Privacy Policy

Last updated: 2026-05-12 · Draft v1

Draft.

This document reflects our actual data practices but has not been reviewed by a lawyer. We're publishing the draft so users can audit what we collect; legal-quality language will follow before public launch. Email privacy@gogameclaw.com with questions.

1. What we collect

  • Account info — email address, hashed password (for credentials sign-in), OAuth subject ID (for Google / Apple sign-in), optional display name.
  • Game credentials you link — the cookies, tokens, or API keys you paste during account linking. These are encrypted at rest with AES-256-GCM before being written to our database. The decryption key lives in Google Secret Manager, not in our codebase.
  • Task activity — records of every adapter call we make on your behalf: timestamp, game, capability, success/failure, error message, optional reward text. Used for the dashboard, weekly digest, and abuse / quota detection.
  • Usage counters — monthly task and AI Planner call counts. Used for billing quota enforcement.
  • Payment metadata — PayPal subscription ID, plan ID, payment status. We never see your card number. PayPal handles the entire payment surface.
  • Demand signals — anything you submit through the /demand form, including optional email for follow-up.

2. What we DON'T collect

  • Your game password or PayPal password. Never. The game cookies you paste are session tokens, not credentials.
  • Card numbers — see above.
  • Cross-site tracking pixels / Facebook SDK / Google Analytics — we don't use them. Cloud Run + first-party cookies only.
  • Your in-game chat or social-graph data. We only touch the public BBS-side APIs and signin / redeem endpoints.

3. How we use it

  • To execute the daily reward / BBS / planner tasks you ask us to run.
  • To enforce monthly task and AI Planner quotas per your subscription tier.
  • To detect anomalies (high failure rate per vendor → automatic circuit-breaker open) and protect your account from suspicious automation patterns.
  • To generate optional weekly digests (Markdown report rendered in your dashboard) summarizing what we did for you.
  • To respond to /demand submissions you opt in to.

4. How we protect it

  • Encryption at rest — AES-256-GCM for every credential row.
  • HTTPS-only in transit — TLS terminated at Google Frontend; the service certificate is managed by Google.
  • Secret Manager — all service-side keys (database password, NextAuth signing secret, encryption master key, PayPal client secret, Anthropic API key) are mounted from Google Secret Manager via secretKeyRef; they never appear in env-var dumps or container images.
  • Least-privilege IAM — the Cloud Run service account can only read secrets it's explicitly granted, not the whole project.

5. Third parties

We share data with these processors only as needed:

  • Anthropic — the AI Planner and weekly Reporter send your prompt and your account list (game slugs + UIDs, no credentials) to Claude. Anthropic does not train on our API traffic.
  • PayPal — billing subscription state. PayPal receives your email and the GameClaw subscription tier identifier.
  • Google Cloud — our infrastructure provider (Cloud Run, Cloud SQL, Secret Manager).
  • Game vendors you connect — HoYoverse, Kurogames, Hypergryph. We call their public web APIs on your behalf with your provided credentials.

6. Your rights

  • Export — email privacy@gogameclaw.com and we'll send you a JSON of everything tied to your account within 30 days.
  • Delete — request deletion of your account and all linked data via the same email. We'll wipe within 30 days. PayPal subscription records that we're legally required to retain are kept for the period mandated by applicable tax law (typically 7 years) but anonymized — the link from PayPal ID to your email is severed.
  • Re-link — you can unlink a game at any time from the dashboard. The encrypted credential row is deleted immediately.

7. Game vendor ToS

GameClaw automates daily check-ins and other low-risk web tasks that most game vendors tolerate. We do NOT automate PvP play, account leveling, or anything that violates a game vendor's terms of service. By linking your game account, you accept that you are responsible for compliance with that vendor's ToS; we make a best-effort attempt to stay within the lines but cannot guarantee immunity from vendor action.

8. Children

GameClaw is not directed at children under 13. If you believe we have collected data from a minor, email privacy@gogameclaw.com and we'll delete it.

9. Changes

We'll update this page when our practices change and email a notification to active subscribers. Material changes are flagged with a banner in the dashboard for 30 days.

10. Contact

Email privacy@gogameclaw.com.