Effective July 3, 2026
NoSaaS LLC ("NoSaaS," "we," "us," or "our") is an AI productivity tools company. PocketClaws is our mobile AI agent platform that connects to your services and works on your behalf, in an isolated, private compute environment you control.
This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use PocketClaws and our associated website and services ("Services") where NoSaaS acts as a data controller. The data controller responsible for your personal data is NoSaaS LLC, 5900 Balcones Drive, Suite 165, Austin, TX 78731, United States.
This Privacy Policy does not apply where NoSaaS acts as a data processor on behalf of a third party. If you are using an app or service powered by PocketClaws on behalf of another organization, that organization's privacy policy governs.
We use your personal data for the following purposes:
We do not use your conversation data or personal data to train our own AI or machine learning models. PocketClaws routes conversations to third-party LLM providers; we do not operate our own models and do not train on your content.
When you use PocketClaws, your conversation content (Inputs and Outputs) is sent to the third-party LLM provider you have selected (e.g., OpenAI, Anthropic, Google Gemini, or others). Your data sent to these providers is governed by their respective terms of service and privacy policies, not this policy. We encourage you to review the privacy practices of your chosen LLM provider.
BYOK (Bring Your Own Key). If you supply your own API key, requests are routed using your key directly to your chosen provider. NoSaaS does not log or store the content of these API calls beyond what is necessary for session management and billing. You are responsible for your usage under your own API key and compliance with your provider's terms.
Built-in Credits. If you use PocketClaws's built-in credit system (i.e., you have not supplied your own API key), your requests are routed through our infrastructure to the selected provider using our API account. In this case, the provider's terms apply to how they handle the content of those requests on our behalf.
NoSaaS will disclose personal data to the following categories of third parties:
Depending on where you live and the laws applicable in your country of residence, you may enjoy certain rights regarding your personal data. To exercise your rights, you may submit a request by emailing [email protected]. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. NoSaaS will not discriminate against you for exercising your privacy rights.
NoSaaS is based in the United States, and we store and process personal data on servers located in the United States. When you access our website or Services, your personal data is transferred to and processed in the United States, and may also be processed in other countries where our service providers operate. Data protection laws in the United States and these other countries may differ from those in your country of residence. By using the Services, you understand that your personal data may be transferred to, stored, and processed in the United States.
Retention. NoSaaS retains your personal data for as long as reasonably necessary for the purposes outlined in this Privacy Policy, to provide the Services, and to meet our legal obligations.
Account deletion. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes such as fraud prevention, dispute resolution, or legal compliance.
VM data. Data stored in your isolated VM environment (artifacts, session data) is associated with your account. Upon account deletion, your VM environment will be destroyed and associated data deleted.
Aggregated or De-Identified Information. We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct product research, and study usage patterns. This data does not identify individual users and may be retained for longer periods.
Security Controls. We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These measures include encryption at rest and in transit, isolated per-user compute environments (Firecracker microVMs with ZFS storage), encrypted OAuth token and API key storage, and access controls. However, no system is perfectly secure, and we cannot guarantee absolute security.
Our Services are not directed toward, and we do not knowingly collect, use, disclose, sell, or share any information from children under the age of 18. If you become aware that a child under the age of 18 has provided personal data to us while using our Services, please email us at [email protected] and we will investigate and, if appropriate, delete the personal data.
NoSaaS may update this Privacy Policy from time to time. We will notify you of any material changes, as appropriate, and update the Effective Date at the top of this page. We encourage you to review this Privacy Policy periodically.
