MonoClaw - Your local AI secretary

PRIVACY POLICY

Effective Date: April 4, 2026

1. Introduction and Territorial Scope

1.1 This Privacy Policy explains how Sentimento Technologies Limited (“Sentimento”, “we”, “us”, “Data User” or “Data Processor” as context requires) collects, uses, stores, and protects personal data when you visit www.monoclaw.app (“Website”) or access the Client Dashboard (“Dashboard”). This Policy is incorporated by reference into the Master Configuration Services, Bailment and Software Licence Agreement and the Acceptable Use Policy.

1.2 Exclusive Service Model – Hong Kong SAR Only: While the Website is accessible globally for informational purposes, we exclusively provide Configuration Services, Bailment, and Software Licensing to bona fide residents of the Hong Kong Special Administrative Region (“HK SAR”) or companies duly incorporated under the Companies Ordinance (Cap. 622) with principal places of business within HK SAR.

1.3 Non-HK Visitors: For visitors accessing the Website from outside HK SAR who are ineligible for services, we process only minimal technical data necessary for: (a) website security; (b) export control compliance screening against Sanctions Lists; and (c) fraud prevention. No service data is collected from non-HK visitors.

1.4 Data Roles Under PDPO:

Data User (Controller): For website analytics, hardware diagnostic logs, device photographs, contract execution data (electronic signatures, IP addresses, audit trails, device fingerprints), sanctions screening records, and Sentimento’s business records.
Data Processor: For Client Account creation data (usernames, encrypted passwords) and Telegram Bot configuration data processed on behalf of our clients (who remain Data Users of their employee data). The terms of Schedule C (Data Processing Agreement) of the Master Agreement govern such processing.

2. Data We Collect

2.1 Authentication and Identity Data:

Google SSO: Google OAuth 2.0 tokens (sub claim), email verification status, session data. We do not store Google passwords.
Native Signing System (NSS): For contract execution, we collect: IP address (HKST timestamped), device fingerprint (browser type, OS, screen resolution), geolocation (city-level), Google SSO unique identifier (sub claim), session duration, and time spent on signature page. These are stored in immutable WORM storage with SHA-256 hashing for non-repudiation (Clause 1.4, Master Agreement).
Identity Verification:

Individuals: HKID number (last 4 digits only), full legal name, Hong Kong residential address, Hong Kong mobile number;
Entities: Business Registration Certificate number, company name, registered HK address, beneficial ownership information (required for sanctions screening against OFAC SDN List, EU Consolidated List, UN Security Council Consolidated List).

2.2 Telegram Bot Configuration Data:

Telegram Username: Immutable unique identifier (whitelisted for Mona bot access per Clause 4.9). Critical: Changing your Telegram username after submission invalidates the whitelist and requires new Configuration Services at prevailing rates.
Bot Token: Securely transmitted during On-boarding for MonoClaw integration (processed as Strictly Confidential Information).

2.3 Transaction and Financial Data:

Apple Orders: Order Confirmation Numbers, hardware serial numbers, MAC addresses, model specifications;
Payments: Stripe transaction IDs, payment confirmation tokens. We do not store credit card numbers (processed by Stripe Inc.);
OpenRouter API Keys: Temporary processing during Configuration Period only (see Section 4.6 below).

2.4 Technical and Diagnostic Data:

Hardware Diagnostics: Diagnostic logs, photographic evidence of device condition/seal application, serial number verification (stored via Supabase in Singapore);
Technical Metadata: IP addresses (screened for sanctioned territories), device fingerprints, timestamps (HKST, NTP-synchronised), session duration, geolocation data (for export control compliance and geoblocking enforcement).

2.5 Professional Credentials (Tier 1 Tools): For Clients accessing regulated sector Tools (Legal, Medical, Accounting, Immigration): practising certificates, professional indemnity insurance certificates, supervisory confirmations (retained for Agreement duration + 6 years per Clause 4.6, Master Agreement).

2.6 Export Control and Sanctions Data:

Sanctions screening results, beneficial ownership verification records, Military End User status verification (retained for 5 years minimum per regulatory requirements).

3. Legal Basis for Processing

3.1 HK SAR Clients (PDPO):

Performance of Contract: To execute the Master Agreement, provide Configuration Services, bailment, and software licensing;
Legal Compliance: To comply with the Gatekeeper Protocol, export controls (Cap. 60), sanctions screening obligations, and the Prevention and Control of Disease Ordinance (Cap. 599) where applicable;
Legitimate Interests: Fraud prevention, network security, enforcement of HK-only service restrictions, and prevention of prohibited dual-use technology transfers.

3.2 Non-HK Visitors (GDPR Article 49 Derogations):

For EU/EEA/UK visitors browsing the site but ineligible for services, we rely on:

Article 49(1)(d): Processing necessary for important reasons of public interest (export control compliance, sanctions prevention, and cybersecurity);
Article 49(1)(b): Processing necessary for the performance of a contract (if you proceed to sign up and verify HK eligibility).

3.3 CCPA (California): We do not “sell” personal information. We process minimal data for security, compliance, and fraud prevention only.

4. Use of Data

Service Delivery and Bailment: Authenticating Dashboard access, processing orders, executing electronic signatures via the Native Signing System, performing hardware diagnostics, and managing bailment of Client Hardware;
Telegram Integration: Configuring the Mona bot system with Client-provided Bot Tokens and whitelisting immutable Telegram usernames (Clause 4.9);
Export Control Compliance: Screening against OFAC SDN List, EU Consolidated List, UN Sanctions to prevent prohibited users from accessing dual-use AI technology;
Security & Audit: Maintaining immutable audit trails (SHA-256 hashing, WORM storage) for contractual non-repudiation (Clause 1.5, Master Agreement);
Dashboard Notifications: All contractual notices, billing communications, and legal correspondence are posted exclusively to the Dashboard (Clause 11.6, Master Agreement). Processing of notification data is essential for contract performance;
OpenRouter API Configuration: Temporary processing of API keys solely during the Configuration Period (Clause 4.6).

