Privacy Policy
Last updated: May 27, 2026
This Privacy Policy describes how Beach Platform LLC ("Beach," "we," "us," or "our"), a Tennessee limited liability company, collects, uses, and protects your information when you use our managed OpenClaw hosting platform ("Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
Account information
When you create an account, we collect your email address and password (hashed, never stored in plain text). If you sign up via a third-party OAuth provider (Google, GitHub), we receive your email address and display name from that provider.
Billing information
Payment processing is handled entirely by Stripe. We do not store your credit card number, expiration date, or CVC. Stripe provides us with a customer ID, subscription status, and billing history. See Stripe's Privacy Policy for how Stripe handles your payment data.
Instance and usage data
We collect and store:
- Instance metadata: instance ID, status, creation date, associated subdomain, cloud resource identifiers
- Instance events: provisioning steps, health checks, start/stop/terminate actions, backup history
- Usage patterns: login timestamps, page views within the dashboard (via server logs, not third-party analytics)
API keys and credentials you provide
To configure your OpenClaw instance, you may provide third-party API keys (such as LLM provider keys) and messaging channel credentials. These are encrypted at rest using AWS Key Management Service (KMS) and stored in AWS Systems Manager Parameter Store, scoped to your account via per-user IAM roles. We access these credentials only to configure your instance and never for any other purpose.
OpenClaw instance data
Your OpenClaw instance stores data on its own encrypted volume, including configuration files, conversation sessions, memory, and installed skills. This data resides on dedicated infrastructure provisioned for your account and is not shared with other users. We do not access, read, or analyze your instance data except when necessary to provide technical support at your request, diagnose infrastructure issues, or comply with legal obligations.
Affiliate program data (if you join)
If you sign up for the Beach Affiliate Program, we (and our affiliate platform Rewardful) additionally collect:
- Your name, email, country, and payout email (PayPal) — submitted by you in Rewardful's hosted signup form
- Tax form data on file with Rewardful: a completed W-9 (U.S.) or W-8BEN (non-U.S.) provided before your first payout. We use this solely to comply with IRS reporting obligations — including filing Form 1099-NEC for U.S. affiliates earning $600 or more in a calendar year — and do not use it for any other purpose
- Referral tracking metadata: the affiliate ID associated with your referrals, attribution events (clicks, signups, conversions), and commission balances, maintained by Rewardful
If you are a customer who signs up via an affiliate link, we (and Rewardful) record the referring affiliate ID against your account so that commissions can be paid correctly. Rewardful's referral cookie (see Cookies below) is set on your browser when you click an affiliate link.
Information we do not collect
We do not use third-party analytics, tracking pixels, or advertising networks. We do not sell, rent, or trade your personal information. We do not track you across other websites.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process payments and manage your subscription
- Send transactional emails: account verification, password resets, instance status notifications, trial and billing alerts
- Monitor infrastructure health and diagnose issues
- Enforce our Terms of Service and prevent abuse
- Respond to support requests
- Comply with legal obligations
We do not use your information for advertising, profiling, or automated decision-making.
3. Third-Party Services
We rely on the following third-party services to operate the platform. Each processes data on our behalf under their own privacy policies:
| Service | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, networking, secrets management | Instance data, API keys (encrypted), infrastructure logs |
| Supabase | Authentication, database | Email, hashed password, account metadata, instance records |
| Stripe | Payment processing | Email, payment method (handled by Stripe), billing history |
| Resend | Transactional email delivery | Email address, email content (notifications) |
| Railway | Application hosting (control plane) | Application logs, environment variables |
| Rewardful | Affiliate program platform (referral tracking, commission accounting, payout administration, tax form collection) — used only if you join the Beach Affiliate Program or arrive via an affiliate link | Affiliate: name, email, country, payout email, W-9/W-8BEN tax form. Referred customer: referring affiliate ID, attribution events |
| PayPal | Affiliate commission payouts (PayPal Mass Pay) — only if you are an enrolled affiliate receiving a payout | Affiliate payout email, commission amount |
4. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies | Session management and authentication (access token, refresh token) | Session / configurable expiry |
beach-gate | Launch gate access (pre-launch only, removed when the app goes public) | 30 days |
Rewardful referral cookie (rewardful.referral) | Affiliate-link attribution: when you click a Beach affiliate link, Rewardful records the referring affiliate ID so the affiliate can be credited if you subsequently subscribe. Loaded only on Beach marketing surfaces (set by r.wdfl.co/rw.js). No personal information is stored in the cookie itself | 60 days (last-touch attribution window) |
We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies. All cookies are either functional and necessary for the Service to operate, or (in the case of the Rewardful referral cookie) limited to affiliate-program attribution.
5. Data Security
We protect your data through multiple layers of security:
- Encryption in transit: All connections use TLS/HTTPS
- Encryption at rest: Instance volumes are encrypted using AWS EBS encryption. API keys and credentials are encrypted using AWS KMS
- Access isolation: Each instance runs on dedicated infrastructure with per-user IAM roles. Your credentials are inaccessible to other users
- Password security:Passwords are hashed using Supabase's bcrypt implementation and never stored in plain text
- Security headers: The application enforces HSTS, Content Security Policy, and other security headers
No system is perfectly secure. If you discover a security vulnerability, please report it to support@beachhost.io.
6. Data Retention
- Account data: Retained while your account is active. Upon account deletion, your personal data is removed within 30 days. Anonymized usage data may be retained for operational purposes.
- Instance data: Retained while your instance exists. After instance termination, data is deleted according to the schedule described in our Terms of Service. Backups are retained for up to 30 days after termination.
- Billing data: Retained as required by tax and accounting laws (typically 7 years for financial records).
- Server logs: Infrastructure logs are retained for 14 days for debugging purposes, then automatically deleted.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate information via your account settings
- Deletion: Request deletion of your account and associated data by contacting us at support@beachhost.io
- Data portability: Export your OpenClaw instance data while your instance is running
- Objection: Object to specific uses of your data by contacting us
We will respond to data rights requests within 30 days. Some data may be retained as required by law even after a deletion request.
8. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. International Data Transfers
The Service is hosted in the United States (AWS us-east-1 region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at support@beachhost.io.
Beach Platform LLC
Knoxville, Tennessee