Privacy Policy

Last updated: 2026-05-16

This Privacy Policy describes how p2claw ("we," "us," or "our") collects, uses, and discloses information about you in connection with the p2claw website at p2claw.com, the p2claw agent and command-line tools, and any related services we provide (collectively, the "Services"). By using the Services, you agree to this Policy.

A few terms used below

The agent. The p2claw program you run on your own machine. It registers your machine and accepts incoming traffic for the apps you publish.
Your alias. The short label that identifies your machine on the network — for example, blue-otter-7392. The full URL a visitor types looks like app-blue-otter-7392.p2claw.com. Aliases are not reassigned, even after a peer is deleted or revoked.

1. Information we collect

1.1 Information you provide directly

The Services do not require you to create an account or provide a name, email address, or payment information. If you choose to contact us (for example, by emailing us about a privacy request), we will collect the contact details and message contents you send. If we offer paid plans in the future, we will collect the information needed to deliver and bill those plans, as described at the relevant signup flow.

1.2 Information we collect automatically

When you use the Services, we automatically collect certain information, which may include:

Identifiers we issue. When the p2claw agent registers with our coordination service, we issue and store an identifier consisting of your peer's public-key fingerprint and a short human-readable alias. The corresponding private key is generated locally on your device and never transmitted to us.
Connection and device information. Our servers receive standard network and request information when you or your visitors interact with the Services, including IP addresses, timestamps, request paths and methods, response codes, byte counts, user-agent strings, and similar diagnostic data.
Service-usage information. We record the names of routes you publish through the agent, the network addresses your agent advertises so peers can reach you, and aggregate metrics about Service usage.
Cookies and similar technologies. The marketing site at p2claw.com may use cookies, web beacons, or similar technologies for purposes such as remembering preferences, measuring traffic, and security. See "Cookies and tracking technologies" below for details and choices.

1.3 What we see, and what we don't

Most traffic between visitors and the apps you publish flows directly between their device and your machine, encrypted in a way we cannot read. We see that the connection happened — when, between which addresses, and how many bytes flowed — but not the request or response contents.

Some inbound traffic cannot use that direct path — for example, webhooks from third-party services, requests from tools that don't have p2claw installed, and other cases where data is routed directly through our edge. In those cases we accept the public HTTPS connection and forward the bytes to your machine over a fresh encrypted connection. During that forwarding window we receive the request and response in plaintext. In the ordinary course, our edge does not log or persistently store request or response bodies. We may retain bytes briefly to investigate suspected abuse or to comply with legal obligations.

When a direct connection between a visitor and your machine is prevented by an unusually restrictive network in between, the connection falls back to a relay run by a third party. The relay sees encrypted bytes, byte counts, and the IP addresses involved, but cannot read the contents.

Whichever path a request takes, we always see:

The alias being addressed. It is part of the URL itself.
The time of the request and the byte counts in either direction.

1.4 If you use a p2claw app that requires sign-in

Some apps published through p2claw require visitors to sign in. For those, we operate an OAuth broker at oauth.p2claw.com that federates to upstream identity providers (such as GitHub) when you sign in to an auth-gated app. The provider you choose sees the standard OAuth scopes p2claw requests; p2claw sees what the provider returns about you. The broker is only in the request path when an app has explicitly enabled sign-in; apps that don't require sign-in never involve the broker at all.

When you sign in through the broker, the broker sees:

Your identity from the provider you chose to sign in with — your verified email address, an internal provider user ID, and (if the provider supplies them) your display name and avatar image URL.
Which app and which machine you are signing in to. The broker has to know which app's session token to mint.
Your IP address at the time you sign in, in the same standard server log we keep for our other services (see "What we see, and what we don't" above).

After it mints your session token, the broker is out of the path. The token is delivered to your browser as a cookie scoped to the app you signed in to. The broker does not see anything you do in the app after that point.

The broker does not keep upstream access tokens or refresh tokens from the provider you signed in with. It reads the profile fields it needs, mints the session token, and discards the upstream token. We do not have ongoing access to your provider account on your behalf.

The app you signed in to — running on its host's hardware, not ours — receives the identity fields it needs (your email, display name, etc.) as request headers handed to it by the p2claw daemon on the host's machine. The session token itself stays out of the app's reach.