5. The “No Remote Control” Architecture and Post-Delivery Data Processing

5.1 Local-Only Operation:

Per Schedule B, Section 2.2 of the Master Agreement, MonoClaw and the Skills Library comprise purely local software installed on Client Hardware. Post-delivery, the software operates entirely offline (except for optional API calls initiated by Client via OpenRouter) and does not communicate with Sentimento’s servers.

5.2 No Post-Delivery Processing:

Upon delivery of configured Client Hardware and deletion of diagnostic logs (per retention schedules below), Sentimento cannot and does not: monitor Client usage; view content processed by the Skills; update, patch, or modify the Skills; restrict access; or retrieve locally stored data. Client bears exclusive responsibility for data security post-delivery (Clause 8.6, Master Agreement).

6. International Data Transfers

We transfer data to the following jurisdictions under the safeguards indicated:

Destination	Purpose	Safeguard
Singapore	Supabase database hosting (hardware diagnostic logs, metadata, photographic evidence)	Standard Contractual Clauses (SCCs)
United States	Stripe (payment processing), Google LLC (SSO authentication), OpenRouter Inc. (API routing configuration)	SCCs and respective vendor certifications; contractual commitments per Schedule E
People’s Republic of China	Downloading model weights (Alibaba Cloud, Zhipu AI, DeepSeek) – only where Client selects such models via Order Form	SCCs and contractual commitments per Schedule E
EU/UK	Incidental processing of visitor IP addresses for security screening	Article 49 derogations (public interest/security)

We do not transfer personal data to jurisdictions lacking adequate protection except as necessary for export control compliance or with appropriate safeguards (SCCs).

7. Data Retention

We retain personal data only for the periods necessary to fulfill the purposes outlined above, or as required by law:

Data Category	Retention Period	Legal Basis
Hardware logs/photographs	1 year from delivery date, then permanent deletion (Clause 6.3(a), Master Agreement)	Latent defect claims support
Contract execution data (signatures, audit trails, NSS records)	7 years from execution (or longer if required by limitation periods) (Schedule C, Section 8(b))	Legal proceedings/evidence
Account creation data	Deleted within 30 days of contract termination, unless legal proceedings require retention (Clause 6.3(c))	PDPO minimisation principle
Sanctions screening records	5 years minimum (regulatory requirement)	Export control compliance
Failed registration attempts (non-HK)	90 days then deletion	Security/fraud prevention
OpenRouter API keys	Deleted within 24 hours of final payment confirmation (Clause 4.6(e), Master Agreement)	Contractual obligation
Client Telegram usernames	Duration of Agreement + 6 years (if associated with professional credentials) or duration of Agreement (standard)	Contract performance

8. Your Rights

8.1 PDPO Rights (HK SAR):

You may request access to and correction of your personal data under the PDPO. A reasonable fee may be charged for access requests. To exercise rights: Submit requests via the Dashboard secure messaging system (Clause 11.6). We respond within 30 days.

8.2 GDPR Rights (EU Visitors):

Subject to Article 49 derogations, you may request erasure of browsing data. You have no right to data portability for service data as we cannot provide services outside HK SAR.

8.3 CCPA Rights (California):

You may request disclosure of categories of personal information collected (minimal) and request deletion (subject to sanctions screening retention requirements).

8.4 Dashboard Access:

You must check the Dashboard at least once every Business Day during the Configuration Period, and at least once per calendar week thereafter (Clause 11.6(c)). Failure to monitor the Dashboard does not extend statutory response deadlines.

9. Security Measures

Encryption: Passwords hashed using bcrypt/Argon2; TLS 1.3 for transmission; AES-256 for data at rest;
Audit Trails: Immutable WORM storage for signed contracts and audit logs (Clause 1.5, Master Agreement);
Access Controls: Role-based access limited to essential personnel only;
Geoblocking: IP-based restrictions for sanctioned territories (Cuba, Iran, North Korea, Syria, Crimea);
Secure Deletion: API keys and temporary configuration data destroyed using secure data destruction methods ensuring no recoverable remnant (Clause 4.6(e)).

10. Third-Party Processors

Processor	Purpose	Jurisdiction	Terms
Google LLC	SSO authentication; Dashboard access	United States	Google Privacy Policy
Stripe Inc.	Payment processing; PCI-DSS compliance	United States	Stripe Privacy Policy
Supabase Inc.	Database hosting (diagnostic logs, metadata)	United States (Singapore data center)	Supabase Privacy Policy; SCCs executed
OpenRouter Inc.	API routing configuration (temporary)	United States	OpenRouter Terms
Apple Inc.	Hardware manufacturing; macOS licensing	United States	Apple Privacy Policy

We are not responsible for third-party privacy practices (Clause 7.2, Master Agreement). Client enters into direct legal relationships with these providers per Schedule E.

11. Changes to this Policy

We may update this Policy by posting changes to the Dashboard. Material changes regarding data use will be notified via Dashboard urgent notice (Clause 11.6). Continued use constitutes acceptance. For active Orders, the Policy version current at the Order date governs unless otherwise agreed.

12. Contact and Complaints

For data protection inquiries or to exercise your rights under the PDPO:

Method: Dashboard secure messaging system (exclusively)

Response Time: 30 days

For complaints under the PDPO, you may contact the Office of the Privacy Commissioner for Personal Data, Hong Kong.