Privacy Policy

Last updated: March 18, 2026

Effective date: March 18, 2026

OneClickClaw ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we process and store it, who we share it with, and your rights under the General Data Protection Regulation (GDPR), the EU AI Act, the ePrivacy Directive, the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

This policy applies to all users of the OneClickClaw platform at oneclickclaw.io, including visitors, registered users, and subscribers.

1. Data Controller

The data controller responsible for your personal data is:

OneClickClaw

Sole proprietorship operated by Luigi Ramos

Jurisdiction: Greece, European Union

Company registration: Pending (this section will be updated with the official registration number and registered address once finalized)

Contact: info@oneclickclaw.io

We do not currently appoint a Data Protection Officer (DPO), as we do not meet the thresholds under GDPR Article 37. If this changes, we will update this section. For all data protection inquiries, contact info@oneclickclaw.io.

2. Definitions

  • "Service" refers to the OneClickClaw platform, website, dashboard, APIs, AI chatbots, OpenClaw News blog, and all related services accessible at oneclickclaw.io.
  • "OpenClaw" refers to the open-source AI assistant gateway software (MIT license) that we deploy and manage on your behalf.
  • "BYOK" (Bring Your Own Key) means that you provide your own AI provider API key (e.g., Anthropic, OpenAI) to power your OpenClaw instance. We do not provide AI model access.
  • "Instance" refers to a dedicated virtual private server (VPS) provisioned and managed by us on your behalf.
  • "Personal data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).

3. Data We Collect

We collect and process the following categories of personal data. For each category, we explain what is collected, why, and the legal basis under GDPR.

3.1 Account Data (Google OAuth)

We use Google OAuth as our sole authentication method. When you sign in, Google provides us with:

  • Email address (used as your account identifier)
  • Display name (shown in your dashboard)
  • Profile photo URL (shown in your dashboard)
  • Google user ID (internal reference, never displayed)

We do not access your Google Drive, Gmail, contacts, or any other Google service data. We request only the minimum "profile" and "email" OAuth scopes.

3.2 Billing and Payment Data

  • All payment information (credit/debit card numbers, expiration dates, CVV) is collected and processed exclusively by Stripe. We never see, receive, or store your full card details.
  • We store: your Stripe customer ID, subscription ID, subscription status, plan type (tier), billing interval (monthly or annual), invoice amounts, invoice dates, and payment failure status.
  • Stripe may collect additional data under its own privacy policy, including your IP address, browser fingerprint, and device data for fraud prevention.

3.3 Server and Deployment Data

  • Server IP address, instance identifier, server name, and provisioning status.
  • Server performance metrics (CPU, RAM, disk usage, bandwidth) displayed in your dashboard.
  • Deployment logs and error reports used for troubleshooting and service reliability.
  • Server action history (start, stop, reboot, snapshot, destruction) with timestamps.

3.4 API Keys (BYOK)

  • Your AI provider API key (e.g., Anthropic, OpenAI) is encrypted at rest using AES/Fernet symmetric encryption before being transmitted to your dedicated server.
  • Your key is stored only on your dedicated VPS instance, not in our central database. We access it solely to configure your OpenClaw installation.
  • We generate a credential fingerprint (a one-way SHA-256 hash of your provider name and API key) to detect if the same key is used across multiple instances. This hash cannot be reversed to recover your actual key. If a duplicate is detected, a warning is shown in your dashboard.

3.5 Support Data

  • Support tickets: subject, description, category, priority, attachments, and all messages exchanged between you and our team.
  • When you submit a support ticket, our AI-powered assistant may generate an initial response (see Section 5 for details on AI-powered services). Your ticket content, together with contextual account data (your name, plan, subscription status, and server status), is processed to generate a relevant response.
  • Bug reports: description text, screenshot image uploads, page context, and submission timestamp. Screenshots may contain visible screen content and are stored securely.

