Last updated: May 2026 · GDPR + UK GDPR + CCPA compliant

Privacy Policy

VirginClaw.App (“we”, “us”) respects your privacy. This policy explains what personal data we collect, why, who it's shared with, your rights under GDPR / UK GDPR / CCPA, and how to contact us.

Data Controller

VirginAI / VirginClaw.App acts as the Data Controller for personal data collected through this site. For EU/UK residents, you may contact our Data Protection Contact at privacy@virginai.shop.

What we collect

  • Account data — email address (for magic-link sign-in), optional name
  • Purchase data — products bought, dates, PayPal transaction IDs. We never store card numbers.
  • License keys — generated by us upon purchase, stored to verify your downloads
  • Usage data (with consent) — anonymized analytics: which pages, browser, country. Consent-gated via cookie banner.
  • Support communications — emails, WhatsApp messages you initiate (only what you send)

What we don't collect

  • Credit card numbers (handled entirely by PayPal — they never touch our servers)
  • Data the skills process on your machine. Skills run locally in your Claude Code with your own API keys. We never see your prompts, outputs, or customer data.
  • Tracking cookies for advertising or retargeting. Our cookies are session-only (auth) or analytics-only (consent-gated).

Lawful basis (GDPR Art. 6)

  • Contract — to deliver the product/service you purchased (license, downloads, support)
  • Consent — for analytics cookies (you can withdraw via the cookie banner)
  • Legal obligation — to retain transaction records for tax/accounting (typically 7 years)
  • Legitimate interest — to prevent fraud and ensure the security of the platform

Sub-processors (third parties we share data with)

We share minimum-necessary data with these processors. Each is GDPR-compliant.

  • Vercel (hosting + analytics) — US-based, EU data centers available
  • Supabase (auth + database) — EU/US-hosted, SOC 2
  • PayPal (payment processor) — handles all card and bank transactions; PCI-DSS compliant
  • Resend (transactional email) — EU/US
  • ElevenLabs (voice agent, when activated) — voice AI

International data transfers

Some of our processors are based outside the EEA. Where data is transferred outside the EEA / UK, we rely on EU Commission–approved Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Agreements as the lawful transfer mechanism.

Your rights under GDPR / UK GDPR

You have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure (“right to be forgotten”) — request deletion of your data
  • Portability — receive your data in a machine-readable format
  • Restriction — pause processing while a complaint is investigated
  • Object — to processing based on legitimate interest
  • Withdraw consent — at any time, where processing is based on consent
  • Lodge a complaint — with your local data protection authority

To exercise any right, email privacy@virginai.shop. We respond within 30 days as required by GDPR.

Retention period

  • Account data — until you request deletion or 3 years of inactivity (whichever first)
  • Purchase records — 7 years (legal/tax requirement)
  • Support communications — 2 years
  • Analytics data — 14 months (Vercel default)

CCPA (California)

California residents have additional rights including the right to know what personal information is collected, to delete it, to opt-out of “sale” of personal information (we don't sell), and to non-discrimination for exercising rights.

Updates

When this policy changes materially, we email all active users. Trivial wording fixes don't trigger notifications. Last update timestamp at the top of this page.

Contact

Privacy questions: privacy@virginai.shop
General: hello@virginai.shop
WhatsApp: + message us