Privacy Policy

1. Introduction

This Privacy Policy explains how Ghumaan Ventures, LLC ("Company," "we," "us," or "our"), operating as Lobstir, collects, uses, and protects your information when you use our managed AI agent hosting platform ("Service").

By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Account Information

When you sign in with Google OAuth, we collect:

• Name — your Google account display name
• Email address — used for account identification and communication
• Profile picture URL — displayed in the dashboard

We do not receive or store your Google password.

2.2 Billing Information

Payment processing is handled entirely by Stripe. We store only:

• Your Stripe customer ID (for linking your account to your subscription)
• Subscription plan, status, and billing interval

We do not store credit card numbers, bank account details, or other payment credentials. All payment data is managed by Stripe under their Privacy Policy.

2.3 Agent Configuration

When you create and configure AI agents, the following data is stored within your isolated container volumes:

• Agent configuration (provider, model, channels, policies)
• Personality files (SOUL.md, IDENTITY.md, USER.md)
• Scheduled task definitions
• Channel session data (e.g., WhatsApp authentication)

This data resides on Docker volumes associated with your containers and is not accessed by Lobstir staff except for debugging with your explicit consent.

3. LLM API Keys

Lobstir uses a Bring Your Own Key (BYOK) model. Your LLM API keys are:

• Stored only in your container's configuration file on the persistent volume
• Passed directly to the OpenClaw process inside your isolated container
• Never logged in application logs or error reports
• Never transmitted to Lobstir servers beyond the initial write to your container config
• Deleted permanently when you destroy your agent

We cannot see, access, or recover your API keys after they are written to your container configuration.

4. Channel Messages

Messages from connected channels (WhatsApp, Telegram, Discord, Slack) are:

• Processed entirely inside your isolated container by the OpenClaw instance
• Not intercepted, read, or stored by Lobstir's infrastructure
• Sent directly between the channel platform and your container via encrypted connections

We have no visibility into the content of messages your agents send or receive. Message handling is governed by your channel platform's own privacy policies and your agent's configuration.

5. Cookies

We use a single session cookie (lobstir_session) for authentication purposes only. This cookie:

• Is HTTP-only (not accessible to JavaScript)
• Is secure in production (HTTPS only)
• Expires after 30 days
• Contains only a random session identifier

We do not use tracking cookies, advertising cookies, or analytics cookies.

6. Third-Party Services

The Service integrates with the following third parties:

Each third party operates under their own privacy policy. We encourage you to review them.

7. Server Logs

Our servers maintain basic operational logs that may include:

• IP addresses of incoming requests
• Request timestamps and HTTP methods
• API endpoint paths (not request bodies)
• Error messages for debugging

Server logs are retained for up to 30 days and are used exclusively for debugging and security monitoring. We do not use analytics platforms, tracking pixels, or behavioral profiling.

8. Data Retention

• Account data (name, email, avatar) — retained while your account is active
• Container data (config, volumes) — deleted permanently when you destroy an agent
• Billing records — retained as required by applicable tax and financial regulations
• Server logs — retained for up to 30 days

When you delete your account, we delete your user record, session data, and tank ownership records. Any remaining container data is permanently destroyed.

9. Data Security

We protect your data through:

• TLS encryption on all connections
• Isolated Docker containers per tenant with dropped capabilities
• SSH key-only access to servers (no password authentication)
• UFW firewall restricting access to ports 22, 80, and 443 only
• Automatic security updates on server infrastructure

10. Data Sharing

We do not:

• Sell your personal data to anyone
• Share data with advertisers
• Use your data for training AI models
• Provide data to data brokers

We may disclose information only if required by law, legal process, or to protect the safety and security of our users and the Service.

11. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the right to:

• Access — request a copy of your personal data
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — request export of your data in a machine-readable format
• Objection — object to processing of your data

To exercise any of these rights, email us at support@lobstir.ai. We will respond within 30 days.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For privacy-related questions or requests, contact us at:

Ghumaan Ventures, LLC
Email: support@lobstir.ai