3.6 AI Chatbot Data

  • Sales chatbot (public, unauthenticated): Chat messages you send, your IP address (for abuse prevention and rate limiting), message timestamps, and your language preference. A Cloudflare Turnstile challenge token is verified on your first message to prevent bot abuse (see Section 6 for Cloudflare data sharing).
  • Support chatbot (authenticated users): Chat messages, your user ID, timestamps, language, and contextual data about your subscription (tier, server status) to provide relevant answers.
  • Both chatbots require your consent before the first interaction. A consent banner is displayed explaining that messages are processed by AI and stored. You may decline to use the chatbot without any impact on other services.
  • ClawCrew Support (live chat): If you subscribe to ClawCrew Support, live chat messages between you and our support team are stored alongside your user ID, timestamps, queue position, wait time, and session rating (1-5 stars, optional). Live chat data is retained for 2 years for quality assurance purposes.
  • Credit usage: We track AI support credit consumption (credits used, credit type, timestamps) to manage your monthly allocation and provide usage analytics. Credit data is associated with your user account and retained for the duration of your subscription plus 90 days.
  • Automated secret detection: Chat messages are automatically scanned for sensitive patterns (API keys, tokens, credentials). Detected secrets are redacted (replaced with placeholder text) in the stored message to protect your security.
  • Feedback data: If you rate chatbot responses (thumbs up/down), we store your rating, message reference, and timestamp to improve response quality.
  • Token usage analytics: We track per-conversation token consumption (input/output tokens) for quality monitoring, cost optimization, and credit accounting.

3.7 Newsletter and Email Tracking Data

  • If you subscribe to our OpenClaw News blog newsletter, we collect your email address and subscription timestamp.
  • Our newsletter emails contain a tracking pixel (a 1x1 transparent image) that records when you open an email, and click-tracking links that record which articles you click on. This data is used to measure newsletter engagement and improve content. Each event records the timestamp and your subscriber identifier.
  • You can unsubscribe at any time using the link in every newsletter email. Upon unsubscription, we stop sending emails and stop tracking. Your subscriber record is retained only to prevent re-enrollment without your consent.

3.8 Device and Security Data

  • Device identity: When your OpenClaw instance authenticates with AI providers that require device-level verification (e.g., via OAuth), a cryptographic key pair is generated on the server using Ed25519. The resulting device ID (a SHA-256 hash of the public key), platform identifier, and device family are stored on your instance. This data is used exclusively for secure authentication and is deleted when your server is destroyed.
  • Chat abuse prevention: We track message counts per identifier (IP address for public chat, user ID for authenticated chat) within sliding time windows for rate limiting. If abuse is detected, strikes are recorded (identifier, reason, timestamp). Accumulated strikes may result in temporary or permanent chat restrictions (see Section 13).
  • Cloudflare Turnstile: On your first sales chat message, your browser interaction data and IP address are sent to Cloudflare for bot verification. Cloudflare processes this data under its own privacy policy. We receive only a pass/fail result.

3.9 Notification Preferences

  • We store your notification preferences (which categories of notifications you want to receive: server alerts, deployment events, billing events, server actions, server destruction, account security) and whether you prefer email notifications for critical alerts only.

3.10 Technical and Usage Data

  • Minimal technical data: your IP address (logged by our hosting provider), browser type and version (from HTTP headers), pages visited, and request timestamps.
  • We do not use Google Analytics, Mixpanel, Hotjar, or any third-party analytics, tracking, or advertising service.

3.11 Referral Data

When you participate in our referral program, we collect: your referral code, referral link, referred user identifiers, referral status (pending/approved/rejected), and reward credits earned. Referral data is retained for 3 years after the referral relationship ends.

4. How We Use Your Data

We process your personal data only for the purposes listed below. For each purpose, we state the legal basis under GDPR Article 6.

