Privacy Policy
This policy explains how Clanker Cloud handles account, billing, analytics, social sign-in, and related service data. Version 2026-07-14.
2026-07-14
This policy applies to Clanker Cloud accounts, desktop downloads, optional supporter billing, analytics cookies, and related hosted services.
Who we are and our role
Clanker Cloud is a product of Nov 1337 Labs, Inc. We are a controller for account administration, website, security, support, and business records. When we process customer content on a business customer’s documented instructions through Standard hosted inference, sandboxes, the remote relay, or a contracted protected service, the applicable service agreement and executed Data Processing Addendum must define our processor or service-provider role and the customer’s instructions. Publishing this policy does not mean that a DPA, BAA, CJIS agreement, certification, or protected environment already exists for any customer.
Account and service data we collect
We collect the information needed to operate Clanker Cloud: email or username, display name, password hash or linked OAuth metadata, session and security metadata, account tier, transaction references, selected region, the yes-or-no sensitive-data onboarding answer, protection status, device enrollment and remote-action metadata, support communications, and waitlist email, optional name or message, and submission metadata. We do not ask which profession, case, patient, investigation, or regulated-data category is involved in the onboarding answer.
Hosted prompts, responses, and diagnostics
The control plane does not retain hosted prompt or response content by default. If an authorized user explicitly submits feedback or enables content diagnostics, that submitted content may be retained for no more than 30 days and then deleted. Security and action audit metadata excludes prompt and response payloads by default. Customer-specific protected orders may set a shorter or different documented retention policy.
Purposes and legal bases
We process data to perform the service contract and requested actions; protect accounts, users, and infrastructure under our legitimate interests and corresponding customer interests; meet legal obligations; and, for optional analytics or other consent-based features, based on consent. You may withdraw analytics consent at any time without affecting earlier lawful processing. The sensitive-data answer recommends an infrastructure boundary; it is not used to inspect or restrict the substance of your work.
Connected infrastructure and credentials
Clanker Cloud is designed to keep cloud credentials and infrastructure control local-first. Credentials and operational context should remain on your machine unless you explicitly submit data to our hosted services or support channels. Desktop workspace and chat content is stored in local application files and SQLite and is not application-level encrypted today. Organizations handling regulated data must enforce managed full-disk encryption, device access, backup, recovery, and wipe controls on approved endpoints.
Current subprocessors and service providers
Current providers include Cloudflare for website delivery, the Worker proxy, Workers AI voice transcription and speech, and the shared Standard sandbox service; Supabase for the website waitlist; Google Cloud for the Standard account control plane, Cloud SQL remote relay, hosted-inference transport, legacy GCP runtime or state where applicable, and future contracted protected runtimes; Google Gemini Developer API for Standard hosted inference; Google and GitHub for optional social sign-in; Google Analytics only after opt-in; Stripe for payments; and the customer’s selected infrastructure or model providers when explicitly connected. See the public Subprocessor and Transfer Register for purposes, data categories, and boundary details. A protected order identifies the approved subset, locations, support access, and replacement process.
Web-to-desktop remote control
When you enable web access to an enrolled Secretary or Cerebro desktop, the relay temporarily processes the instruction, enrolled instance identifier, response, status, actor, and limited diagnostics. Requests stop being accessible after their two-minute expiry; physical cleanup follows the once-per-minute cleanup cycle. Response content is removed after delivery, while orphaned terminal rows become cleanup-eligible after one hour. Security and action audit metadata contains no instruction or response payload by default and is retained for 90 days unless a protected customer contract sets another period. Protected and sovereign accounts currently reject remote relay use.
Analytics and cookies
Google Analytics is not loaded before you opt in and is never loaded on the authenticated portal origin or sensitive account, Secretary, Cerebro, sandbox, or portal routes. If you accept analytics on the public website, Google may use cookies and process pages viewed, approximate location, device and browser signals, and interaction timing. Funnel analytics excludes raw backend errors, prompts, responses, credentials, and remote instructions. You can decline or withdraw from Cookie settings at any time. YouTube videos are click-to-load from youtube-nocookie.com; the page warns before loading because Google/YouTube will then receive network and device information.
Retention schedule and deletion
Account profile and authentication records are kept while the account exists and removed from live systems promptly after verified account deletion. The database currently retains 14 successful automated backups, normally about 14 days at the daily schedule. The seven-day soft-delete recovery window applies only to deleted Google Cloud Storage object generations. Cloudflare R2 sandbox objects are deleted directly and are not recoverable after deletion. Manual backups, outages, legal holds, and provider recovery behavior can change the final deletion date and are handled under the applicable contract. These recovery copies are not used for analytics or restored except for disaster recovery or legal necessity. Waitlist entries are kept until launch outreach is complete, the person asks us to remove the entry, or the entry is no longer needed. Opt-in diagnostic content is retained for at most 30 days. Application action and security audit metadata is retained for 90 days by default. Separately, restricted cloud-provider administrative and data-access audit logs are retained for 365 days as security and compliance evidence. The application does not intentionally add prompt or response bodies to those audit records, but provider-generated fields depend on the enabled service and are reviewed as part of protected onboarding; the records may contain account, caller, or resource identifiers. Remote payload retention is described above. Transaction, tax, dispute, legal-hold, or fraud-prevention records may be retained separately for the period required by applicable law; access is restricted and they are not used for product analytics.
Your privacy rights
Depending on applicable law, you may request access, correction, deletion, restriction, objection, and portability; withdraw consent; and complain to your local data-protection authority. You can also update region and data settings, disable remote desktop access, revoke analytics consent, and delete the account. We may verify identity and may decline or limit a request only where law permits or requires it.
International transfers and regional boundaries
Standard is a shared global service and the account region is not a residency guarantee. Providers may process data in other countries under their applicable transfer mechanisms. For protected customers, the signed order and DPA identify the approved region, subprocessors, transfer mechanism such as applicable Standard Contractual Clauses, encryption and support-access controls. A plan purchase or region selector alone does not establish this boundary.
Data Processing Addendum and protected orders
A business customer acting as controller must execute an applicable DPA with us before submitting personal data to any hosted Clanker Cloud feature. A DPA applies only when signed by authorized parties; this policy does not create one. A business associate agreement, CJIS agreement, data-residency commitment, service level, government control schedule, or other regulated-data commitment additionally requires signed terms and an associated protected environment marked active. Until those requirements are met, Standard terms apply and personal, sensitive, or regulated data covered by the missing agreement must not be submitted to hosted workflows. Contact us before procurement to review the required documents and provider eligibility.
Security and incident contact
We use access controls, encryption in transit, protected session cookies, scoped device identifiers, retention controls, and provider security features appropriate to the configured service. No system is risk-free. Protected customer incident-notification timelines and cooperation duties are defined in the signed DPA or order. Report a suspected privacy or security incident to the contact below without including secrets or affected payload content in the first message.
Policy updates
We may update this policy over time. We will publish the revised version and effective date here. If a material change requires renewed consent or contract notice, we will request it through the account or the customer’s contractual contact rather than treating silence as consent.
Questions about privacy
Contact support@novlabs.ai for privacy requests, security reports, a DPA, the current subprocessor schedule, or procurement review. Include only the account identifier and request type in the first message; do not email sensitive payloads.
