Legal

Privacy Policy

We collect only what's needed to run your personal AI assistant with the open source OpenClaw project: account data, credentials (encrypted), and usage metrics. We do not store LLM request/response content or sensitive data from your conversations. You can export, delete, or opt out of marketing at any time.

Last updated: 2026-02-08

Who we are

OpenClaw Setup is operated by Lemon AI LLC, a company in the United States.

  • Address: 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801
  • Privacy contact: legal@lemon-ai.com
  • Support: via email

What we collect

  • Google OAuth account data — email addresses, name, profile picture when you sign in
  • Telegram bot token + allowlist IDs — to connect OpenClaw to your bot and restrict access
  • LLM provider credentials (API keys) — stored encrypted (AES-256-GCM) and isolated from your agent; your assistant never has direct system access to these keys
  • Workspace files — stored in your instance for your personal AI assistant to use
  • Environment variables — optional configuration you provide for your assistant's runtime
  • Usage metrics — from OpenClaw gateway (tokens, cost by model); no request/response content
  • Analytics identifiers — when you consent (Google Analytics, PostHog)

What we do not store

  • We do not store LLM request or response content in our platform database
  • We do not store sensitive data from your conversations with your assistant
  • Usage/spend data only — no conversation content

Security

  • Encryption at rest — AES-256-GCM for credentials and sensitive data
  • Key isolation — credentials accessed via proxy; your agent never sees raw API keys
  • Allowlist-only access — only people you approve can message your bot on Telegram (or other messaging platforms when supported)
  • Instance isolation — your instance is not publicly reachable; no direct system access from the internet
  • No cross-user access — your personal AI assistant runs in isolation from other users

Support access

Support can access your account or instance only upon your explicit request or permission, via email. We do not access your data without your consent.

Retention

  • Soft-deleted accounts/config — metadata retained for 90 days
  • Logs — only the operator (Gregory) has access; stored on the machine running the pod; default Kubernetes retention applies

Cookies and tracking

  • Authentication — JWT in HTTP-only cookie for session
  • Analytics — Google Analytics and PostHog with consent popup; you can opt out

To opt out of analytics: decline the consent popup when shown, or use your browser's privacy settings. We honor Do Not Track where supported.

Email and marketing

Newsletter and marketing emails can be opted out at any time from your dashboard or via the unsubscribe link in emails. Your email addresses are used only for account management and optional marketing communications.

Subprocessors and third parties

We rely on the following categories of third parties:

  • Auth — Google
  • Messaging — Telegram (with support for WhatsApp and other messaging platforms planned)
  • LLM providers — the ones you configure (OpenAI, Anthropic, etc.)
  • Hosting and infrastructure — Kubernetes, cloud providers
  • Analytics — Google Analytics, PostHog

Each has its own privacy policy. We choose providers with strong safeguards and do not sell your data.

Data deletion and export

  • Export — You can export your workspace and configuration at any time from the dashboard. Secrets are excluded or redacted.
  • Deletion — Request account deletion via legal@lemon-ai.com. We will delete your data and confirm. Metadata may be retained for 90 days per our retention policy.

Questions

For privacy questions or requests, contact us at legal@lemon-ai.com.

Cookie preferences