data, or inventory data on our infrastructure. This policy covers both the limited data we do collect and how your data is handled on your own infrastructure.
2. Data We Collect
We collect a limited set of data directly from you to operate our business and deliver the managed service. This data is stored on MyEcomClaw systems.
2.1 Account Information
| Data | Purpose | Retention |
|---|---|---|
| Name, email, business name | Account management, communications | Duration of account + 30 days |
| Shopify store URL | Service delivery, integration | Duration of account |
| Payment information | Billing (processed by Stripe — never stored by us) | Handled entirely by Stripe |
| Support communications | Customer support, service improvement | 2 years |
2.2 Website Usage Data
When you visit our website, we may collect anonymized usage data including pages visited, time spent, browser type, device type, referring URL, and approximate geographic location. This data is collected through privacy-focused analytics and does not include personally identifiable information.
3. Data on Your Server (Not Stored by MyEcomClaw)
This is the most important section of this policy. MyEcomClaw deploys OpenClaw agents on your own private server (VPS or Mac Mini). All of your ecommerce data remains on your infrastructure at all times.
| Data Type | Where It Lives | Our Access |
|---|---|---|
| Orders, customers, inventory, products | Your Shopify store + your server | Never stored by MyEcomClaw |
| Agent configuration and rules | Your server | Via Tailscale VPN for maintenance |
| Agent action logs | Your server | Via Tailscale VPN for debugging |
| API keys (Shopify, LLM, integrations) | Your server (environment variables) | Via Tailscale VPN for setup/rotation only |
| BYOK LLM API keys | Your server (environment variables) | MyEcomClaw never copies these off your server |
MyEcomClaw accesses your server remotely via Tailscale VPN for maintenance, configuration, updates, and support purposes only. You can revoke this access at any time.
4. How We Use Your Data
We use the limited data we collect (Section 2) for the following purposes:
- Deliver, maintain, and improve our managed OpenClaw service
- Process payments and manage your subscription
- Provide customer support and respond to inquiries
- Send service-related communications (onboarding, updates, maintenance notices)
- Send marketing communications (only with your consent; you can unsubscribe anytime)
- Analyze website usage to improve our site experience (anonymized data only)
- Comply with legal obligations and prevent fraud
- Track agency referrals and calculate partner commissions
We do not sell, rent, or trade your personal information to third parties. We do not use your ecommerce data (which resides on your server) for any purpose — we do not have access to it outside of authorized maintenance sessions.
5. API Key Handling (BYOK Model)
MyEcomClaw operates on a Bring Your Own Key (BYOK) model by default. Here is how credentials are handled:
- Shopify API keys — Generated via Shopify Custom App and stored as environment variables on your server. We configure these during setup via Tailscale VPN but do not retain copies.
- LLM API keys (BYOK) — You provide your own OpenAI or Anthropic API key. It is stored on your server only. We never see, copy, or store these keys.
- LLM API keys (Managed Credits) — If you choose our optional Managed Credits add-on, we provision an API key and place it on your server. The key operates on your infrastructure.
- Integration OAuth tokens — OAuth 2.0 flows for Shopify and other integrations are handled through Composio, which manages token storage, encryption, and refresh (SOC 2 Type 2 compliant, ISO 27001 certified).
You can revoke MyEcomClaw's access at any time through your Shopify admin panel and by removing our Tailscale connection.
6. Third-Party Services
We use the following third-party services to operate our business. Each has its own privacy policy governing how it handles data:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing for MyEcomClaw billing | Payment method, billing address |
| Rewardful | Affiliate and agency referral tracking | Referral source, conversion data |
| Composio | API integration and OAuth management | OAuth tokens and API scopes |
| Anthropic / OpenAI | LLM providers powering agents (via your BYOK key) | Prompts sent from your server using your API key |
| Tailscale | VPN for remote server maintenance | Network metadata (no ecommerce data) |
| Shopify | Ecommerce platform API | Store data accessed via authorized Custom App API |
| Your hosting provider | Your agent infrastructure (e.g., Hetzner, DigitalOcean) | All agent data resides on your server, encrypted at rest |
| Analytics provider | Website usage analytics | Anonymized usage data (no PII) |
Note: LLM providers (Anthropic, OpenAI) may process order details, customer names, and product information as part of agent prompts. These API calls originate from your server using your API keys, not from MyEcomClaw infrastructure. Please review your LLM provider's privacy policy and data retention practices.
