Privacy Policy

Effective: February 20, 2026

1. Controller

The controller responsible for data processing on this website is:

Allonsy GmbH
Haldesdorfer Str. 14, 22179 Hamburg, Germany
Managing Director: Hendrik Kleinwaechter
HRB 149247, Amtsgericht Hamburg
Email: datenschutz@clawy.io

2. Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Email address
  • Username
  • Hashed password (bcrypt — we never store plaintext passwords)

Server Logs

  • IP address
  • Timestamps of requests
  • HTTP method and requested URL
  • Browser user agent string

VM Metadata

  • Resource usage statistics (CPU, memory, disk)
  • VM state and configuration metadata

Data We Do NOT Collect

We do not access, monitor, or process any data stored or processed inside your virtual machines. Your VM is your private environment.

3. Legal Basis for Processing

We process your personal data on the following legal bases under Art. 6(1) GDPR:

  • Contract performance (Art. 6(1)(b)): Account data is necessary to provide the service you registered for
  • Legitimate interest (Art. 6(1)(f)): Server logs are processed for security, abuse prevention, and service stability
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data by law (e.g., tax or commercial regulations)

4. Cookies

Clawy uses a single session cookie that is strictly necessary for the functioning of the service (authentication). This cookie is essential and does not require consent under Art. 5(3) of the ePrivacy Directive. We do not use any tracking, analytics, or advertising cookies.

5. Data Retention

  • Account data: Retained until you delete your account
  • Server logs: Automatically deleted after 90 days
  • VM metadata: Deleted 30 days after VM or account deletion

6. Sub-processors

We use the following sub-processors to provide the service:

Sub-processor Purpose Location
Hetzner Online GmbH Infrastructure hosting (dedicated servers) Germany
Let's Encrypt / ZeroSSL TLS certificate issuance EU / USA*

* TLS certificate issuance involves only domain validation data (domain name, public key). No personal data is transferred.

7. International Data Transfers

All personal data is stored and processed on servers located in Germany. We do not transfer personal data to countries outside the European Union or European Economic Area.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation and a copy of data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your personal data
  • Right to restriction (Art. 18): Request restriction of processing
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest

To exercise any of these rights, contact us at datenschutz@clawy.io.

9. Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. Our competent authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg
Phone: +49 40 428 54-4040
Email: mailbox@datenschutz.hamburg.de
Website: datenschutz-hamburg.de

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notice. The current version is always available at this URL.