Privacy Policy
Effective date: 2026-01-01
1. Information We Collect
When you sign in with Google, we receive the following information from Google:
- Your name
- Your email address
- Your profile picture URL
We do not store this information on our servers. It is held only in a short-lived, HTTP-only session cookie in your browser for the duration of your session.
2. How We Use Your Information
We use the information solely to:
- Authenticate you and maintain your session while you use the Service.
- Display your name and profile picture within the Service.
We do not use your information for advertising, profiling, or any other purpose.
3. Cookies
We use two cookies:
- oauth_state – a short-lived (10-minute) cookie used to prevent CSRF attacks during the OAuth login flow. It is deleted immediately after login.
- session – a 24-hour HTTP-only cookie that stores your name, email, and profile picture for the current session.
4. Data Sharing
We do not sell, trade, or otherwise transfer your personal information to any third parties. We do not share your information with Google beyond what is necessary to perform the OAuth authentication flow.
5. Data Retention
Because we do not persist your data to a database, your information is automatically removed when your session cookie expires (within 24 hours) or when you sign out.
6. Security
Session cookies are set with HttpOnly and SameSite=Lax flags to mitigate XSS and CSRF attacks. In production the Secure flag should be enabled so cookies are only transmitted over HTTPS.
7. Your Rights
You may sign out at any time by visiting /auth/logout, which immediately removes all session data from your browser.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date.
9. Contact
If you have questions about this Privacy Policy, please contact [email protected] or open an issue at github.com/modster/openclaw.