Privacy Policy

Last updated: 31 March 2026

1. Introduction

MultiClaw is an AI agent desktop automation platform developed and operated by AiCoaches dot com LLC (referred to in this policy as "MultiClaw", "we", "us", or "our"). MultiClaw is a Multiplai.tech product. This Privacy Policy explains how we collect, use, share, and protect personal data when you use our products and services.

Our products include the MultiClaw desktop application, the MultiClaw Cloud web platform, the MultiClaw Chrome Extension, and the cloud virtual desktops on which your AI agents run (collectively, the "Services"). This policy applies to all of these.

We are committed to protecting your personal data and handling it in a transparent, lawful manner in accordance with the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and other applicable privacy laws.

Please read this policy carefully. If you have questions, please contact us through our website.

2. Who We Are (Data Controller)

For the purposes of UK GDPR and EU GDPR, the data controller is:

AiCoaches dot com LLC
Trading as MultiClaw
Contact: https://multiclaw.io

As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is carried out lawfully.

3. What Personal Data We Collect

We only collect personal data that is necessary for providing and improving our Services. Below is a complete description of the categories of data we collect and how they arise.

3.1 Account and Identity Data

When you create a MultiClaw account, we collect your name and email address. We use this information to identify your account, authenticate you into the Services, and communicate with you about your account.

3.2 Workspace and Team Data

When you create or join a workspace on MultiClaw Cloud, we collect workspace metadata, including workspace name, team membership, and role assignments. This data is stored on MultiClaw Cloud and is necessary to operate the multi-user workspace features.

3.3 Technical and Access Data

When you access MultiClaw Cloud or our marketing website, our servers automatically record IP addresses and browser user agent strings in standard server logs. These logs help us diagnose technical issues, detect abuse, and maintain the security of our infrastructure. Server log data is retained for 90 days, after which it is deleted.

3.4 Agent Conversation Data

When you run AI agents through MultiClaw, the conversation content (your instructions to agents and agent responses) is handled as follows:

• Local conversations (run entirely on your device without cloud sync) are stored on your device only and are never transmitted to MultiClaw's servers.
• Synced conversations (where you have enabled cloud sync) are stored on MultiClaw Cloud to enable access across devices and team collaboration.

We transmit your conversation content to third-party AI model providers to generate agent responses. Please see Section 6 (Data Sharing) and Section 9 (AI-Specific Disclosures) for details. Your conversation data is never used to train AI models operated by AiCoaches dot com LLC.

3.5 Workflow Recording Data

The MultiClaw Chrome Extension can record browser-based workflows to create automations. Workflow recordings capture the sequence of browser interactions (clicks, navigation, form inputs) performed during a recording session. This data is stored locally on your device and, if you choose to upload a workflow to MultiClaw Cloud, is stored on the cloud platform. You control when recordings are made and what is uploaded.

3.6 Browser Extension Data

The MultiClaw Chrome Extension is used to record workflows and facilitate browser automation. The extension only captures browser activity during an active recording session that you have explicitly started. The extension does not monitor your browsing activity at any other time, does not collect browsing history, and does not send passive telemetry.

3.7 Communications Data

If you contact us by email or through any support channel, we retain the content of your communications, your email address, and any other personal data you choose to include in your message. This data is used solely to respond to your enquiry and to maintain a record of our communications.

3.8 Data We Do Not Collect

The MultiClaw desktop application does not collect usage analytics, telemetry, or crash reports for transmission to our servers. Crash logs are saved locally on your device only and are never automatically uploaded. We do not collect payment card numbers or banking details directly — any payment processing is handled by our payment processor under their own privacy policy.

4. Legal Bases for Processing

Under UK GDPR and EU GDPR, we must have a valid legal basis for each processing activity. The following table sets out our legal basis for each category of processing:

Where we rely on legitimate interests, we have carried out a balancing test and are satisfied that our interests are not overridden by your rights and interests. You have the right to object to processing carried out on legitimate interest grounds — see Section 11 (Your Rights).

5. How We Use Your Data

We use your personal data only for the purposes described at the time of collection and set out in this policy. Specifically, we use your data to:

• Create and maintain your account and workspace.
• Provision, operate, and maintain the Services, including provisioning cloud desktops and running AI agents on your behalf.
• Authenticate you when you sign in to MultiClaw Cloud or the desktop application.
• Send you service-related communications, including security alerts, account notifications, and billing information. We do not send marketing emails without your explicit consent.
• Maintain audit logs to support administrative governance and workspace security oversight.
• Diagnose and resolve technical problems using server log data.
• Detect, investigate, and prevent fraudulent, abusive, or illegal activity on our platform.
• Comply with our legal obligations.
• Respond to your support and enquiry communications.

