Privacy Policy

Effective Date: 18 May 2026

1. Introduction

Endor Software Inc. (“Endor”, “we”, “us”, or “our”) respects your privacy. This Privacy Policy describes the personal data we collect, how we use and share it, and the choices and rights available to you when you use the holaclaw.ai website (the “Website”) and the HolaClaw desktop application (the “Software”), together referred to as the “Services”. For more information about how we use cookies and similar technologies on the Website, please see our Cookie Policy.

For purposes of applicable data protection laws, Endor Software Inc. is the controller of the personal data described in this Privacy Policy.

HolaClaw is designed as a local manager for AI assistants. By design, prompts you send to AI providers, assistant responses, source code, files you access, and most application data remain on your device unless you choose to send them to a third-party AI provider.

The End User License Agreement applicable to the Software is published separately and governs your use of the Software in addition to this Privacy Policy.

If you have any questions about this Privacy Policy, please contact us at privacy@endor.dev.

2. Personal Data We Collect

We collect personal data both when you provide it to us directly and automatically as you use the Services.

We may use third-party web and software analytics services on the Services, such as those of PostHog.

2.1 Personal Data You Provide to Us

When you contact us, join a waitlist, participate in community channels, submit feedback, or otherwise communicate with us, you may provide your name, email address, messages, screenshots, logs, diagnostic information, and any other information you choose to provide.

Please do not send us credentials, API keys, secrets, private file contents, or other sensitive information.

2.2 Personal Data We Collect Through the Website

When you visit the Website, we may collect the following information, depending on your privacy and cookie choices:

  • Usage Information, such as the pages you view, the links you click, the order in which you navigate the Website, the date and duration of your visit, and the referring website or campaign that brought you to the Website;
  • Device Information, such as your browser type and version, operating system, device type, language preferences, and screen size; and
  • Approximate Location Information, such as country, region, or city, derived from your IP address. We use the IP address only to derive approximate location and do not store the IP address after that processing.

We may use analytics tools, including interaction analytics features, to better understand how visitors use and interact with the Website. These tools help us improve functionality, performance, reliability, and the overall user experience. We configure these tools to avoid collecting sensitive information where reasonably possible.

Website analytics operate in a cookieless or anonymous mode by default. If you opt in through the cookie banner, we may also use analytics cookies or similar technologies to improve our understanding of how visitors use the Website.

For more information about cookies and similar technologies used on the Website, including how to manage your preferences, please see our Cookie Policy.

2.3 Personal Data We Collect Through the Software

Software telemetry, including crash reports, is enabled by default. You can disable telemetry during onboarding or later in the Software’s preferences. Disabling telemetry stops further collection of telemetry and crash reports.

When telemetry is enabled, we collect:

  • Usage Information describing how the Software is used, such as which features you interact with and events related to installation, configuration, updates, virtual machine management, skills, and general Software usage;
  • Device Information, such as the operating system, processor architecture, and version of the Software;
  • Diagnostic Information, such as error indicators, crash reports, stack traces, error messages, and performance measurements generated by the Software; and
  • A random identifier generated by the Software so we can understand usage and errors across app sessions. This identifier is not derived from your hardware identifiers and is not intended to identify you directly.

Telemetry events may include information about installation, configuration, updates, feature usage, asset downloads, Software lifecycle events, and interactions with functionality within the Software.

The Software may contact our servers or service providers to check for updates, download new versions, download required assets such as virtual machine disks, send telemetry when enabled, and submit crash reports when telemetry is enabled.

We design telemetry and crash reports to avoid collecting prompts, assistant responses, source code, file contents, credentials, API keys, environment variables, and custom assistant configuration contents. However, crash reports may include technical details such as stack traces, error messages, feature names, file names, or file paths if those details are generated as part of an error. We take steps to minimize this information.

3. How We Use Personal Data

We use the personal data we collect for the following purposes:

  • To operate and improve the Services: providing the functionality of the Website and the Software, diagnosing and resolving technical issues, improving performance and reliability, delivering updates and assets, and developing new features based on how the Services are used;
  • To communicate with you: responding to your inquiries, participating in community discussions, and replying to your correspondence;
  • To secure the Services: detecting and preventing abuse, misuse, fraud, and security threats, and protecting the integrity of the Services;
  • To understand usage: analyzing how the Services are used to measure performance and inform product decisions; and
  • To meet legal obligations: complying with applicable laws, regulations, legal process, and enforcing our agreements.

4. Legal Bases for Processing European Personal Data

If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, we only process your personal data where we have a valid legal basis to do so.

We rely on your consent when we set non-essential cookies and similar technologies on the Website, and for any other processing for which we have asked you to give your consent. You may withdraw your consent at any time, and your withdrawal will not affect the lawfulness of processing carried out prior to the withdrawal.

We rely on our legitimate interests to operate, maintain, and improve the Services. Specifically, we have a legitimate interest in understanding how the Services are used, improving existing features, developing new features, diagnosing and resolving technical issues, delivering Software updates and assets, and protecting the security and integrity of the Services. We only rely on our legitimate interests where they are not overridden by your rights and freedoms.

