Privacy Policy
This Privacy Policy explains how Micelclaw ("we", "us", "our") handles information across our website (micelclaw.com) and our self-hosted software product (Micelclaw OS). We are based in Madrid, Spain, and comply with the EU General Data Protection Regulation (GDPR).
1. Our core principle
Your data stays on your hardware. Micelclaw OS is self-hosted software. Your notes, emails, calendar events, contacts, photos, files, diary entries, conversations, and any other personal content are stored exclusively on your own device. We never have access to this data, cannot read it, and do not transfer it to our servers.
2. What we collect and why
2.1 Website (micelclaw.com)
| Data | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Email address (waitlist) | Notify you about launch and product updates | Consent (Art. 6(1)(a)) | Until you unsubscribe or we delete the list |
| Page views, referrer, country (via Cloudflare Web Analytics) | Understand website traffic. No cookies, no personal identifiers, no IP tracking | Legitimate interest (Art. 6(1)(f)) | Aggregated, no personal data stored |
2.2 Payments (LemonSqueezy)
When you purchase a subscription or Cloud Credits, payment processing is handled by Lemon Squeezy Inc. ("LemonSqueezy"), which acts as the Merchant of Record. LemonSqueezy collects:
- Name, email, billing address
- Payment method details (card number, PayPal, etc.)
- VAT/tax identification (where required)
We do not store your payment details. We receive from LemonSqueezy: your email, transaction ID, product purchased, and license key metadata. LemonSqueezy's privacy policy applies to payment data: lemonsqueezy.com/privacy
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email, transaction ID, product purchased | Fulfill your order, manage your license | Contract performance (Art. 6(1)(b)) | Duration of your account + 5 years (tax obligations) |
2.3 License server (api.micelclaw.com)
When you register for a free license or activate a paid license, our server processes:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email, hashed password | Account authentication | Contract performance (Art. 6(1)(b)) | Until account deletion |
| License key, tier (free/pro/plus) | License validation and feature access | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Hardware fingerprint (hashed) | Prevent license abuse. Not reversible to identify your device | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
| Heartbeat check (every 14 days) | Verify license status | Contract performance (Art. 6(1)(b)) | Not stored (real-time check) |
2.4 Cloud Credits (AI proxy — api.micelclaw.com)
When you use Cloud Credits, your AI requests are routed through our proxy to third-party AI providers (Anthropic, OpenAI, Google, DeepSeek, xAI). We process:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| AI request content (prompt, context) | Forward to AI provider and return the response | Contract performance (Art. 6(1)(b)) | Not stored. Streamed in real-time and discarded |
| Token count, model used, cost | Billing and credit deduction | Contract performance (Art. 6(1)(b)) | 12 months |
Important: When you use Cloud Credits, your AI request content passes through our proxy server to reach the AI provider. We do not log, store, or read this content — it is streamed through and discarded. However, the third-party AI provider's privacy policy applies to how they handle your data. If you want zero data exposure to external servers, use BYOK (Bring Your Own Keys) or local models via Ollama — both are available on all tiers, including free.
2.5 Micelclaw OS (the self-hosted product)
We do not collect any data from your Micelclaw OS instance unless you explicitly initiate one of the services above (license registration, Cloud Credits, cloud backup).
All processing — AI embeddings, search, knowledge graph, entity extraction, photo analysis, sync connectors — happens locally on your hardware. When using BYOK API keys or local models (Ollama), your data never leaves your device.
2.6 Telemetry (opt-in only)
Micelclaw OS may include optional, opt-in crash reporting (via Sentry). This is disabled by default and collects no data unless you explicitly enable it in Settings. If enabled, it sends anonymized crash reports (stack traces, OS version, no personal content). You can disable it at any time.
3. Third-party services
| Service | Role | Data shared | Their privacy policy |
|---|---|---|---|
| Cloudflare | CDN, DNS, web analytics | Aggregated page views (no personal data) | cloudflare.com/privacypolicy |
| Buttondown | Email newsletter/waitlist | Email address | buttondown.com/legal/privacy |
| LemonSqueezy | Payment processing (MoR) | Name, email, billing, payment method | lemonsqueezy.com/privacy |
| Sentry (opt-in) | Crash reporting | Anonymized stack traces | sentry.io/privacy |
| AI providers (via Cloud Credits) | AI model inference | Request content (streamed, not stored by us) | Per provider |
4. Cookies
micelclaw.com does not use cookies. Cloudflare Web Analytics is cookieless and does not track individual users.
LemonSqueezy may set cookies during the checkout process under their domain.
5. Your rights (GDPR)
As an EU resident, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Restriction — Request we limit processing of your data
- Portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interest
- Withdraw consent — For consent-based processing (e.g., waitlist), at any time
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): aepd.es
6. Data transfers
Our license server and AI proxy are hosted in the EU. When you use Cloud Credits, your AI request is forwarded to the selected AI provider, which may process data outside the EU. These providers maintain adequate safeguards (Standard Contractual Clauses or equivalents).
7. Data security
- License server communications are encrypted via TLS
- Passwords are hashed (bcrypt)
- Hardware fingerprints are hashed and not reversible
- AI request content is streamed and never stored on our servers
- Payment data is handled entirely by LemonSqueezy; we never see your card number
8. Children
Micelclaw is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact [email protected] and we will delete it.
9. Changes to this policy
We may update this Privacy Policy. Changes will be posted on this page with an updated date. For significant changes, we will notify you via email (if you're on the waitlist or are a customer).
10. Contact
For any privacy-related questions or requests:
Email: [email protected]
Location: Madrid, Spain