← Back to home

Privacy Policy

Last updated: February 18, 2026

TL;DR — We can't read your data. No one can.

Your health data is encrypted on your device before it ever leaves it. The relay server stores only encrypted blobs. Even if it were compromised, the data would be unreadable without your password.

1. Who we are

ClawPulse is an open-source project that provides a privacy-first bridge between your smartphone's health and activity data and AI agents (such as OpenClaw). The iOS app and relay server are the two components of this system.

2. What data we collect

The relay server stores:

  • A SHA-256 hash of your token (UUID) — used as a lookup key. The original token is never stored.
  • An encrypted binary blob — your health data encrypted with AES-256-GCM on your device. The server cannot decrypt it.
  • A creation timestamp and TTL (time-to-live) — used to auto-expire and delete your data.

The relay server never stores:

  • Your name, email, or any identifying information.
  • Your raw health data (sleep, heart rate, steps, etc.).
  • Your encryption password.
  • Your IP address (beyond what standard server logs contain).

3. How encryption works

All encryption and decryption happens on your devices — never on the server:

  • Your password is processed with PBKDF2 (100,000 iterations) to derive a 256-bit AES encryption key.
  • Data is encrypted with AES-256-GCM before being uploaded.
  • Decryption only happens on your OpenClaw agent, using the password you configured.
  • The relay server is a dumb pipe — it cannot read, modify, or analyze your data.

4. Data retention

Encrypted blobs are automatically deleted after the TTL you set in the app (default: 48 hours). You can also delete your data at any time using the "Nuke" button in the app, which immediately removes all server-side data associated with your token.

5. HealthKit data

The iOS app accesses Apple HealthKit data only with your explicit permission. Each data type (sleep, heart rate, steps, etc.) requires a separate permission grant. You control exactly what is shared. HealthKit data is never shared with third parties and is only used to build the encrypted payload sent to your configured relay server.

6. Third-party services

If you use the hosted relay server (managed by us), your encrypted data transits Cloudflare's network. Cloudflare may log connection metadata (IP addresses, timestamps) per their own privacy policy.

If you self-host the relay server, you are solely responsible for the privacy and security of your deployment.

7. Your rights

You can delete all your data at any time from the app (Nuke button). Because we store no identifying information, we cannot respond to data access requests — we genuinely cannot link any stored blob to any person without the original token.

8. Open source

Both the server and the iOS app are open source. You can verify our privacy claims by reading the code at github.com/rodrigocava/clawpulse. Trust, but verify.

9. Changes to this policy

If we make material changes to this policy, we will update the "Last updated" date above and, where possible, notify users via the app. Continued use after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this policy? Open an issue on GitHub.

Privacy Policy Terms of Service ← Home