Privacy Policy

This Privacy Policy ("Policy") is issued by Lumixc Inc., a Delaware corporation doing business as ClawPocket ("Company," "we," "us," or "our"). It governs the collection, use, disclosure, retention, and protection of personal information obtained through:

• The ClawPocket iOS mobile application ("App");
• Our website located at clawpocket.com and any associated subdomains ("Site");
• Our pre-launch waitlist and email communications;
• Any future platforms, APIs, or services we offer (collectively, the "Services").

This Policy applies to all users globally. Additional rights and disclosures for California, EEA, and UK residents are provided in dedicated sections below. If you do not agree with this Policy, you should not use the Services.

This Policy is incorporated by reference into our Terms of Service and should be read alongside it. In the event of a conflict, this Policy governs with respect to privacy matters.

For purposes of applicable data protection laws, including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"), the data controller is:

We act as a data controller in respect of personal data collected directly from you. In circumstances where we process data on behalf of third parties (for example, when executing tasks via connected third-party accounts), we may act as a data processor subject to those third parties' instructions and privacy policies.

We collect information through three channels: information you provide directly, information generated automatically by your use of the Services, and information we receive from third-party sources.

3.1 Information You Provide Directly

• Waitlist registration. Your email address when you join the pre-launch waitlist. This is the primary identifier we hold prior to app launch.
• Account creation. Upon app launch, email address, display name, and password (stored in hashed, salted form — we never store plaintext passwords).
• User-generated content. Text instructions, voice inputs, task descriptions, and any content you submit to the AI agent ("Pocket") within the App. This includes queries, commands, uploaded files, and follow-up messages.
• Support communications. Information you provide when contacting our support team, including the content of your messages and any attachments.
• Feedback and surveys. Any optional feedback, survey responses, bug reports, or feature requests you submit.

3.2 Information Collected Automatically

• Usage data. Features accessed, tasks initiated, session frequency and duration, navigation patterns within the App, and interaction timing.
• Device identifiers. Device model, iOS version, unique device identifier (IDFV — Identifier for Vendor, not IDFA unless you grant ATT permission), screen resolution, and locale settings.
• Network data. IP address, network connection type (Wi-Fi, cellular), and general geographic region derived from IP (country/region level only).
• Performance and diagnostics. Crash reports, error logs, latency measurements, and App performance telemetry to identify and resolve technical issues.
• Session metadata. Time stamps for session start/end, task initiation, and task completion events.

3.3 Information from Third-Party Integrations

ClawPocket is an AI agent designed to connect to external services on your behalf. When you authorize such connections, we may access:

• Calendar data (e.g., Apple Calendar, Google Calendar) — event titles, dates, times, and attendees, solely to complete tasks you request.
• Task and note data (e.g., Reminders, Notion, Todoist) — task titles, due dates, and completion status.
• Messaging metadata (e.g., to read or send messages as instructed) — sender/recipient information and message content where you explicitly authorize it.
• Web browsing data — when you activate the autonomous browsing feature, the URLs visited, page content read, and search queries made on your behalf.
• File and document content — only files you explicitly share with Pocket for the purpose of a specific task.

Important: We access third-party data strictly on a task-by-task, minimum-necessary basis. We do not persistently sync, cache, or index your third-party accounts. Data obtained via integrations is used solely to complete your requested task and is not retained beyond the active session unless you explicitly request memory features.

ClawPocket requests iOS system permissions only when required to provide specific features you choose to use. The App complies with Apple's App Store Review Guidelines and Human Interface Guidelines regarding permission usage. We will always explain why a permission is needed before requesting it.

Permissions We May Request

• Microphone (NSMicrophoneUsageDescription). Required to support voice input so you can speak instructions to Pocket. Audio is processed transiently to generate a text transcript; raw audio is not stored on our servers.
• Notifications (UNUserNotificationCenter). To deliver task completion alerts, reminders, and time-sensitive updates you have requested. You may disable notifications at any time in iOS Settings.
• Calendar (NSCalendarsUsageDescription). To read and create calendar events as part of scheduling tasks you assign to Pocket. We do not read calendar data without an active task request.
• Reminders (NSRemindersUsageDescription). To create and manage reminders as directed by you.
• Contacts (NSContactsUsageDescription). Optionally, to address messages or look up contact information as part of a task you initiate. We never export or upload your contacts to our servers.
• Speech Recognition (NSSpeechRecognitionUsageDescription). To convert your spoken input to text using Apple's on-device or server-side speech recognition.
• FaceID/TouchID (NSFaceIDUsageDescription). To secure your session and authenticate task approvals, processed entirely on-device via iOS's LocalAuthentication framework — biometric data never leaves your device.

