Legal

Data Processing Addendum

Last updated: March 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Nocodo LTD ("Processor", "we", "us"), a company registered in Cyprus, and you ("Controller", "Customer") for MyClaw services available at myclaw.to.

This DPA applies where and to the extent we process Personal Data on your behalf as a data processor in connection with the MyClaw platform. It reflects the parties' agreement on the processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR).

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the MyClaw platform.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, and any national implementing legislation.

"Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.

"Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.

3. Scope and Roles

Controller: You determine the purposes and means of processing Personal Data through your use of the MyClaw platform, including data processed by your AI agent instances and any conversations or interactions routed through those instances.

Processor: We process Personal Data solely on your behalf to provide the MyClaw managed hosting service, including provisioning and operating your AI agent instances on cloud infrastructure.

4. Details of Processing

4.1 Subject Matter

Provision of the MyClaw managed AI agent hosting platform.

4.2 Duration

Processing continues for the duration of your active subscription plus any retention period specified in our Privacy Policy.

4.3 Nature and Purpose

Hosting and operating AI agent instances, routing AI API requests (via OpenRouter or your own API keys), processing Telegram messages and other integrations as configured by you, and providing platform management features.

4.4 Categories of Data Subjects

End users of your AI agent instances (e.g., Telegram users interacting with your bots), and you as the account holder.

4.5 Types of Personal Data

Account information (name, email), AI conversation content processed through your instances, Telegram user IDs and messages (when Telegram integration is enabled), API keys provided by you, and any other data you configure your agent instances to process.

5. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by law to do otherwise.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS/HTTPS), encryption at rest for sensitive data (API keys, credentials), access controls and least-privilege principles, and regular security audits and dependency scanning.
  • Not engage a Sub-processor without your prior consent (see Section 7).
  • Assist you in fulfilling your obligations to respond to data subject requests.
  • Assist you in ensuring compliance with your obligations regarding security, breach notification, impact assessments, and consultation with supervisory authorities.
  • At your choice, delete or return all Personal Data upon termination of services, and delete existing copies unless required by law to retain them.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits.

6. Obligations of the Controller

You shall:

  • Ensure that you have a lawful basis for processing Personal Data through the MyClaw platform.
  • Provide any necessary notices to, and obtain any necessary consents from, data subjects whose data is processed through your AI agent instances.
  • Be responsible for the content and data processed by your agent instances, including any AI-generated responses.
  • Ensure that your instructions to us comply with applicable Data Protection Laws.

7. Sub-processors

You provide general authorization for us to engage the following Sub-processors. We will notify you of any changes to this list by updating this DPA and, where feasible, providing advance notice.

Sub-processor Purpose Location
Hetzner Cloud Infrastructure / VM hosting for agent instances EU (Germany, Finland)
OpenRouter AI API routing (when using included credits) United States
Creem.io Payment processing United States

Where a Sub-processor is located outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under applicable Data Protection Laws.

8. International Data Transfers

Your AI agent instances are hosted on Hetzner Cloud infrastructure within the EU. Account and billing data may be transferred to the United States through our Sub-processors (Creem.io, OpenRouter). Where such transfers occur, they are protected by Standard Contractual Clauses or other appropriate safeguards in compliance with GDPR Chapter V.

9. Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting data processed on your behalf. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under applicable Data Protection Laws (access, rectification, erasure, portability, restriction, objection). Where a data subject contacts us directly regarding your instance data, we will promptly redirect them to you.

11. Data Retention and Deletion

Upon termination of your subscription or deletion of an instance, all instance data (including AI conversations, configurations, and stored files) is permanently destroyed and cannot be recovered. Account data is retained as described in our Privacy Policy. You may request deletion of your account data at any time by contacting support@nocodo.tech.

12. Audit Rights

Upon reasonable notice and no more than once per year, you may request that we provide information necessary to demonstrate our compliance with this DPA. Such requests should be directed to support@nocodo.tech. We may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

14. Governing Law

This DPA is governed by the laws of the Republic of Cyprus, consistent with the Terms of Service.

15. Contact

For DPA-related questions, data subject requests, or to report a data breach, contact us at support@nocodo.tech.