Privacy
sidanclaw is a shared brain for your team. Its value depends on remembering your business, which means we store data. This page explains exactly what, and what controls you have.
What's stored where
Three zones, three trust levels. You can wipe or export everything inside zones 1 and 2. Zone 3 only ever sees the turn it answers.
Zone 1: Your device, browser, channel apps. Nothing that doesn't reach us.
- Browser localStorage (UI prefs)
- Channel app installs you control

Zone 2: GCP Postgres in asia-east1. Workspace-scoped, RLS-enforced, fully exportable and deletable.
- Account: email, plan, payment method
- Sessions: message text, metadata
- Memory + KB: workspace-scoped facts
- Channel credentials: AES-256-GCM encrypted

Zone 3: Inference only. Per-turn prompts go to Gemini under terms that forbid training on customer data.
- System prompt + selected context
- Your current turn
- No retention beyond the response
What we store
- Your email, display name (Google OAuth), and any timezone we infer.
- Every message in every session, per channel.
- Structured facts the assistant has extracted about you ("lives in Hong Kong", "prefers markdown").
- Encrypted at rest with AES-256-GCM. The plaintext token is never logged or stored.
- Per-turn token counts and cost, used for budget tracking.
Your controls
- Search, edit, or delete any individual memory. "Delete all" wipes them in bulk.
- Removes your user row, all sessions, all memories, all channel integrations, all assistants you own (cascading delete). Irreversible.
- From any chat, ask "forget that" or "delete the memory about X". The assistant uses its deleteMemory tool.
Retention
Tier 2 anonymous shadow users (API path, Slack/Telegram unidentified) are auto-pruned 30 days after their last session.
Identified users persist until you delete the account.
Backend logs (analytics events, error reports) follow Cloud Run defaults, typically 30 days.
Third parties
Inference is primarily Google's Gemini API; when Gemini returns a retryable error we may fall back to Anthropic's Claude Haiku to keep your reply moving (model training is forbidden in both contracts). Web research uses Brave Search, Serper, or Tavily depending on the query. The X-aware urlReader / xSearch tools route through xAI (Grok), and JS-heavy pages may go through Jina Reader. Connector calls go through the connector's own provider (Google Calendar, Gmail, Notion, GitHub, …). Distribution providers (Meta, X) are listed in the full Privacy Policy. We don't sell data, ever.