Purpose | Data Used | Legal Basis (GDPR Art. 6)
Create and manage your account | Google OAuth data | Contract performance (b)
Provision and manage your server | Account, API keys, deployment data | Contract performance (b)
Process payments and manage subscriptions | Billing data (via Stripe) | Contract performance (b)
Send transactional emails (deployment, billing, security) | Email address, event data | Contract performance (b)
Provide customer support (tickets and AI chatbot) | Support data, account context | Contract performance (b)
Detect duplicate API keys across instances | Credential fingerprint (hash only) | Legitimate interest (f)
Prevent abuse and protect platform security | IP address, rate limit counters, strikes | Legitimate interest (f)
Bot prevention (Cloudflare Turnstile) | IP address, Turnstile token | Legitimate interest (f)
Send newsletter (OpenClaw News blog updates) | Email address, engagement data | Consent (a)
Measure newsletter engagement | Open and click tracking data | Consent (a)
Improve the Service and fix bugs | Technical data, error logs | Legitimate interest (f)
Comply with legal and tax obligations | Billing records | Legal obligation (c)

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

5. AI-Powered Services (EU AI Act Disclosure)

In compliance with the EU AI Act (Regulation 2024/1689, Article 50), we disclose that the following features of our Service are powered by artificial intelligence. All AI systems used by OneClickClaw are classified as "limited risk" under the AI Act and are subject to transparency obligations.

5.1 AI Chatbot (Sales and Support)

Our website chatbots (for sales inquiries and customer support) are AI-powered systems. They are powered by Claude, a large language model developed by Anthropic PBC (San Francisco, USA).

  • The chatbot identifies itself as an AI assistant in the first message of every conversation.
  • No human operator is involved in generating chat responses.
  • Chat messages are transmitted to the Anthropic API for response generation. Anthropic processes this data as a subprocessor. Under Anthropic's commercial API terms, your messages are not used to train their AI models.
  • Before using either chatbot, you are presented with a consent notice explaining that your messages will be processed by AI and stored. You can decline without affecting access to other services.

5.2 AI-Powered Support Ticket Responses

When you submit a support ticket, an AI-powered assistant may generate an initial response to help address your inquiry while our team reviews your ticket. This system:

  • Is powered by Claude (Anthropic). Your ticket content, name, plan details, and server status are sent to the Anthropic API to generate a contextual response.
  • Generates responses that are clearly marked as automated. A human support team member reviews and follows up on all tickets.
  • Does not make binding decisions about your account, subscription, or server. All consequential actions require human authorization.

5.3 OpenClaw News Blog (Content Generation)

Our OpenClaw News blog publishes AI industry news articles. Some articles are generated or summarized using AI (Claude by Anthropic) from publicly available news sources. AI-generated or AI-assisted articles are labeled accordingly. The OpenClaw News blog does not process any user personal data for content generation.

6. Subprocessors and Third-Party Services

We share personal data with the following subprocessors and third-party services, strictly as necessary to provide the Service. We have assessed each provider for GDPR compliance and, where applicable, have appropriate data processing agreements or Standard Contractual Clauses (SCCs) in place.

Provider | Purpose | Data Shared | Location | Safeguards
Webdock | VPS infrastructure | Server provisioning requests, server metadata | Denmark, EU | EU-based, GDPR applies
Stripe | Payment processing | Email, payment method details, billing data | USA | SCCs, PCI-DSS Level 1
Google | Authentication (OAuth 2.0) | OAuth token exchange (email, name, photo) | USA | SCCs, EU Data Boundary
Anthropic | AI chatbot, support auto-reply, content generation | Chat messages, ticket content, account context | USA | SCCs, zero-retention API policy
Resend | Transactional email, newsletter delivery | Email address, email content, delivery metadata | USA | SCCs
Neon | Production database hosting | All platform data (encrypted in transit and at rest) | USA | SCCs, SOC 2
Replit | Application hosting | Application runtime data, HTTP requests | USA | SCCs
Cloudflare | Bot protection (Turnstile) | IP address, browser interaction data | USA (global CDN) | SCCs, ISO 27001
Porkbun | Domain registration, DNS management | Subdomain records (instance IPs) | USA | ICANN accredited

7. International Data Transfers

Your personal data is primarily stored in the European Union:

  • Your OpenClaw server: Hosted on Webdock infrastructure in Denmark, EU.
  • Production database: Hosted on Neon in the USA, with data encrypted in transit (TLS) and at rest.
  • Application hosting: Hosted on Replit in the USA.