7. Cookies & Analytics
7.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Essential cookies | Strictly necessary | Site functionality, authentication | Session |
| Analytics cookies | Performance | Anonymized site usage tracking | Up to 12 months |
| Referral tracking | Functional | Rewardful affiliate attribution | 90 days |
7.2 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling essential cookies may affect site functionality. We do not use cookies for advertising or cross-site tracking.
8. Data Retention & Deletion
| Data Category | Where Stored | Retention Period |
|---|---|---|
| Account information | MyEcomClaw systems | Duration of account + 30 days |
| Billing records | MyEcomClaw systems (via Stripe) | 7 years (tax/accounting requirements) |
| Support tickets | MyEcomClaw systems | 2 years, then purged |
| Agent configurations and logs | Your server | You control (90-day default, configurable) |
| Ecommerce data (transient) | Your server (in agent memory) | Duration of processing only |
| Website analytics (anonymized) | Analytics provider | Indefinite (no PII) |
When you terminate your account, MyEcomClaw account information is deleted within 30 days. Your server, agent deployment, and all ecommerce data remain yours — OpenClaw is MIT licensed, so you can continue running your agents independently.
9. GDPR Compliance (European Economic Area)
If you are located in the European Economic Area (EEA), the following applies:
9.1 Legal Basis for Processing
- Contract performance (Article 6(1)(b)) — Processing is necessary to deliver our managed OpenClaw service.
- Legitimate interest (Article 6(1)(f)) — Website analytics, fraud prevention, and service improvement.
- Consent (Article 6(1)(a)) — Marketing communications (you can withdraw consent at any time).
- Legal obligation (Article 6(1)(c)) — Tax and accounting record retention.
9.2 Data Controller and Processor Roles
For your ecommerce data (orders, customers, inventory), you are the data controller. MyEcomClaw acts as a managed service provider — we configure and maintain software on your infrastructure but do not store or process your ecommerce data on our servers. A Data Processing Agreement (DPA) is available upon request.
9.3 Data Residency
Because MyEcomClaw deploys agents on your own server, you control where your data resides. If you choose an EU-based VPS provider (e.g., Hetzner EU), your data residency requirements are met natively. Note that LLM API calls via BYOK keys may transmit data to US-based providers (Anthropic, OpenAI) — our DPA addresses this.
9.4 International Data Transfers
MyEcomClaw account data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and/or other appropriate transfer mechanisms. Your ecommerce data resides on your own infrastructure and is not transferred by MyEcomClaw.
10. CCPA Compliance (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides additional rights:
- Right to know — You can request details about the personal information we collect and how it is used.
- Right to delete — You can request deletion of your personal information, subject to legal retention requirements.
- Right to opt out of sale — We do not sell your personal information. There is no sale to opt out of.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
Under the CCPA, MyEcomClaw acts as a service provider. All ecommerce data resides on your own server and never leaves your infrastructure.
11. Data Security
We implement appropriate technical and organizational measures to protect the data we process:
- All server access is via encrypted Tailscale VPN connections
- API keys and credentials are stored as environment variables on your server, never in code repositories
- Agent deployments run in Docker-sandboxed environments
- Payment processing is handled entirely by Stripe (PCI DSS compliant) — we never see or store card data
- OAuth tokens for Shopify and integrations are managed by Composio (SOC 2 Type 2, ISO 27001)
- Website communications are encrypted via TLS/HTTPS
- We apply the principle of least privilege for all API scopes
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
12. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data (subject to legal retention requirements)
- Portability — Request your data in a structured, machine-readable format
- Restriction — Request that we limit how we process your data
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Withdraw consent for marketing communications at any time
To exercise any of these rights, contact us at privacy@myecomclaw.com. We will respond within 30 days.
For data on your own server (agent configurations, ecommerce data, logs), you have full control. You can access, modify, or delete this data at any time through your server's SSH/admin access. OpenClaw is MIT licensed — you own everything on your server.
13. Children's Privacy
Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us:
- Email: privacy@myecomclaw.com
- General support: support@myecomclaw.com
- Website: myecomclaw.com
For GDPR inquiries, you also have the right to lodge a complaint with your local data protection authority.
OpenClaw is a trademark of the OpenClaw Foundation. MyEcomClaw is an independent service and is not affiliated with, endorsed by, or sponsored by the OpenClaw project. Shopify is a trademark of Shopify Inc.