1. Who we are
ClawTools is an open-source project developed and maintained by Arpit (GitHub: arpit0515). The software is available at github.com/arpit0515/claw-tools under the MIT license.
When we say "ClawTools", "we", "us", or "our" in this document, we mean the ClawTools open-source project and its maintainers.
2. The fundamental principle
ClawTools is self-hosted software. You download and run it on your own hardware (e.g. a Raspberry Pi, Linux server, or your own computer). This means:
- We have no servers that process your data
- We never receive your email or calendar content
- We never see your OAuth tokens or credentials
- We cannot access your data even if we wanted to
All data flows directly between your device and the third-party services you connect (Google, Microsoft). ClawTools is purely a local intermediary running on hardware you control.
3. Data we access on your behalf
When you connect Google or Microsoft accounts, ClawTools requests OAuth tokens that allow it to access the following data on your local device only:
| Scope / Permission | What it accesses | Why it's needed |
|---|---|---|
| gmail.readonly | Read Gmail messages and metadata | To list, search and summarise your emails for your AI agent |
| calendar.readonly | Read Google Calendar events | To fetch your schedule for morning briefings and planning |
| Microsoft Mail.Read | Read Outlook/Exchange email | Same as Gmail - read-only access for your AI agent |
| Microsoft Calendars.Read | Read Outlook Calendar events | Same as Google Calendar - schedule access for briefings |
We request read-only scopes only. ClawTools cannot send emails, create calendar events, delete data, or modify anything in your accounts. Ever.
4. How your credentials are stored
OAuth tokens are stored locally in the following location on your device:
~/.picoclaw/tokens/user@gmail.com.json
~/.picoclaw/tokens/user@microsoft.com.json
~/.picoclaw/tokens/user@company.com.json
These files are owned by your user account on your device. We strongly recommend:
- Ensuring the token directory has permissions set to 700 (owner read/write only)
- Running ClawTools under a dedicated system user
- Enabling full-disk encryption on your device
Tokens are refreshed automatically and silently. Refresh tokens are stored alongside access tokens. Tokens persist on your device until you explicitly delete them or revoke access - there is no automatic expiry or deletion by ClawTools. You can revoke access at any time from your Google or Microsoft account settings.
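One way to check the permission recommendation above on a Linux device, as an added example rather than code from the ClawTools project. It assumes GNU stat; the function names are hypothetical, and the rule that token files grant nothing to group or other is an assumption, since this policy only specifies the directory mode.

```shell
#!/bin/sh
# Added example: audit a ClawTools token directory for loose permissions.
# Assumes GNU coreutils `stat` (Linux, Raspberry Pi OS).

# Print one line per finding. Returns 0 if clean, 1 if too open, 2 if missing.
audit_token_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # The policy recommends mode 700 on the token directory.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "DIR   $dir has mode $mode, expected 700"
        findings=1
    fi
    # The directory should belong to the user running this check.
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" != "$(id -u)" ]; then
        echo "OWNER $dir is owned by uid $owner, not $(id -u)"
        findings=1
    fi
    # Assumption (not stated in the policy): token files should grant
    # nothing to group or other, i.e. the last two octal digits are 00.
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        case $fmode in
            *00|0) ;;
            *) echo "FILE  $f has mode $fmode, group/other can access it"
               findings=1 ;;
        esac
    done
    return $findings
}

# Tighten the directory and the token files in it.
fix_token_dir() {
    chmod 700 "$1" && find "$1" -type f -name '*.json' -exec chmod 600 {} +
}

# Touch the real location only when asked: sh audit.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    audit_token_dir "${2:-$HOME/.picoclaw/tokens}"
fi
```

Run the audit again after fix_token_dir; a clean directory produces no output and exit status 0.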
5. What Google's data policies require us to disclose
ClawTools' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Data from Gmail APIs is used solely to display email summaries and content to you, the user who installed ClawTools
- Your email data is never transferred to third parties
- Your email data is never used for advertising or marketing purposes
- Your email data is never used to train AI or ML models
- Your email data is never sold or shared with data brokers
- Human access to your email content is not possible - ClawTools has no human operators
ClawTools' use of Google user data is limited to the functionality described in this policy and the product itself.
6. Third-party services your data passes through
How it works today (self-hosted)
In the current self-hosted version of ClawTools, your agent runs entirely on your own hardware (e.g. a Raspberry Pi or personal computer). When you ask your agent to summarise emails or calendar events, that data travels directly from your device to the LLM provider you have personally configured. It does not pass through any ClawTools server. ClawTools has no visibility into, access to, or copy of that data at any point.
This data transfer happens only at your explicit request, using the provider you chose and credentials you entered yourself. You are in full control of which provider receives your data and when.
What this means for Google data specifically
Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Gmail and Google Calendar data accessed via ClawTools is used solely to provide the agent features you request. It is never used for advertising, profiling, or AI model training by ClawTools, and is never transferred to any party other than your personally configured LLM provider at your explicit direction.
Cloud-hosted version (coming soon - updated policy will apply)
A future version of ClawTools will offer an optional cloud-hosted agent service where your agent runs on ClawTools infrastructure rather than your own hardware. When this launches, this section will be updated before the service goes live to fully describe how data is handled in that environment, including data residency, retention periods, encryption in transit and at rest, and the legal basis for processing under GDPR and applicable laws.
In the cloud-hosted model, data will pass through ClawTools servers before reaching your configured LLM provider. Users will be asked to explicitly consent to this updated data flow before enrolling. Self-hosted users will not be affected.
LLM provider policies
Regardless of which mode you use, you should review the privacy policy of your configured LLM provider. ClawTools does not control, audit, or make any guarantees about how these providers handle data. For sensitive use cases, we recommend providers that offer zero-data-retention API plans.
7. Website analytics
The ClawTools website (claw-tools.dev) does not use tracking cookies, third-party analytics, or advertising scripts. No personal data is collected when you visit this website.
Standard server access logs (IP address, request path, user agent) may be retained for up to 30 days for security and debugging purposes. These are never shared with third parties.
8. GitHub repository
The ClawTools source code is hosted on GitHub. If you interact with the repository (filing issues, submitting pull requests, leaving comments), your GitHub username and any content you post becomes visible to anyone on GitHub, subject to GitHub's Privacy Policy.
9. Children's privacy
ClawTools is a developer tool not intended for use by children under 13. We do not knowingly collect information from children. If you believe a child has used ClawTools to connect a Google or Microsoft account, you can revoke access via the respective account's security settings.
10. Changes to this policy
We may update this privacy policy from time to time. Changes will be posted at this URL with an updated effective date. For significant changes, we will post a notice in the GitHub repository. Continued use of ClawTools after changes constitutes acceptance of the updated policy.
11. Your rights
Data retention
ClawTools stores only OAuth tokens on your local device. These are retained for as long as you choose to use ClawTools. No data is retained on ClawTools servers - there are no ClawTools servers involved in the self-hosted version.
Email content, calendar events, and any other data fetched via Google or Microsoft APIs is never written to disk by ClawTools. It exists only in memory during an active agent session and is discarded when the session ends or the process exits.
To remove everything ClawTools has stored:
- Delete the token files: rm -rf ~/.picoclaw/tokens/
- Revoke Google access at myaccount.google.com/permissions
- Revoke Microsoft access at account.live.com/consent/Manage
If you are located in the EU/EEA, you have rights under GDPR. Since we process no personal data on our servers, those rights are exercised directly with Google and Microsoft, who act as data controllers for their respective services.
12. Contact
We'll respond as quickly as we can.