We will not use your personal data for purposes incompatible with those listed above without your prior consent or a new valid legal basis.

6. Data Sharing and Sub-processors

We do not sell your personal data to any third party. We share personal data only in the circumstances described below.

6.1 Infrastructure Sub-processors

We use a limited set of third-party infrastructure providers (sub-processors) to operate the Services. These include cloud hosting providers, database providers, and email delivery services. All sub-processors are engaged under data processing agreements that require them to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.

A list of sub-processors will be made available when the Service is generally available. We will provide at least 30 days' notice of any new sub-processors that we intend to engage.

6.2 AI Model Providers

To generate agent responses, your conversation content and agent instructions are transmitted to third-party AI model providers (large language model APIs). These providers act as data processors and process your data solely to generate completions. We select providers whose data processing agreements prohibit the use of your data for training their models. The specific providers in use are listed in our sub-processor register.

6.3 Legal and Regulatory Disclosure

We may disclose personal data where required to do so by applicable law, court order, or regulatory authority, or where we believe disclosure is necessary to protect our legal rights, prevent fraud, or protect the safety of any person.

6.4 Business Transfers

In the event of a merger, acquisition, asset sale, or other corporate restructuring, your personal data may be transferred to the successor entity. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

7. International Data Transfers

MultiClaw Cloud is hosted on Amazon Web Services (AWS). By default, cloud desktop instances run in the us-east-1 (Virginia, USA) region. If you require your data to be hosted in the European Union, an EU region is available on request — please contact us through our website.

Because the United States is not subject to a UK or EU adequacy decision for all processing contexts, transfers of personal data to US-based infrastructure are protected by the following mechanisms:

• Standard Contractual Clauses (SCCs) — the EU Commission's 2021 SCCs (Module 2: controller to processor) are incorporated into our data processing agreements with US-based sub-processors.
• UK International Data Transfer Agreement (UK IDTA) — for transfers from the United Kingdom, we rely on the UK IDTA, or the EU SCCs with the UK Addendum, as applicable.

We conduct transfer impact assessments for transfers to third countries and implement any additional supplementary measures required to ensure an essentially equivalent level of protection.

8. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Upon expiry of these periods, personal data is securely deleted or anonymised. Where deletion is technically delayed (for example, in backup systems), data remains subject to this policy until deletion is complete.

When you close your account, you have a 30-day window to export your data before deletion. Please see Section 11 for instructions on how to request a data export.

9. AI-Specific Disclosures

Because MultiClaw is an AI agent automation platform, we want to be transparent about how your data is handled in the context of AI operations.

9.1 Your Data Is Not Used for AI Training

AiCoaches dot com LLC does not use your conversation content, instructions, workflows, or any other personal data to train, fine-tune, or evaluate AI models. We select AI model providers who contractually commit to the same restriction.

9.2 How Agent Conversations Are Processed

When an AI agent executes a task, your instructions and prior conversation context are sent to a third-party AI model provider to generate a response. This processing is governed by:

• The legal basis of contract performance — generating agent responses is an essential part of the Service you have contracted for.
• Data processing agreements between AiCoaches dot com LLC and the AI model provider, incorporating SCCs where the provider is based outside the UK/EU.

9.3 Agent Actions on Third-Party Services

When an AI agent performs tasks that involve accessing third-party services (for example, browsing websites, submitting forms, or interacting with connected applications), the agent acts as your delegate. Any personal data disclosed to or retrieved from third-party services in the course of agent execution is governed by the third party's own privacy policy. We are not responsible for the privacy practices of websites or services that your agents interact with at your direction.

9.4 Human Oversight

MultiClaw's task execution model is designed with human oversight: agents draft a plan before taking any action, and you must approve the plan before execution begins. This approval gate is a deliberate design decision to keep you informed and in control of agent behaviour.

9.5 No Automated Decision-Making with Legal Effect

We do not use automated decision-making processes (including profiling) that produce decisions with a legal or similarly significant effect on you as an individual (within the meaning of Article 22 UK GDPR / EU GDPR). Agents execute tasks that you have directed and approved; they do not make decisions about you.

