Privacy Policy

Last updated: April 2026

1. Introduction

RightClaw.ai ("RightClaw", "we", "us", or "our") is operated by Right Servers Inc., a Canadian company headquartered in Waterloo, Ontario. We are committed to protecting your privacy and handling your data in a transparent and secure manner.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use:

• Our website: https://rightclaw.ai

• Our management dashboard

• Our platform and services (collectively, the "Services")

Privacy inquiries: support@rightservers.com

By using our Services, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Services.

2. Data Controller and Processor Roles

Right Servers Inc. acts in different capacities depending on the type of data being processed:

As a Data Controller (account and billing data): Right Servers Inc. determines the purposes and means of processing your account information, billing data, and platform usage data. We are the data controller for this category of data.

As a Data Processor (hosted VM data): For data you store, process, or generate on your hosted virtual machine — including data your AI agent processes — Right Servers Inc. acts as a data processor on your behalf. You (the customer) are the data controller for that data. You determine what is processed, how, and for what purpose. We process it solely by operating your VM and do not access, monitor, or share it.

This split model is important for your own compliance obligations: if you process personal data on your VM, you are the controller, responsible for lawful basis, data subject requests, and applicable privacy law compliance.

3. Information We Collect

3.1 Account Information (Right Servers as Controller)

• Full name

• Email address

• Company name (if applicable)

• Billing address

• Billing information (processed via third-party payment providers — we do not store full card numbers)

3.2 Usage & Interaction Data (Right Servers as Controller)

• Platform activity and usage patterns (e.g., dashboard logins, feature usage)

• Logs and diagnostics data (e.g., uptime, resource usage for billing and service management)

3.3 VM and AI Agent Data (Right Servers as Processor)

Your AI agent runs on a dedicated virtual machine provisioned exclusively for your account. Prompts, instructions, and data you submit to your AI agent are processed directly between your VM and the third-party AI provider(s) you configure. Right Servers does not have access to, collect, or store your AI conversations, prompts, or completions.

We retain VM infrastructure metrics (resource usage, uptime logs) solely for billing and service management. This does not include the content of your AI interactions.

3.4 Technical Data

• IP address

• Browser type and version

• Device information

• Operating system

• Referring URLs

3.5 Cookies & Tracking Technologies

We use cookies and similar technologies to maintain session state, improve platform performance, analyze usage patterns, and enhance user experience. For full details, see our Cookie Policy.

4. How We Use Your Information

We use your information to:

• Provide, operate, and maintain the Services

• Provision and manage your hosted environment

• Process transactions, billing, and invoicing

• Send service notifications (maintenance, security alerts, renewals)

• Provide customer support

• Improve platform performance, features, and user experience

• Monitor security, detect fraud, and prevent abuse

• Comply with legal and regulatory obligations

• Enforce our Terms of Service

We do not use your information for advertising. We do not sell your personal data.

5. AI & Data Processing

5.1 AI Processing Architecture

• Your AI agent runs on a dedicated VM provisioned exclusively for your account

• User inputs are processed by AI systems configured by you (e.g., OpenAI, Anthropic, Google)

• This processing occurs directly between your VM and the AI provider — Right Servers does not intercept, store, or have access to AI conversations or completions

• Each customer's environment is isolated from other customers

5.2 Model Training

We do not use customer data to train any AI models. We do not provide customer data to third parties for model training. Third-party AI providers you connect may process data per their own privacy policies — review those before configuring your agent.

5.3 Data Responsibility

You are responsible for:

• Having the legal right to submit any data into the platform

• Not submitting restricted or regulated data without appropriate safeguards

• Complying with all applicable laws regarding data you process through the Services

• Reviewing and accepting the privacy policies of any third-party AI providers you connect

5.4 Accuracy Disclaimer

AI-generated outputs may be incomplete, inaccurate, or misleading. They should not be relied upon as the sole basis for critical decisions and should be reviewed by a qualified human before action is taken.

6. Commercial Electronic Messages (CASL)

Right Servers Inc. complies with Canada's Anti-Spam Legislation (CASL) as the primary applicable anti-spam framework. We will only send commercial electronic messages to you with your express or implied consent, and all messages will include an unsubscribe mechanism. To withdraw consent or report an issue, contact support@rightservers.com.