Permissions We Do Not Request

• Camera. ClawPocket does not access your camera.
• Precise Location. We do not request your precise GPS location. Location context used in tasks (e.g., "restaurants near me") relies solely on city-level context you choose to provide or a general city setting in your profile.
• Photos Library. We do not access your photo library unless you explicitly share a photo as part of a task.
• Health data. We do not integrate with HealthKit or access any health or fitness data.
• Bluetooth or NFC. We do not use Bluetooth or NFC peripherals.

All permission requests include an iOS system prompt with a plain-language explanation. You may revoke any permission at any time via Settings → Privacy & Security on your iPhone. Revoking a permission will disable the associated feature but will not affect other App functionality.

ClawPocket's core feature is an autonomous AI agent ("Pocket") that can take actions on your behalf — browsing the web, reading content, executing multi-step tasks, and interacting with connected services. This section discloses specifically how we handle data in the context of agentic operation.

How Agentic Tasks Work

• When you initiate a task, your instruction is sent securely to our backend, which orchestrates the AI agent.
• The agent may make multiple sub-calls to AI model APIs and perform web navigation steps to complete your request.
• Each step is logged temporarily to maintain task context. Logs are purged upon task completion or session expiry (whichever comes first) unless you have enabled session history.
• You may pause, approve individual actions, send messages mid-task, or stop the agent entirely at any point using the in-app controls.

AI Model Processing

• Task instructions and relevant context are transmitted to third-party large language model (LLM) providers to generate responses and action plans.
• We operate under data processing agreements (DPAs) with all AI providers that prohibit the use of your inputs to train or fine-tune their models.
• We do not use your task data to train our own or any third party's AI models.
• We do not store AI conversation history by default. An optional "Memory" feature, when activated by you, will store summarized session context to improve continuity across sessions; this can be deleted at any time from your account settings.

Web Browsing by the Agent

• When Pocket autonomously browses the web on your behalf, it accesses third-party websites using a controlled browser environment on our infrastructure.
• The content viewed (page text, search results) is processed transiently to generate your task output. This content is not indexed, stored, or associated with your account beyond the duration of the task.
• Third-party websites may log server-side requests originating from our infrastructure. Those logs are subject to the third party's own privacy policies.

We use personal information only for the purposes described below. We do not use your information for purposes materially different from those listed here without obtaining your consent first.

• Service delivery. To process your tasks, operate the App, authenticate your account, and deliver outputs and results to you.
• Waitlist management. To notify waitlist members of the App launch, early access invitations, and significant product milestones.
• Customer support. To respond to your support inquiries, investigate issues, and resolve disputes.
• Service improvement. Aggregated, de-identified usage patterns help us identify bugs, optimize performance, and prioritize new features. This analysis does not involve reviewing individual task content.
• Safety and integrity. To detect, investigate, and prevent fraudulent, abusive, or illegal use of the Services, including unauthorized access and policy violations.
• Legal compliance. To meet our obligations under applicable law, respond to lawful legal process, enforce our Terms of Service, and protect the rights, property, and safety of our users and the public.
• Business communications. To send you service-related notices (e.g., policy updates, security alerts) and, with your consent, product updates and announcements. You may opt out of marketing communications at any time.

What we never do: We do not sell your personal information. We do not show you targeted advertising. We do not build advertising profiles. We do not use your task content to train AI models.

For users in the EEA and UK, we process personal data under the following legal bases pursuant to Article 6 of the GDPR:

• Contractual necessity (Art. 6(1)(b)). Processing your account data and task instructions is necessary to deliver the Services you have requested.
• Legitimate interests (Art. 6(1)(f)). We process usage data and diagnostics to improve service quality, maintain security, and prevent abuse, where such interests are not overridden by your fundamental rights. We have conducted legitimate interests assessments (LIAs) for each such processing activity.
• Legal obligation (Art. 6(1)(c)). Where we are required by law to process or retain certain data.
• Consent (Art. 6(1)(a)). For marketing communications and optional features such as Memory. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Service providers (processors). We engage vetted third-party vendors to support our infrastructure, including cloud hosting, database services, email delivery, error monitoring, and analytics. Each provider is bound by a data processing agreement (DPA) restricting use of your data to providing services to us only.
• AI model API providers. Task instructions and necessary context are transmitted to LLM providers strictly to fulfill your requests. These providers are prohibited by contract from using your data for model training.
• Legal and regulatory disclosures. We may disclose information when required by a valid subpoena, court order, or applicable law; to comply with a government investigation; to enforce our Terms of Service; or to protect the safety of any person. Where legally permitted, we will notify you of such requests.
• Business transfers. In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your personal data may be transferred to a successor entity. We will provide at least 30 days' notice via email and/or prominent in-app notice prior to any such transfer, and you will retain the right to request deletion.
• Aggregated, de-identified data. We may share aggregated statistical data that cannot reasonably be used to identify you (e.g., "X% of users complete tasks in under 30 seconds") for research, marketing, or industry reporting purposes.
• With your explicit consent. In any other circumstances, only with your prior informed consent.