We rely on performance of a contract where we have entered into an agreement with you and processing is necessary to perform it, and on compliance with legal obligations where processing is necessary to comply with a legal obligation to which we are subject.

5. How We Disclose Personal Data

We may share personal data in the following circumstances:

  • Service providers. With service providers that process personal data on our behalf and in accordance with our instructions. As of the effective date of this Privacy Policy, we use PostHog for analytics, interaction analytics features, telemetry, and crash reporting, and Cloudflare for hosting, storage, content delivery, and certain infrastructure and traffic routing functions used to operate the Services. These providers may process technical usage information, device information, and diagnostic information on our behalf in connection with operating and improving the Services.
  • Legal and safety reasons. Where we believe in good faith that doing so is required or permitted by applicable law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Endor, our users, or others.
  • Corporate transactions. In connection with a merger, acquisition, reorganization, sale of assets, or other corporate transaction.

Some service providers we use to operate our business, such as hosting, storage, content delivery, email, productivity, development, community, or AI-related service providers, may process personal data outside the EEA, the UK, or Switzerland. In some cases, technical usage or analytics-related data may be transmitted through infrastructure providers that support the delivery and operation of the Services. Where required, we rely on appropriate transfer mechanisms, such as the European Commission’s Standard Contractual Clauses or other legally recognized safeguards.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

6. Your Choices

You can manage your Website cookie preferences at any time using the cookie banner or by clicking Cookie settings in the footer of the Website. For more information about cookies and similar technologies used on the Website, please see our Cookie Policy.

If you do not opt in to analytics cookies, certain limited privacy-preserving analytics may continue operating without analytics cookies where permitted by applicable law. Analytics features that require consent are enabled only after consent has been provided.

You can disable Software telemetry, including crash reports, during onboarding or at any time from within the Software’s preferences.

You can ask us to stop contacting you by emailing us at privacy@endor.dev.

7. Your Privacy Rights

Subject to applicable law, you may have the right to:

  • access the personal data we hold about you;
  • request that inaccurate personal data be corrected;
  • request that your personal data be deleted;
  • restrict or object to our processing of your personal data;
  • receive the personal data you have provided to us in a portable format; and
  • withdraw any consent you have previously given.

To exercise any of these rights, please contact us at privacy@endor.dev. We will respond to your request as required by applicable law and may need to verify your identity before acting on it.

You also have the right to complain to a Data Protection Authority about our collection and use of your personal data. For more information, please contact your local Data Protection Authority in the EEA or the UK.

8. U.S. State Privacy Rights

If you are a resident of a U.S. state with an applicable comprehensive privacy law, you may have the right, subject to applicable law and verification of your identity, to:

  • know what personal information we have collected about you;
  • request deletion or correction of that information; and
  • opt out of the sale or sharing of your personal information.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

Where required by applicable law, you may also have the right to appeal our decision regarding your privacy request.

To exercise any of these rights, contact us at privacy@endor.dev.

9. Third Parties

The Website and the Software may contain links to, or allow you to connect with, third-party websites, services, communities, or AI providers. Those third parties operate under their own privacy notices and terms, and we are not responsible for their privacy practices.

The Software allows you to configure an AI provider during onboarding. You may use your own API key, your own subscription, OpenRouter, another compatible provider, or a local model.

When you choose a third-party AI provider, prompts, assistant responses, and related content may be sent directly from your device to that provider as necessary for the provider to operate the model. Those providers process your information under their own privacy notices and terms.

If you use OpenRouter or another routing provider, your requests may be processed by one or more underlying model providers selected through that service.

We may provide community spaces, such as Discord servers, where users can discuss the Software and help each other. Endor team members or other users may participate in those communities, but they are not official support channels. If you post messages, screenshots, logs, or other information in those communities, that information may be visible to other community members and processed by the platform under its own privacy notice.

10. Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

We determine retention periods based on the type of information involved, the purposes for which it is processed, our relationship with you, operational and security needs, and applicable legal requirements.

Website analytics, Software telemetry, diagnostic information, and personal data you provide through email, forms, or community participation are retained only for as long as reasonably necessary for those purposes. When such information is no longer needed, we delete, aggregate, anonymize, or de-identify it where appropriate.

11. Security

We use reasonable technical and organizational measures designed to protect personal data, including transmission over HTTPS, data minimization practices, restricted access controls, and infrastructure security measures.

We configure certain analytics and diagnostic tools to minimize the collection of personal data and, where appropriate, exclude or mask sensitive information.

No system is fully secure, however, and we cannot guarantee absolute security.

If we become aware of a personal data breach affecting your personal data, we will notify you and/or the relevant authorities where required by applicable law.

12. Children’s Privacy

The Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children under the age of 16.

If you believe that a child has provided personal data to us, please contact us at privacy@endor.dev and we will take appropriate steps to delete it.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and revise the effective date at the top.

14. Contact

If you have any questions about this Privacy Policy or our handling of personal data, please contact us at:

Endor Software Inc.
Email: privacy@endor.dev