7. Third-Party Services

We use third-party providers including:

• AI providers (e.g., OpenAI, Anthropic, Google) — configured and connected by the customer directly from their VM

• Payment processors (e.g., Stripe) — PCI-DSS compliant

• DNS and security (Cloudflare) — DNS, CDN, and DDoS protection

• Hosting and infrastructure providers — enterprise VMware infrastructure

• Analytics tools — for website and platform usage analysis

These providers may process your data under their own privacy policies. We select providers that maintain appropriate security and privacy practices.

8. Data Sharing & Disclosure

We do not sell your personal data. We never have and never will.

We may share data only in the following limited circumstances:

• Service providers and vendors necessary to operate the platform (subject to confidentiality obligations)

• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests

• Safety and rights: To protect the rights, property, or safety of Right Servers, our customers, or the public

• Business transfers: In connection with a merger, acquisition, or sale of assets; your data would remain subject to this Privacy Policy

9. Data Retention

• Account data: For the duration of your active account

• Billing records: Up to 7 years after account closure for tax and legal compliance

• Service logs: For a reasonable period necessary to provide the Services and resolve disputes

• VM data: Retained 30 days post-termination, then permanently deleted; you may request a copy during this period

• Legal obligations: As required by applicable law

We may anonymize data for aggregate analytics. Anonymized data is not personal data and may be retained indefinitely.

10. Data Security

We implement industry-standard security measures including:

• Encryption in transit (SSL/TLS) and encrypted storage for sensitive account data

• Access controls and role-based authentication

• Firewalls, intrusion prevention, and SSH hardening

• Isolated customer environments — each customer VM is fully separated

• Regular security updates applied to all managed infrastructure

Breach notification: In the event of a data breach affecting your personal information, we will notify you as required by applicable law, including PIPEDA's mandatory breach reporting requirements. Breaches posing a real risk of significant harm will be reported to the Office of the Privacy Commissioner of Canada and affected individuals.

No system is 100% secure. You are responsible for maintaining the security of your account credentials and API keys stored on your VM.

11. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data

• Correction: Request correction of inaccurate or incomplete data

• Deletion: Request deletion of your personal data (subject to legal retention obligations)

• Restriction: Request that we restrict processing of your data

• Objection: Object to our processing

• Portability: Request your data in a structured, machine-readable format

• Withdraw consent: Withdraw consent for non-essential processing at any time

• Complaint: Lodge a complaint with your local data protection authority

Canadian residents (PIPEDA — primary framework): PIPEDA (Personal Information Protection and Electronic Documents Act) is the primary privacy law governing our handling of your personal information. You may make a complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

California residents (CCPA/CPRA):

• Categories of personal information collected: Identifiers (name, email, IP address), commercial information (billing records), internet/network activity (usage logs), geolocation data (region selection), and inferences drawn from the above.

• Notice at Collection: We collect these categories for the business purposes described in Section 4.

• Your rights: Know what personal information we collect, request deletion, correct inaccurate personal information, opt out of the sale or sharing of personal information (we do not sell or share), limit use of sensitive personal information, and non-discrimination for exercising your rights.

• Enforcement: Rights under the CCPA may be enforced through the California Privacy Protection Agency (CPPA).

EU/EEA residents (GDPR): Our legal basis for processing is contractual necessity (to provide the Services) and legitimate interest (security, fraud prevention). You have all rights listed above and may lodge a complaint with your local supervisory authority.

UK residents (UK GDPR): Our processing of UK personal data is subject to the UK GDPR and Data Protection Act 2018. For transfers of UK personal data to third countries, we use the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses as appropriate.

To exercise any rights, contact: support@rightservers.com. We will respond within 30 days (or as required by applicable law).

12. International Data Transfers

Right Servers operates infrastructure in Canada and the United States.

• Account and billing data: Stored on servers in Canada

• VM infrastructure: Located in the region you select at signup

For transfers of EU/EEA personal data to jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. For UK personal data transfers, we use the UK IDTA or UK Addendum as applicable.

13. Changes to This Policy

We will notify users of material changes by updating the "Last Updated" date, providing notice in the platform dashboard, and sending email notification to active customers at least 30 days before material changes take effect.

14. Contact Us

Right Servers Inc.
Operating as RightClaw.ai
Waterloo, Ontario, Canada

Privacy inquiries: support@rightservers.com
Website: https://rightservers.com

---

This Privacy Policy is designed to comply with PIPEDA (Canada, primary), CCPA/CPRA (California), GDPR (EU/EEA), and UK GDPR. Right Servers Inc. is committed to maintaining compliance as regulations evolve.