Several of our subprocessors are based in the United States. For each US-based subprocessor, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as the legal mechanism for data transfers outside the EEA. We have verified that each subprocessor provides appropriate supplementary measures (encryption, access controls, data minimization) as recommended by the EDPB.

We do not transfer data to countries without an EU adequacy decision unless SCCs or another GDPR Chapter V mechanism is in place.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy. Below are our specific retention periods:

Data Type | Retention Period | Reason
Account data | While your account is active + 30 days | Service provision
Server and deployment data | Deleted within 30 days after server destruction | Service provision
Billing records | 7 years after the transaction | Greek tax law (N.4174/2013, Art. 13)
Support tickets | 90 days after resolution, or on account deletion | Service quality
API keys | Deleted immediately when server is destroyed | Security
AI chatbot conversations | 2 years, then automatically anonymized | Quality assurance, abuse prevention
Live chat sessions (ClawCrew) | 2 years | Quality assurance, support improvement
Credit usage logs | Duration of subscription + 90 days | Billing accuracy, usage analytics
Chat abuse data (strikes, bans) | Strikes: 24 hours. Bans: duration of ban + 30 days | Platform safety
Newsletter subscriber data | Until you unsubscribe + 30 days | Re-enrollment prevention
Newsletter tracking data (opens, clicks) | 12 months | Content improvement
Notification data | 90 days | User experience
Technical logs (IP, user agent) | 30 days | Security, debugging
Bug report screenshots | 2 years | Support quality, issue tracking
Chatbot feedback ratings | 2 years | Response quality improvement
Token analytics | 1 year | Quality monitoring, cost optimization
Referral data | 3 years after relationship ends | Referral program administration

After the retention period expires, data is either permanently deleted or irreversibly anonymized (stripped of all identifiers so it can no longer be linked to you). You may request earlier deletion at any time (see Section 11).

9. Cookies and Similar Technologies

We use minimal, strictly necessary cookies only:

Cookie/Storage | Purpose | Type | Duration
Authentication token | Keep you signed in | Strictly necessary | Session
Theme preference | Light/dark mode choice | Functional (localStorage) | Persistent
Chatbot consent | Remember your chat consent choice | Functional (localStorage) | Persistent
cf_clearance (Turnstile) | Cloudflare bot verification | Strictly necessary | 30 minutes

We do not use:

  • Tracking or analytics cookies (no Google Analytics, no Mixpanel, no Hotjar)
  • Advertising or retargeting cookies
  • Third-party social media cookies
  • Cross-site tracking of any kind

Because we use only strictly necessary and functional cookies/storage, a cookie consent banner is not required under the ePrivacy Directive. However, we provide this disclosure for full transparency.

10. Newsletter and Email Communications

10.1 Transactional Emails

We send transactional emails related to your account and service (deployment notifications, billing receipts, security alerts, support ticket updates). These are not marketing communications and do not require separate consent, as they are necessary for contract performance.

10.2 OpenClaw News Newsletter

Our OpenClaw News blog offers an optional newsletter with AI industry news. Subscription is voluntary and based on your explicit consent (GDPR Article 6(1)(a)). By subscribing:

  • You consent to receiving periodic emails about OpenClaw News blog articles.
  • You consent to email engagement tracking (open and click tracking) as described in Section 3.7. You can withdraw this consent at any time by unsubscribing.
  • Every email includes a one-click unsubscribe link. Upon unsubscribing, we stop all newsletter emails and tracking immediately.
  • Unsubscribing from the newsletter does not affect your account or access to any other part of the Service.