10. Cookies and Tracking Technologies

10.1 Marketing Website (multiclaw.io)

Our marketing website uses analytics cookies to help us understand how visitors use the site. These cookies are not set until you have given your consent via our cookie consent banner. You can withdraw your consent at any time by clicking the cookie preferences link in the site footer.

We do not use advertising or retargeting cookies on our marketing website.

10.2 MultiClaw Cloud Web App

The MultiClaw Cloud web application uses session cookies only. These cookies are strictly necessary to keep you signed in and to maintain your session state. They do not track your activity across other websites, are not used for advertising, and do not require separate consent under PECR.

10.3 Desktop Application

The MultiClaw desktop application is a native application and does not use browser cookies. As described in Section 3.8, it does not collect telemetry or usage analytics.

11. Your Privacy Rights

11.1 Rights Under UK GDPR and EU GDPR

If you are located in the United Kingdom, the European Economic Area, or another jurisdiction with comparable data protection laws, you have the following rights in respect of your personal data:

• Right of access — You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification — You have the right to ask us to correct personal data that is inaccurate or incomplete.
• Right to erasure ("right to be forgotten") — You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected.
• Right to data portability — You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
• Right to restrict processing — You have the right to ask us to pause processing of your personal data in certain circumstances, for example while you contest its accuracy.
• Right to object — You have the right to object to processing based on our legitimate interests, including profiling. We will cease processing unless we have compelling legitimate grounds that override your rights, or processing is necessary for legal claims.
• Right to withdraw consent — Where we rely on consent as the legal basis for processing (for example, for analytics cookies or marketing emails), you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
• Right not to be subject to solely automated decisions — As described in Section 9.5, we do not make decisions about you based solely on automated processing with legal or similarly significant effects.

To exercise any of these rights, please contact us through our website. We will respond to your request within one calendar month. We may need to verify your identity before processing your request.

11.2 Rights of California Residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

• Right to know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
• Right to delete — You may request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct — You may request correction of inaccurate personal information we hold.
• Right to opt out of sale or sharing — We do not sell or share your personal information with third parties for cross-context behavioural advertising. No opt-out is required because we do not engage in these activities.
• Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, please contact us through our website. We will acknowledge receipt within 10 business days and respond within 45 calendar days.

Categories of personal information collected in the past 12 months: identifiers (name, email address, IP address), internet or other electronic network activity information (server logs, session data), and commercial information (subscription tier, billing records). We have not sold or shared any personal information in the past 12 months.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our security programme is designed in alignment with ISO/IEC 27701 (the international standard for privacy information management).

Security measures include encryption of data in transit using TLS, access controls limiting data access to authorised personnel who require it to perform their role, and regular review of our security practices.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by applicable law (for example, within 72 hours under UK GDPR or EU GDPR where those regimes apply), and will notify you directly if the breach is likely to result in a high risk to you, without undue delay.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Children's Privacy

The Services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected personal data from a child under 16, please contact us through our website and we will delete that data promptly.

14. Third-Party Links and Integrations

The Services may contain links to third-party websites or integrate with third-party platforms (for example, via planned MCP tool integrations when available). Clicking on those links or interacting with those integrations may allow third parties to collect data about you. We do not control the privacy practices of third parties and are not responsible for their privacy policies or data handling. We encourage you to review the privacy policies of any third-party services you use.

15. Governing Law and Supervisory Authority

This Privacy Policy is governed by applicable law. Where UK GDPR applies, the relevant supervisory authority is the Information Commissioner's Office (ICO).

Right to lodge a complaint: If you have a concern about how we have handled your personal data, you have the right to lodge a complaint with:

• UK residents and UK data subjects: the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
• EU/EEA residents: your national data protection authority. A directory of EU supervisory authorities is available at edpb.europa.eu.

We would always appreciate the opportunity to address your concerns directly before you contact a supervisory authority — please contact us through our website first.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. For material changes — for example, changes to the categories of data we collect, new uses of your data, or new sub-processors — we will provide at least 30 days' advance notice by email to the address associated with your account, and by posting a notice on our website.

The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you may close your account before the changes take effect.

17. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us through our website. Additional dedicated support channels are being established and will be made available as the Service develops.

We will make reasonable efforts to respond promptly to privacy-related enquiries, and to formal data subject access requests within the legally required timeframe of one calendar month.