NoSaaS is an AI productivity tools company. PocketClaws is our mobile AI agent platform that connects to your services and works on your behalf, in an isolated, private compute environment you control.
This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use PocketClaws and our associated website and services ("Services") where NoSaaS acts as a data controller.
This Privacy Policy does not apply where NoSaaS acts as a data processor on behalf of a third party. If you are using an app or service powered by PocketClaws on behalf of another organization, that organization's privacy policy governs.
1. Collection of Personal Data
Personal data you provide to us directly
- Identity and Contact Data: name and email address when you sign up for a PocketClaws account. We may collect this via OAuth login providers (e.g., Google). We may also assign internal account identifiers (e.g., "USER12345").
- Payment Information: billing information collected if you purchase a Subscription or credits through our website, processed via Stripe. If you purchase through an App Distributor (e.g., Apple App Store, Google Play Store), payment is processed by that distributor and we receive limited purchase confirmation data.
- OAuth Tokens and Service Credentials: when you connect a Claw (an OAuth integration with a third-party service such as Gmail, GitHub, Stripe, or others), we collect and store the OAuth access and refresh tokens required to act on your behalf within that service. These tokens are stored encrypted and are used only to perform Actions you direct the agent to take.
- API Keys (BYOK): if you use the Bring Your Own Key feature to supply your own LLM provider API key, we store your key in encrypted form. We use it solely to route your requests to your chosen provider.
- Conversations and Agent Sessions: the messages you send to the PocketClaws agent, the agent's responses and reasoning, tool calls made, and the results of those tool calls during a session.
- Artifacts: files and other outputs created by the agent on your behalf, which are stored in your isolated VM environment on our infrastructure.
- User Configuration and Preferences: your selected LLM provider and model preferences, Claw configurations, notification settings, and other personalization data.
- Feedback: ideas, suggestions, ratings, or other feedback you provide about our Services.
- Communication Information: if you contact us, we collect your name, contact information, and the contents of your messages.
Personal data we receive automatically from your use of the Services
- Device and App Information: device type, operating system, app version, mobile network, connection type, time zone, IP address (including approximate location derived from IP), and device identifiers.
- Usage Data: dates and times of access, features used, agent sessions initiated, credits consumed, tool calls made, Claws activated, and other information about how you use the Services.
- VM and Compute Metadata: session duration, compute resource utilization associated with your isolated VM environment, and related operational metrics.
- Log and Troubleshooting Information: log files, error reports, the feature being used at the time of an error, and the state of the application when errors occurred.
- Cookies and Similar Technologies: we and our service providers use cookies, scripts, or similar technologies on our website to manage the Services, recognize you, customize your experience, and analyze use of our website.
2. Uses of Personal Data
We use your personal data for the following purposes:
- To provide, maintain, and facilitate the PocketClaws app and related Services, governed by our Terms of Service
- To provide, maintain, and facilitate optional services and features that enhance platform functionality and user experience
- To communicate with you, including to send you information about our Services, updates, and relevant notices
- To create and administer your PocketClaws account
- To facilitate payments for Subscriptions and credits
- To operate your isolated VM environment and maintain the security and integrity of your compute allocation
- To prevent and investigate fraud, abuse, and violations of our Terms of Service, unlawful or criminal activity, and unauthorized access to our systems
- To investigate and resolve disputes
- To investigate and resolve security issues
- To debug and identify and repair errors that impair existing functionality
- To improve the Services and conduct product research, using aggregated and de-identified data
- To enforce our Terms of Service and similar terms and agreements
We do not use your conversation data or personal data to train our own AI or machine learning models. PocketClaws routes conversations to third-party LLM providers; we do not operate our own models and do not train on your content.
3. Third-Party LLM Providers
When you use PocketClaws, your conversation content (Inputs and Outputs) is sent to the third-party LLM provider you have selected (e.g., OpenAI, Anthropic, Google Gemini, or others). Your data sent to these providers is governed by their respective terms of service and privacy policies, not this policy. We encourage you to review the privacy practices of your chosen LLM provider.
BYOK (Bring Your Own Key). If you supply your own API key, requests are routed using your key directly to your chosen provider. NoSaaS does not log or store the content of these API calls beyond what is necessary for session management and billing. You are responsible for your usage under your own API key and compliance with your provider's terms.