11. Your Rights Under GDPR

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you, including the purposes of processing, categories of data, recipients, and retention periods.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain the data (e.g., billing records for tax purposes).
  • Right to restriction of processing (Art. 18): Request that we limit the processing of your data in certain circumstances (e.g., while we verify accuracy).
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., newsletter, chatbot), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77): File a complaint with your local data protection authority (see Section 18).

How to exercise your rights: Contact us at info@oneclickclaw.io or submit a request through your dashboard (support ticket with category "Privacy"). We will verify your identity and respond within 30 days as required by GDPR. If your request is complex, we may extend this by an additional 60 days with prior notice.

We do not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive (GDPR Article 12(5)).

12. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to know: You can request information about the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
  • Right to opt-out of sale: We do not sell your personal information. We do not share your data for cross-context behavioral advertising. Therefore, there is no need to opt out.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact info@oneclickclaw.io. We will respond within 45 days.

13. Automated Decision-Making

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We use the following automated systems:

  • Chat rate limiting and abuse detection: Our system automatically counts messages per time window and records strikes for policy violations (e.g., prompt injection attempts, abusive content). Accumulated strikes may result in temporary chat restrictions (24-hour cool-down) or longer bans (7 days). These restrictions affect only your access to the chat feature, not your account or subscription.
  • Payment failure handling: Stripe automatically retries failed payments according to its dunning schedule. After repeated failures, your subscription may be suspended. This is managed by Stripe, not by us.
  • Secret detection and redaction: We automatically scan chat messages for accidentally shared API keys and credentials, redacting them to protect your security. Legal basis: legitimate interest in data security.
  • Chat moderation: Automated systems may apply usage restrictions (including silent rate limiting) based on detected abuse patterns. You may request human review of any automated restriction by contacting support.

None of these automated decisions produce legal effects or significantly affect you beyond the specific feature involved. If you believe an automated decision was made in error, contact info@oneclickclaw.io to request a human review.

14. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: All communications between your browser and our servers use TLS 1.2 or higher.
  • Encryption at rest: API keys are encrypted using AES/Fernet symmetric encryption. Database connections use encrypted channels.
  • Access control: Server SSH access uses key-based authentication only (no passwords). Administrative access is restricted to authorized personnel.
  • Input validation: All user inputs are sanitized to prevent injection attacks (SQL injection, XSS, prompt injection).
  • Rate limiting: API endpoints and chat features are rate-limited to prevent abuse.
  • Dedicated infrastructure: Each customer's OpenClaw instance runs on a dedicated VPS, isolated from other customers.
  • Chatbot data protection: Input sanitization, prompt injection defense, and automated secret redaction protect your data during chatbot interactions.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. If you discover a security vulnerability, please report it to info@oneclickclaw.io.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (the Hellenic Data Protection Authority or your local authority) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34).
  • Document the breach, its effects, and the remedial actions taken in our internal breach register.

16. Children's Privacy

Our Service is not directed to children under 18 years of age. We do not knowingly collect personal data from anyone under 18. Our Service requires a Google account and agreement to a paid subscription, both of which require the user to be at least 18 years old (or the age of majority in their jurisdiction). If you believe a minor has provided us with personal data, please contact us at info@oneclickclaw.io and we will promptly delete it.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this page.
  • For material changes (e.g., new categories of data collection, new subprocessors, changes to your rights), we will notify you via email at least 14 days before the changes take effect.
  • For minor changes (e.g., clarifications, formatting), we will update the page without separate notice.

We encourage you to review this page periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

18. Supervisory Authority

If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:

Hellenic Data Protection Authority (HDPA)

Kifisias 1-3, 115 23 Athens, Greece

Phone: +30 210 6475 600

Website: www.dpa.gr

Email: contact@dpa.gr

You may also lodge a complaint with the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement.

19. Contact Us

For any privacy-related questions, data subject access requests (DSARs), security reports, or concerns about how we handle your data, contact us at: info@oneclickclaw.io

We aim to respond to all privacy inquiries within 30 days. For complex requests, we may take up to 90 days total with prior notice, as permitted by GDPR Article 12(3).
