GuardClaw Privacy Notice (Public Beta)
Last updated: February 17, 2026
1. Data Controller
TAKE INTEREST Inc. ("we", "us") is the data controller for data collected through GuardClaw cloud services. For customer personal data processed on behalf of your organization, we act as a data processor. A Data Processing Addendum (DPA) is available upon request at legal@takeinterest.ai.
2. Scope
This notice covers GuardClaw local runtime behavior (CLI, shell wrapper, MCP server) and optional GuardClaw Cloud features (account, billing, usage, receipts, agent management, and environment management).
3. Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6:
Contract performance: Account data, billing data, workspace data, and agent management data are processed to provide the service you requested.
Legitimate interest: Security telemetry, anomaly detection, receipt metadata, and control event audit logs are processed for the security and integrity of the service and the broader community. You can object to telemetry processing by disabling it.
Consent: Security improvement training data (anonymized detection telemetry used to improve models) is processed only with your opt-in consent, which you can withdraw at any time.
4. Data Processed
Account data: email, display name, tenant and workspace identifiers.
Billing data: Stripe customer and subscription identifiers and billing events. We do not store payment card numbers; these are handled entirely by Stripe.
Usage and audit data: decision counts, usage events, receipt metadata, and receipt content hashes.
Agent management data: agent identifiers, hostname, operating system, software version, process identifiers, agent state, heartbeat timestamps, CPU and memory usage metrics, runtime duration, failure counts, anomaly scores, and anomaly detection levels.
Environment data: environment names, status, runtime type, risk scores, agent counts, and security event counts.
Agent control data: control command records including actor user identifiers, actor IP addresses, actions taken, reasons, and acknowledgment timestamps.
Threat report data: user-submitted threat descriptions, tool names, sample inputs, severity assessments, and reporter identifiers. PII redaction is applied to submissions before storage.
Community threat patterns: approved patterns derived from reviewed threat reports, distributed to all authenticated users.
API key metadata: key prefix, name, and permissions. Plaintext API keys are never stored; only cryptographic hashes are persisted.
Anonymous telemetry (opt-out): decision counts, threat scores, timing, platform, and version. No prompts, commands, file paths, or PII.
Telemetry is enabled by default to help improve security patterns for the community. You can disable it at any time with guardclaw telemetry disable.
5. What We Do Not Intentionally Collect by Default
We do not collect: raw prompt content through telemetry, raw command content through telemetry uploads, or file paths, environment variables, or working directory names through telemetry.
Other product features (audit receipts, agent heartbeats, and control event logs) may store operational security records required for policy enforcement and traceability. Agent control events include actor IP addresses for audit purposes.
6. Automated Decision-Making
GuardClaw performs automated decision-making as part of its core security function:
Pattern-based threat detection: Inputs are matched against security detection patterns to identify potential threats. Matches result in deny, ask, or allow decisions.
Anomaly scoring: Agent behavior is scored for anomalies based on resource usage patterns and behavioral signals.
Automatic agent lifecycle management: Agents that exceed configured resource limits or anomaly thresholds may be automatically paused or terminated.
These are security measures designed to protect your infrastructure, not profiling or automated individual decision-making under GDPR Article 22. No decisions produce legal or similarly significant effects on individuals. You can review detection results in your dashboard and configure policy thresholds.
7. Retention and Deletion
During the public beta, all users have access to the Free tier retention window of 7 days for decision receipts, usage events, and agent monitoring data.
Security research retention: With your opt-in consent, anonymized and aggregated data (containing no PII, prompts, or raw commands) may be retained beyond the standard access window for the purpose of improving security detection patterns. This data cannot be used to identify you or reconstruct your original inputs. You can withdraw consent at any time, after which no new data will be retained for this purpose.
Account deletion marks tenant status as deleted, cancels any active subscriptions, and initiates cleanup following configured retention policies. Agent status records are retained while active and marked terminal after inactivity. Billing records may persist in Stripe per their privacy policy.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate personal data.
Erasure: Request deletion of your personal data (subject to legal retention requirements).
Restriction: Request restriction of processing in certain circumstances.
Portability: Request your data in a structured, machine-readable format. Data export is available via authenticated API endpoints.
Objection: Object to processing based on legitimate interest. You can disable telemetry at any time.
Withdraw consent: Where processing is based on consent (e.g., security improvement data), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
To exercise these rights, contact legal@takeinterest.ai or use the account management features in the dashboard.
9. Cookies and Tracking Technologies
GuardClaw uses essential cookies and local storage for authentication via Firebase. These are strictly necessary for the service to function and cannot be disabled while using the service.
Mixpanel analytics on the dashboard does not use cookies and has IP tracking disabled. Sentry error reporting may set a session identifier for error correlation. We do not use advertising cookies or third-party tracking pixels.
10. Subprocessors
Google Cloud/Firebase (auth, storage, infrastructure), United States.
Stripe (billing and subscription workflows), United States.
Mixpanel (anonymous product analytics on dashboard; no PII, IP tracking disabled), United States.
Sentry (error and crash reporting for CLI and dashboard; stack traces only, no PII), United States.
11. International Transfers
Data is processed in the United States by TAKE INTEREST Inc. and our subprocessors (Google Cloud, Firebase, Stripe, Mixpanel, Sentry). For transfers from the EEA, UK, or Switzerland, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable. You can request a copy of the applicable transfer safeguards by contacting us.
12. California Residents (CCPA/CPRA)
If you are a California resident, you have the right to: know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale or sharing of personal information, and not be discriminated against for exercising your privacy rights.
We do not sell or share personal information as defined under the CCPA/CPRA. To exercise your rights, contact legal@takeinterest.ai.
13. Children
GuardClaw is not intended for use by individuals under 13 years of age (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Changes to This Notice
We may update this notice by posting the revised version at this URL and updating the "Last updated" date. For material changes, we will provide at least 30 days' notice via email or in-product notification.
Contact
TAKE INTEREST Inc.
Email: legal@takeinterest.ai