Privacy Policy

Last updated: March 23, 2026

What Clawback is

Clawback is a Claude Code channel plugin that delivers webhook events and cron-scheduled prompts to your local Claude Code session. It consists of a hosted server and a local plugin.

What we collect

When you use Clawback, the server stores:

Account info — your GitHub user ID, email, and name (from GitHub OAuth)
Connection tokens — stored as SHA-256 hashes (the plaintext is shown once and never stored)
Webhook source configs — slug, verification type, event routing rules, and session tags
Webhook secrets — encrypted at rest with AES-256-GCM
Cron definitions — schedule, prompt, label, and session tag
Event records — webhook payloads and cron prompts as they pass through, with status and timestamps
Activity log — source, path, skill, summary, and timing for processed events

What we don't collect

We don't track your browsing or usage beyond what's listed above
We don't sell or share your data with third parties
We don't use your data for advertising
We don't store your GitHub access token (OAuth is used only for authentication)

How webhook data flows

When an external service sends a webhook, the payload passes through the Clawback server to your local Claude Code session. Event records are stored temporarily for delivery reliability — once acknowledged, the payload is retained only in the activity log summary (a short text string you provide).

Data retention

Event records and activity logs are retained indefinitely for your account. You can delete your account and all associated data by revoking your connection tokens and contacting us.

Security

All connections use TLS (WSS/HTTPS)
Webhook secrets are encrypted at rest (AES-256-GCM)
Connection tokens are hashed (SHA-256) before storage
OAuth sessions are signed with a server secret

Infrastructure

Clawback runs on Fly.io with a managed Postgres database. Data is stored in the United States (Dallas, TX region).

Contact

For questions about this policy, reach out via GitHub Issues.