The App integrates a limited number of third-party SDKs and services. We disclose these integrations in the interest of transparency:

• Neon (PostgreSQL database). Used to store waitlist email addresses and account data. Data is stored in encrypted form within the United States. Neon is SOC 2 Type II compliant.
• Apple Push Notification Service (APNs). Used to deliver push notifications to your device. APNs is operated by Apple Inc. and subject to Apple's Privacy Policy.
• AI model providers. We utilize one or more large language model providers under DPAs. Specific providers are disclosed in our operational documentation and may be updated as our infrastructure evolves.
• Error monitoring. We use a crash reporting service to receive anonymized stack traces and error logs. No personal identifying information is included in crash reports.

We do not integrate any advertising networks, social media tracking SDKs, or behavioral analytics tools. We do not include Facebook/Meta, Google Analytics, or any ad attribution SDKs in the App.

The App does not use any third-party SDKs that trigger Apple's App Tracking Transparency (ATT) requirement through access to the IDFA.

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Our specific retention practices are:

• Waitlist email addresses. Retained from registration until either (a) you unsubscribe or request deletion, (b) the App reaches general availability and transition to account management occurs, or (c) 24 months of inactivity, whichever comes first.
• Account data. Retained for the duration of your active account plus 90 days following account deletion, to allow for dispute resolution and recovery from accidental deletion. After 90 days, data is permanently purged.
• Task data and AI interactions. Not retained beyond the active session by default. Optional Memory data is retained until you delete it via account settings.
• Usage logs and diagnostics. Retained for up to 90 days in identifiable form, then aggregated and de-identified for product analytics for up to 24 months.
• Legal hold data. Where we receive a valid legal hold order, relevant data may be retained beyond normal retention periods solely to comply with that obligation.
• Financial and transactional records. Retained for 7 years as required by applicable tax and financial regulations.

To request deletion of your data, contact us at privacy@clawpocket.com. We will confirm receipt within 5 business days and complete deletion within 30 calendar days unless a legal exception applies.

We implement a defense-in-depth approach to security, employing technical, administrative, and organizational measures proportionate to the sensitivity of the data we process.

Technical Safeguards

• Encryption in transit. All data transmitted between the App and our servers uses TLS 1.3. We enforce certificate pinning in the iOS App to prevent man-in-the-middle attacks.
• Encryption at rest. Database data is encrypted at rest using AES-256. Passwords are hashed using bcrypt with a per-user salt.
• Access controls. Internal access to production systems and personal data follows a least-privilege model with mandatory MFA for all engineering personnel.
• Network security. Production infrastructure is isolated behind virtual private networks with firewall rules restricting inbound access.
• On-device security. Sensitive session tokens are stored in the iOS Keychain, never in unprotected storage or iCloud-synced locations.

Administrative Safeguards

• Privacy and security training is mandatory for all employees and contractors with access to personal data.
• We conduct periodic internal security reviews and maintain an incident response plan.
• Third-party vendors are vetted for security posture prior to onboarding and subject to contractual security obligations.

Data Breach Response

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users without undue delay and, where required, notify applicable regulatory authorities within 72 hours in compliance with GDPR Article 33. Notifications will include the nature of the breach, categories of data affected, likely consequences, and remediation measures taken.

To report a security vulnerability, contact us at security@clawpocket.com. We follow responsible disclosure principles and will acknowledge reports within 48 hours.

Regardless of your location, we honor the following rights for all users:

• Right to know. You may request a summary of the personal information we hold about you and how it is used.
• Right to access. You may request a copy of your personal data in a portable, machine-readable format (JSON or CSV).
• Right to correction. You may request correction of inaccurate or incomplete data we hold about you.
• Right to deletion. You may request erasure of your personal data subject to legal retention requirements.
• Right to restrict processing. You may request that we limit our use of your data in certain circumstances.
• Right to object. You may object to processing based on legitimate interests or direct marketing at any time.
• Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
• Right to opt out of marketing. Every marketing email includes a one-click unsubscribe link. You may also email us to be removed from all marketing lists.

To exercise any right, contact privacy@clawpocket.com with the subject line "Privacy Rights Request." We will verify your identity before processing the request and respond within 30 calendar days (45 days for complex requests, with notice).

We will not discriminate against you for exercising any privacy right.

If you are a California resident, you have rights under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA").