If you have questions about this Privacy Policy, your personal data, or your rights, please contact us:
Brazil residents may lodge a complaint with the Brazilian Data Protection Authority (ANPD).
| Purpose | Type of Data | Legal Basis |
|---|---|---|
| To provide, maintain and facilitate Products and Services governed by Terms of Service | Identity and Contact Data, Payment Information, OAuth Tokens, Conversation Data, Artifacts, VM Metadata | Contract |
| To provide optional features that enhance platform functionality and user experience | Identity and Contact Data, Conversation Data, User Preferences | Consent; Legitimate interests |
| To communicate with you and to promote our Services | Identity and Contact Data, Communication Information, Device Information | Where necessary to perform a contract; Consent when asked; Legitimate interests |
| To create and administer your PocketClaws account | Identity and Contact Data, Payment Information | Contract |
| To facilitate payments | Identity and Contact Data, Payment Information | Contract |
| To prevent and investigate fraud, abuse, and Terms of Service violations | Identity and Contact Data, Payment Information, Conversation Data, Device Information | Legitimate interests; Legal obligation |
| To investigate and resolve disputes | Identity and Contact Data, Conversation Data | Legitimate interests; Legal obligation |
| To investigate and resolve security issues | Identity and Contact Data, Device Information, Conversation Data | Legal obligation; Legitimate interests |
| To debug and identify and repair errors | Device Information, Log Data | Legitimate interests |
| To improve the Services and conduct product research (aggregated/de-identified only) | Aggregated usage data | Legitimate interests |
| To enforce our Terms of Service and similar agreements | Identity and Contact Data, Conversation Data, Device Information | Contract; Legitimate interests |
These disclosures supplement the information above and apply to California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
Categories of personal information we collect. In the preceding 12 months, we have collected the categories of personal information described in Section 1, which correspond to the following statutory categories: identifiers (e.g., name, email, account identifier, IP address, device identifiers); commercial information (e.g., Subscription and credit purchases); internet or other electronic network activity (e.g., usage and log data); geolocation data (approximate location derived from IP address); the contents of your agent conversations and your communications with us; and the account-credential information described below.
Sensitive Personal Information. Some information we collect is "sensitive personal information" under the CPRA, specifically: account log-in credentials and access tokens (the OAuth access and refresh tokens and the LLM provider API keys you supply to connect Claws or use Bring-Your-Own-Key), and the contents of your agent conversations. We use and disclose sensitive personal information only for the purposes permitted under CPRA § 7027(m) — namely, to provide the Services you request, operate your account and isolated VM environment, secure our systems, and prevent fraud and abuse. We do not use or disclose sensitive personal information to infer characteristics about you, and we do not use it for any purpose that would give rise to the right to limit its use.
Sources and purposes. The sources from which we collect personal information, and the business and commercial purposes for which we use it, are described in Sections 1 and 2. The categories of third parties to whom we disclose personal information are described in Section 4.
No sale or sharing. We do not "sell" your personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.
Your California rights. Subject to certain exceptions, you have the right to: (1) know and access the specific pieces and categories of personal information we have collected about you; (2) request deletion of your personal information; (3) request correction of inaccurate personal information; (4) opt out of the sale or sharing of personal information (not applicable, as we do not sell or share); and (5) limit the use of sensitive personal information (we already limit such use to the permitted purposes described above). We will not discriminate or retaliate against you for exercising any of these rights.
How to exercise your rights. Submit a request by emailing [email protected]. We may need to verify your identity before fulfilling your request. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization and may require you to verify your own identity directly with us.
Consent. By expressly consenting to this Privacy Policy, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy. We will only collect, use, and disclose your personal data with your consent, unless otherwise permitted or required by law. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Cross-jurisdictional Transfers. By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States, where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction.
Contact. If you have any questions about our processing of your personal data, or to exercise your rights, please contact us at [email protected].
Legal Bases. Depending on the specific purpose of the processing, we may rely on different grounds than those listed under Section 11, where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD). For example, we may rely on the "exercise of legal rights" basis to process personal data associated with customer complaints and to enforce our Terms of Service.
Data Subject's Rights under LGPD:
International Data Transfers. NoSaaS is headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories. We will rely on standard contractual clauses (SCCs) for our data transfers where required under LGPD.