2. How we use information

We use the information we collect to:

Operate, maintain, secure, and improve the Services (performance of a contract; legitimate interests);
Authenticate your peer, route traffic to it, and enable peers to discover and connect to one another (performance of a contract);
Detect, investigate, and respond to security incidents, abuse, fraud, and violations of our Acceptable Use policies (legitimate interests; legal obligation);
Communicate with you in response to inquiries you send (legitimate interests);
Comply with legal obligations and enforce our terms (legal obligation; legitimate interests); and
Analyze and improve Service performance, including producing de-identified or aggregated insights (legitimate interests).

3. How we disclose information

3.1 Service providers

We share information with third parties who provide services on our behalf, subject to obligations consistent with this Policy. Categories include providers of hosting and content delivery, DNS resolution, peer-relay infrastructure, customer support, analytics, security and fraud prevention, and (if and when paid plans launch) payment processing.

Where the network does not permit a direct peer-to-peer path, traffic between a visitor and your machine may be routed through a third-party relay. The relay sees encrypted bytes and the IP addresses at either end; it does not see the underlying content. The relay provider's own privacy policy applies to that hop.

3.2 Legal and safety reasons

We may disclose information if we believe in good faith that doing so is reasonably necessary to comply with a legal obligation, lawful request, or court order; to protect the rights, property, or safety of p2claw, our users, or others; or to detect, prevent, or address fraud, security, or technical issues.

3.3 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information we collect may be transferred as part of that transaction.

3.4 No sale; no targeted advertising

We do not sell your personal information, and we do not share it for purposes of cross-context behavioral advertising or targeted advertising, as those terms are defined under applicable law (including the California Consumer Privacy Act).

4. Cookies and tracking technologies

The marketing site may use cookies and similar technologies for functionality, traffic measurement, and security. Most browsers let you refuse or delete cookies; doing so may affect site functionality. We do not currently use the marketing site for cross-context behavioral advertising. If we add advertising or marketing-attribution tools in the future, we will update this Policy to describe them and any opt-out mechanisms.

5. Data retention

We retain information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Identifiers we issue (peer fingerprint and alias) are retained for the lifetime of the corresponding peer. We do not reassign aliases that are or have recently been associated with active peers, so that previously-issued URLs remain unambiguous; we may release aliases that have been dormant for an extended period, or reissue identifiers for operational reasons such as system recovery. Operational and diagnostic logs are retained on a rolling basis and deleted thereafter.

6. Your rights and choices

6.1 Self-service controls

Because the Services are built around a public/private key pair generated on your device, you control most of your information directly:

Delete your peer. Delete the local identity file and uninstall the agent. The corresponding row on our side becomes an orphan that can no longer be authenticated against. You do not need to contact us for this.
Stop being reachable. Stop the agent at any time. Visitors will receive a friendly "offline" response until you bring it back.
Inspect what we have. Run p2claw identity to see your peer identifier and alias, and p2claw routes to see the routes you have published.

6.2 Regional rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or receive a copy of the personal information we hold about you, to object to or restrict certain processing, and to lodge a complaint with a data protection authority. Where we process your personal data on the basis of our legitimate interests, you have the right to object to that processing on grounds relating to your particular situation. To exercise any of these rights, contact us using the details below. We will respond within the timeframes required by applicable law. We do not discriminate against users who exercise their rights.

7. Security

We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, and destruction. The peer-to-peer wire protocol used by the Services applies cryptographic authentication and end-to-end encryption to traffic between peers. No system is perfectly secure, however, and we cannot guarantee the security of information transmitted to or stored by us.

8. International data transfers

We operate the Services from infrastructure located in one or more countries which may be different from the country in which you reside. By using the Services, you understand that your information may be transferred to, stored in, and processed in those countries. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) for cross-border transfers of personal information.

9. Children's privacy

The Services are not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If we learn that we have collected such information, we will delete it.

10. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will update the "Last updated" date above and, where appropriate, provide additional notice (such as via the Service or a release note).

11. Contact us

For privacy questions, requests to exercise your rights, or anything else covered by this Policy, contact privacy@p2claw.com.