Categories of Personal Information Collected (Past 12 Months)

• Identifiers — email address, device identifier (IDFV), IP address.
• Internet/electronic activity — usage data, session logs, crash reports.
• Audio/electronic data — voice inputs (transiently, not stored).
• Inferences — aggregated feature usage patterns for service improvement (de-identified).

We do not collect Social Security numbers, financial account numbers, health data, racial or ethnic origin, political opinions, religious beliefs, or biometric identifiers.

Your California Rights

• Right to know — categories and specific pieces of personal information collected, disclosed, sold, or shared.
• Right to delete — personal information we have collected, subject to exceptions.
• Right to correct — inaccurate personal information.
• Right to opt out of sale or sharing — We do not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Services.
• Right to non-discrimination — we will not deny service, charge different prices, or provide a lesser quality of service for exercising your CCPA rights.

To submit a CCPA request, email privacy@clawpocket.com with "CCPA Request" in the subject line. We will respond within 45 calendar days. Authorized agents may submit requests with proof of written authorization from the consumer.

Shine the Light (California Civil Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.

If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK"), the GDPR and UK GDPR respectively apply to our processing of your personal data.

• Data subject rights. In addition to the universal rights described in Section 12, you have the right to lodge a complaint with your national data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
• Data transfers. See Section 16 regarding our approach to international data transfers, including the use of Standard Contractual Clauses.
• Automated decision-making. We do not make solely automated decisions that produce legal or similarly significant effects on you without human review. The AI agent acts on your explicit instructions and does not make autonomous decisions that affect your legal rights.
• Data Protection Officer. Given our current size and processing activities, we are not required to appoint a DPO. However, all data protection inquiries are handled by our designated privacy team at privacy@clawpocket.com.

ClawPocket is not directed to, and we do not knowingly collect personal information from, children under the age of 13 in the United States (or the applicable minimum age in other jurisdictions — 16 in certain EEA member states). The Services are intended for users who are at least 13 years old, or older where required by local law.

We do not knowingly market to children. The App is rated 17+ on the Apple App Store, which provides a first-level age gate. If we learn we have inadvertently collected personal information from a child under the applicable age of consent, we will:

• Promptly delete that information from our systems;
• Notify the child's parent or guardian where we have contact information available;
• Review the circumstances to prevent recurrence.

If you believe we may have collected information from a child under the applicable age limit, please contact us immediately at privacy@clawpocket.com.

We are headquartered in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following transfer mechanisms:

• Standard Contractual Clauses (SCCs). We incorporate the European Commission's approved SCCs (2021/914/EU) into our data processing agreements with service providers receiving EEA personal data.
• UK International Data Transfer Agreements (IDTAs). For transfers from the UK, we use the ICO-approved IDTA or the addendum to EU SCCs.
• Adequacy decisions. Where the European Commission or UK Secretary of State has recognized a third country as providing adequate protection, we rely on that adequacy decision.

You may obtain a copy of the safeguards we use for international transfers by contacting us at privacy@clawpocket.com.

Under Apple's App Tracking Transparency framework (ATT, introduced in iOS 14.5), apps must request permission before tracking users across apps and websites owned by other companies for advertising purposes.

ClawPocket does not engage in cross-app or cross-website tracking for advertising purposes. We do not access the IDFA (Identifier for Advertisers). Accordingly, we do not present an ATT permission prompt. We use only the IDFV (Identifier for Vendor), which is scoped to our app and cannot be used to track you across other companies' apps.

We have no advertising partnerships, affiliate tracking, or retargeting integrations. This reflects our commitment to a tracking-free experience for our users.

We reserve the right to modify this Policy at any time. The nature and extent of notification we provide will be proportionate to the significance of the change:

• Material changes — changes that meaningfully affect your rights or how we use your data — will be communicated by email to your registered address and/or via an in-app notice at least 30 days before the change takes effect. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
• Non-material changes — such as clarifications, corrections, or updates to reflect new legal requirements — will be reflected by updating the "Last updated" date at the top of this page without separate notice.

We maintain a version history of this Policy. If you would like to review prior versions, contact us at privacy@clawpocket.com.

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our privacy team:

We aim to acknowledge all privacy inquiries within 2 business days and resolve them within 30 calendar days. For complex requests, we may extend this period by up to 45 additional days with notice.

If you are not satisfied with our response, you have the right to:

• Lodge a complaint with your national or state data protection authority;
• Seek a judicial remedy before a court of competent jurisdiction;
• Contact the FTC (US), ICO (UK), or your applicable EEA supervisory authority.

This Privacy Policy was drafted with reference to GDPR (EU 2016/679), UK GDPR, CCPA/CPRA (California Civil Code § 1798.100 et seq.), COPPA (15 U.S.C. § 6501 et seq.), Apple App Store Review Guidelines, and general iOS data minimization best practices.