Built-in Credits. If you use PocketClaws's built-in credit system (i.e., you have not supplied your own API key), your requests are routed through our infrastructure to the selected provider using our API account. In this case, the provider's terms apply to how they handle the content of those requests on our behalf.
4. How We Disclose Personal Data
NoSaaS will disclose personal data to the following categories of third parties:
- Service Providers and Business Partners: we disclose personal data to service providers and business partners for infrastructure hosting, payment processing (Stripe, RevenueCat), analytics, security, data processing, and other purposes necessary to provide the Services.
- Third-Party LLM Providers: as described in Section 3, your conversation content is sent to the LLM provider you select as a necessary part of delivering the Service.
- As Part of a Significant Corporate Event: if NoSaaS is involved in a merger, acquisition, bankruptcy, or other transfer of business assets, we will disclose your personal data as part of those transactions.
- Third-Party Services via Claws: when you use a Claw to connect a third-party service and authorize the agent to take Actions, information is exchanged with that third-party service as directed by you.
- Pursuant to Legal Requirements, Safety, and Rights: we may disclose personal data to governmental regulatory authorities as required by law, in response to lawful requests, or to assist in investigations. We may also disclose personal data to third parties in connection with claims, disputes, or litigation, when otherwise permitted or required by law, or if we determine its disclosure is necessary to protect health and safety, protect against fraud, enforce our legal rights or the legal rights of others, or meet contractual commitments.
- With Your Consent: we will otherwise disclose personal data when you give us permission or direct us to do so.
5. Rights and Choices
Depending on where you live and the laws applicable in your country of residence, you may enjoy certain rights regarding your personal data. To exercise your rights, you may submit a request by emailing [email protected]. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. NoSaaS will not discriminate against you for exercising your privacy rights.
- Right to know: the right to know what personal data NoSaaS processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.
- Access and data portability: the right to request a copy of the personal data NoSaaS processes about you, subject to certain exceptions. In certain cases and subject to applicable law, you have the right to port your information.
- Deletion: the right to request that we delete personal data collected from you when you use our Services, subject to certain exceptions. You can also delete individual conversations and artifacts directly within the app. Conversation history deleted in-app will be removed immediately from your view and purged from our back-end systems within 30 days.
- Correction: the right to request that we correct inaccurate personal data NoSaaS retains about you, subject to certain exceptions.
- Objection: the right to object to processing of your personal data, including processing conducted on the basis of legitimate interests. Where such a right applies, we will no longer process your personal data unless we demonstrate compelling legitimate grounds which override your interests, or for the establishment, exercise, or defense of legal claims.
- Restriction: the right to restrict our processing of your personal data in certain circumstances.
- Withdrawal of consent: where NoSaaS's processing of your personal data is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred before withdrawal.
- Automated decision-making: NoSaaS does not engage in decision-making based solely on automated processing or profiling in a manner that produces a legal effect or significantly affects you in a similar way.
- Sale and targeted advertising: NoSaaS does not "sell" your personal data as that term is defined by applicable laws and regulations. We do not share your personal data for the purpose of targeted advertising to promote third-party products or services.
6. Data Transfers
When you access our website or Services, your personal data may be transferred to our servers in the United States, or to other countries where our service providers operate.
Where information is transferred outside the European Economic Area ("EEA") or the UK, we ensure it benefits from an adequate level of data protection by relying on:
- Adequacy decisions: Decisions from the European Commission under Article 45 GDPR (or equivalent decisions under other laws) recognizing that a country outside the EEA offers an adequate level of data protection.
- Standard contractual clauses: We rely on Standard Contractual Clauses approved by the European Commission to transfer information to certain service providers and partners in countries without an adequacy decision.
7. Data Retention, Lifecycle, and Security
Retention. NoSaaS retains your personal data for as long as reasonably necessary for the purposes outlined in this Privacy Policy, to provide the Services, and to meet our legal obligations.
Account deletion. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes such as fraud prevention, dispute resolution, or legal compliance.
VM data. Data stored in your isolated VM environment (artifacts, session data) is associated with your account. Upon account deletion, your VM environment will be destroyed and associated data deleted.
Aggregated or De-Identified Information. We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct product research, and study usage patterns. This data does not identify individual users and may be retained for longer periods.
