TL;DR
- We don't read your conversations, memory files, or skills. Those live on your VM.
- We collect the minimum needed to run your account: email, billing, and operational metadata.
- You can export everything you own from your dashboard at any time — no ticket, no waiting.
- Deleting your account removes all data after a 90-day grace window. No dark patterns.
- EU data stays in the EU if you pick an EU region. We sign a DPA with SCCs on request.
1. Who we are
Nacre Labs ("Nacre", "we", "us") operates nacre.sh, a managed hosting service for OpenClaw. This policy explains what personal data we collect when you use the service or visit our site, and what we do with it. It applies to the marketing site, customer dashboard, APIs, and any emails we send you.
For GDPR purposes, we are the data controller for account data and the data processor for anything that sits on your VM.
2. What we collect
We collect three buckets of data, and nothing outside of them:
- Email address (primary identifier)
- Display name (optional)
- Hashed password or OAuth provider ID
- Organization / team membership
- Plan, billing cycle, and renewal date
- Last 4 digits of card / payment method metadata (full card never touches our servers — Stripe handles that)
- Billing address and VAT/tax ID (when applicable)
- Invoices and payment history
- VM hostname, region, and plan tier
- Uptime, CPU%, memory, and disk usage (aggregate only)
- Heartbeat pings from your VM (so we know it's alive)
- Error logs from the control plane (scrubbed of conversation content)
- Dashboard login timestamps and IP (for security)
3. What we don't collect
This is the list most privacy policies don't write. We think it matters:
- Your conversations with OpenClaw — inbound messages, replies, attachments. These live on your VM's disk, encrypted at rest. We don't stream them, index them, train on them, or analyze them.
- Your memory files and skills. Whatever you teach your OpenClaw instance stays in /data on your VM.
- Your LLM API keys. If you choose server-side storage, we encrypt them with pgsodium — we can't read them either. You can also inject them via the web terminal so they only ever touch your VM.
- Third-party platform tokens. Telegram, Discord, Slack, WhatsApp credentials sit on your VM.
- Behavioural ad tracking. No Facebook Pixel, no TikTok tag, no Google Ads remarketing.
4. How we use it
- Run your account. Provision your VM, show you dashboards, send receipts, let you log in.
- Billing. Charge the card, calculate taxes, generate invoices, handle refunds.
- Keep the service working. Detect crashed VMs, trigger restores from backup, page the on-call.
- Email you. Transactional only — welcome, payment, incident. No drip campaigns unless you opt in.
- Improve the product. Aggregated usage metrics (which plans churn, which regions are popular). Never per-user content.
- Comply with the law. Tax records, lawful-access requests, abuse reports.
We do not sell your data. We do not share it for advertising. We do not train models on it.
5. Legal basis (GDPR)
If you're in the EU/UK, our lawful bases are:
- Contract — to deliver the service you signed up for.
- Legitimate interest — keeping the service secure and operational, and understanding aggregate product usage.
- Legal obligation — tax, accounting, and regulatory records.
- Consent — optional marketing emails and analytics cookies (opt-in, revocable anytime).
6. Sub-processors
We use a small set of vendors to run the service. Every one is listed publicly — with role, location, and certifications — on our Security page.
View the full sub-processor list
Changes to this list are announced by email 30 days before they take effect. You can terminate service without penalty if a new sub-processor is unacceptable to you.
7. International transfers
Pick your VM region during signup — SG, US, or EU — and that's where your VM and its backups live. Control plane data (account, billing) replicates between the US and EU for reliability.
For transfers out of the EEA/UK, we rely on the EU Standard Contractual Clauses and the UK Addendum, executed as part of the DPA. A signed copy is available from your dashboard under Settings → Compliance.
8. Data retention
10. Your rights
Whether or not GDPR/CCPA applies to you, we honour these rights for every user:
- Access — download your full account payload as JSON (Settings → Export).
- Portability — your /data directory exports as an encrypted tarball, on demand.
- Rectification — fix any field from the dashboard, or email us.
- Erasure — delete your account any time, with a 90-day safety window.
- Restriction & objection — opt out of anything not strictly necessary.
- Complain — to us first (we'll fix it), or to your local supervisory authority.
We respond to rights requests within 30 days, usually within two business days.
11. Security
Encryption in transit (TLS 1.3) and at rest (volume-level + pgsodium for secrets). Dedicated VMs, no shared kernels. Nightly off-cloud backups. Quarterly DR drills. Full detail on the Security page. Vulnerability reports to security@nacre.sh.
12. Children
Nacre is a B2B developer tool. It is not directed at anyone under 16, and we do not knowingly collect data from children. If you believe we have, email us and we'll erase it immediately.
13. Changes to this policy
If we change anything material — new sub-processor, new data use, new retention window — we email every active customer 30 days in advance. Cosmetic changes (typos, re-wording) we just update in place with a new effective date.
Previous versions are archived at /legal/history.
14. Contact
Postal mail: Nacre Labs, Attn: Privacy, 1309 Coffeen Avenue STE 1200, Sheridan, WY 82801, USA.