Privacy & data

ClawMobile is built around demonstrations, and demonstrations are sensitive by nature. This page is the straight answer on what’s captured and how it’s handled.

What a recording contains

A demonstration trace can include:

• Screenshots of every step
• Touch coordinates (taps, swipes) from getevent
• App and window state (package + activity)
• Typed text — including passwords or codes entered during the demo

Caution

Treat a recording as if it contains secrets, because it can. Prefer logging into accounts outside of an active recording.

Privacy invariants

These are hard rules in the codebase, not aspirations:

• Recordings, logs, generated trace directories, API keys, and bot tokens never go into commits. .gitignore covers the artifact paths, and new artifact locations must be added in the same change.
• Recordings are opt-in in the hosted product. Nothing is uploaded unless you turn on demo collection in account settings.
• Sessions are isolated and ephemeral. Each runs in its own container with a per-session workspace; on end the workspace is wiped and the container destroyed.
• Skill sharing never exposes a recording. A share link is a presigned, time-limited URL to the generalized skill JSON only.

Where data lives

Data	Location	Lifetime
Live session workspace	Orchestrator node (/var/clawmobile/sessions/)	Until session end, then wiped
Induced skills	Cloudflare R2 (per-user prefix, versioned)	Until you delete them
Opt-in recordings	Cloudflare R2 (separate bucket)	Time-limited retention
Account + skill index	Cloudflare D1	Until account deletion

Credentials

API keys are stored hashed (bcrypt); the plaintext is shown once at generation. The agent never bakes ADB keys into images — they’re generated at boot and injected at container start.

Deleting your data

Use the danger zone in account settings to remove your account, which deletes your skills, index rows, and any opt-in recordings.