pingclaw

Privacy policy

Last updated: April 24, 2026

What PingClaw does

PingClaw sends your phone's GPS location to a server so your AI assistant can answer location-aware questions. You control when sharing is on or off.

Sign-in

The hosted service (pingclaw.me) uses Sign in with Apple or Sign in with Google for authentication. When you sign in, PingClaw receives only a unique, opaque identifier from your provider. PingClaw does not request or store your email address, phone number, contacts, photos, or other account data.

The web dashboard does not use social sign-in directly. Instead, you generate a short-lived code on your phone and enter it on the website. This ensures your web session is always linked to the same account as your phone.

If you use a self-hosted PingClaw server, authentication uses a pairing token generated by the server. No Apple or Google account is involved — no identity data leaves your device or your server.

Location data

  • Only your most recent location is stored — there is no location history.
  • Location data is held in ephemeral storage (in-memory cache) and expires automatically after 24 hours. It is never written to a permanent database.
  • Your most recent location is replaced every time your phone sends an update.
  • Your location is accessible only through your own account.
  • If you self-host, location data never leaves your own server.

What PingClaw does not do

  • Does not sell, share, or provide your data to third parties.
  • Does not use your data for advertising.
  • Does not track you when sharing is off.
  • Does not store location history.

Authentication tokens

Your account may have up to three token types:

  • Pairing token — used by the iOS or Android app to authenticate with the server.
  • API key — used by your AI agent (e.g. via MCP or ChatGPT) to read your location.
  • Web session — issued when you sign in on the web dashboard.

API keys can be rotated at any time from your dashboard, which immediately invalidates the previous value. Pairing tokens are reissued when you sign in again on the app. All tokens are stored as irreversible SHA-256 hashes — the plaintext is shown once at creation and cannot be retrieved.

Webhooks and OpenClaw gateway

If you configure a webhook, PingClaw stores the webhook URL and the secret you provide. The secret is stored in plaintext (not hashed) because PingClaw must replay it on every outbound POST so your receiver can verify the request came from PingClaw.

If you configure an OpenClaw gateway destination, PingClaw stores the gateway URL, the hook token you provide, the hook path, and your chosen action mode. The hook token is stored in plaintext for the same reason — PingClaw sends it as a Bearer token on every location push to your gateway.

Account deletion

You can delete your account at any time from within the app or web dashboard. This permanently removes your account, your sign-in identities, your authentication tokens, your webhook configuration, your OpenClaw gateway configuration, and your cached location from the server. Deletion is immediate and irreversible.

What is stored on the server

  • Account data: a unique user ID and the dates the account was created and last updated. Stored in the database.
  • Sign-in identities (hosted service only): for each provider you've used (Apple, Google), the provider name and a provider-issued opaque identifier. No email or personal information is stored. Self-hosted servers do not store sign-in identities.
  • Authentication tokens: SHA-256 hashes of your pairing token, API key, and web sessions. The plaintext is never stored. Stored in the database.
  • Webhook (if configured): the URL and secret you supplied. Stored in the database.
  • OpenClaw gateway (if configured): the gateway URL, hook token, hook path, and action mode you supplied. Stored in the database.
  • Current location: your most recent location only. Stored in ephemeral memory with a 24-hour expiry. Never written to the database.
  • Transient caches: to reduce load, the server temporarily caches token lookups (5-minute expiry), webhook configurations (5-minute expiry), and one-time sign-in codes (5-minute expiry). These caches contain no data beyond what is already in the database and expire automatically.
  • Rate limit counters: to prevent abuse, the server stores temporary per-IP request counters (1-hour expiry) and per-user location request counters (1-minute expiry). These contain only an identifier and a count, no location or personal data.

The hosted service at pingclaw.me uses PostgreSQL for persistent data and Redis for ephemeral caches. Self-hosted servers use SQLite and in-memory storage — a single file and process with no external dependencies.

Standard web request metadata (IP address, User-Agent) may be observed by our hosting infrastructure; PingClaw does not durably store it in the application database.

Contact

Questions about this policy? Email [email protected].

pingclaw · location context for any AI agent
© 2026 Christian Reimer