Security Controls. We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These measures include encryption at rest and in transit, isolated per-user compute environments (Firecracker microVMs with ZFS storage), encrypted OAuth token and API key storage, and access controls. However, no system is perfectly secure, and we cannot guarantee absolute security.
8. Children
Our Services are not directed toward, and we do not knowingly collect, use, disclose, sell, or share any information from children under the age of 18. If you become aware that a child under the age of 18 has provided personal data to us while using our Services, please email us at [email protected] and we will investigate and, if appropriate, delete the personal data.
9. Changes to Our Privacy Policy
NoSaaS may update this Privacy Policy from time to time. We will notify you of any material changes, as appropriate, and update the Effective Date at the top of this page. We encourage you to review this Privacy Policy periodically.
10. Contact Information
If you have questions about this Privacy Policy, your personal data, or your rights, please contact us:
If you live in the European Economic Area, UK, or Switzerland, you have the right to lodge a complaint with the supervisory authority in the place where you live or work. A full list of EU supervisory authorities' contact details is available at edpb.europa.eu. UK residents may lodge complaints with the UK Information Commissioner's Office. Brazil residents may lodge complaints with the Brazilian Data Protection Authority (ANPD).
11. Legal Bases for Processing
| Purpose | Type of Data | Legal Basis |
| --- | --- | --- |
| To provide, maintain and facilitate Products and Services governed by Terms of Service | Identity and Contact Data, Payment Information, OAuth Tokens, Conversation Data, Artifacts, VM Metadata | Contract |
| To provide optional features that enhance platform functionality and user experience | Identity and Contact Data, Conversation Data, User Preferences | Consent; Legitimate interests |
| To communicate with you and to promote our Services | Identity and Contact Data, Communication Information, Device Information | Where necessary to perform a contract; Consent when asked; Legitimate interests |
| To create and administer your PocketClaws account | Identity and Contact Data, Payment Information | Contract |
| To facilitate payments | Identity and Contact Data, Payment Information | Contract |
| To prevent and investigate fraud, abuse, and Terms of Service violations | Identity and Contact Data, Payment Information, Conversation Data, Device Information | Legitimate interests; Legal obligation |
| To investigate and resolve disputes | Identity and Contact Data, Conversation Data | Legitimate interests; Legal obligation |
| To investigate and resolve security issues | Identity and Contact Data, Device Information, Conversation Data | Legal obligation; Legitimate interests |
| To debug and identify and repair errors | Device Information, Log Data | Legitimate interests |
| To improve the Services and conduct product research (aggregated/de-identified only) | Aggregated usage data | Legitimate interests |
| To enforce our Terms of Service and similar agreements | Identity and Contact Data, Conversation Data, Device Information | Contract; Legitimate interests |
12. Regional Supplemental Disclosures
Supplemental Disclosures for Residents of Canada
Consent. By expressly consenting to this Privacy Policy, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy. We will only collect, use, and disclose your personal data with your consent, unless otherwise permitted or required by law. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Cross-jurisdictional Transfers. By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States, where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction.
Contact. If you have any questions about our processing of your personal data, or to exercise your rights, please contact us at [email protected].
Supplemental Disclosures for Residents of Brazil
Legal Bases. Depending on the specific purpose of the processing, we may rely on different grounds than those listed under Section 11, where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD). For example, we may rely on the "exercise of legal rights" basis to process personal data associated with customer complaints and to enforce our Terms of Service.
Data Subject's Rights under LGPD:
- Confirmation of whether your data is being processed
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or erasure of data that is unnecessary, excessive, or processed in non-compliance with the provisions of the law
- Portability of personal data to a third party, as long as this does not infringe on our trade secrets
- Information about the public and private entities with which we shared data
- Information about the possibility to refuse to provide consent and the respective consequences, when applicable
- Withdrawal of your consent, carried out free of charge
- Request a review of decisions made solely based on automated processing of personal data
International Data Transfers. NoSaaS is headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories. We will rely on standard contractual clauses (SCCs) for our data transfers where required under LGPD.
Supplemental Disclosures for Residents of the European Economic Area, UK, and Switzerland
You have additional rights under applicable data protection law, including GDPR. To exercise these rights, please contact [email protected]. You also have the right to lodge a complaint with your local supervisory authority.