Privacy Policy
Effective date: March 1, 2026 | Last updated: March 20, 2026
One Frequency Inc. (“Claw GRC,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Claw GRC platform, website, APIs, and related services (collectively, the “Service”).
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, organization name, and billing information. If you authenticate via a third-party provider (e.g., Google, GitHub), we receive basic profile information from that provider.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, API calls made, timestamps, IP addresses, browser type, and device information.
Compliance Data
When you use the Service, you may upload or generate compliance data including framework configurations, control implementations, evidence artifacts, assessment results, agent registration data, and audit trail logs. This data is owned by you and processed solely to provide the Service.
Agent Interaction Data
If you connect AI agents via MCP or the Agent Protocol API, we collect agent metadata, interaction logs, trust scores, and chain-hashed audit records. All agent interactions are logged with tamper-evident chain hashing for audit integrity.
2. How We Use Your Information
- Service delivery: To operate, maintain, and improve the Claw GRC platform, including compliance scoring, evidence management, and report generation.
- Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
- Analytics: To understand usage patterns and improve the Service. We use aggregated, anonymized analytics and do not sell individual usage data.
- Communication: To send transactional emails, security alerts, and product updates. You can opt out of non-essential communications at any time.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
3. How We Share Your Information
We do not sell your personal information. We do not share your compliance data with third parties except in the following circumstances:
- With your consent: When you explicitly authorize us to share data (e.g., sharing audit reports with your auditors).
- Service providers: With trusted infrastructure partners (Google Cloud Platform, Stripe for billing) who are contractually bound to protect your data.
- Legal requirements: When required by law, subpoena, or legal process.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice.
4. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Compliance data retention is configurable per organization and can be set to match your regulatory requirements.
Audit trail data is retained for a minimum of 7 years to satisfy SOC 2 and regulatory requirements. Upon account termination, non-audit data is deleted within 90 days. You may request earlier deletion, subject to legal retention obligations.
5. Your Rights
Depending on your jurisdiction, you may have the following rights under GDPR, CCPA, and other applicable data protection laws:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to deletion: Request deletion of your personal data, subject to legal retention requirements.
- Right to portability: Export your compliance data in machine-readable formats (JSON, CSV) at any time via the API or dashboard.
- Right to object: Object to processing of your personal data for specific purposes.
- Right to restrict processing: Request limitation of processing in certain circumstances.
To exercise any of these rights, contact us at privacy@clawgrc.com. We will respond within 30 days.
6. Security Measures
We implement comprehensive security measures to protect your data:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- SOC 2 Type II certified infrastructure on Google Cloud Platform
- PostgreSQL Row-Level Security (RLS) enforcing strict multi-tenant data isolation
- Tamper-evident SHA-256 chain hashing on all audit records
- Regular penetration testing and vulnerability assessments
- Access controls with Firebase Authentication, role-based permissions, and API key management
- Secrets managed via GCP Secret Manager (never stored in code)
7. Cookies and Tracking
We use essential cookies required for authentication and session management. We use anonymized analytics to understand Service usage. We do not use third-party advertising trackers. You can control cookie preferences through your browser settings.
8. International Data Transfers
Your data is processed and stored on Google Cloud Platform infrastructure in the United States. For EU/EEA users, transfers are governed by Standard Contractual Clauses (SCCs) and our Data Processing Agreement. If you require data residency in a specific region, contact us about our enterprise deployment options.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before changes take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related inquiries or to exercise your data rights:
One Frequency Inc.
Email: privacy@clawgrc.com
Website: clawgrc.com/contact
For GDPR-specific requests, contact our Data Protection Officer at dpo@clawgrc.com.