Privacy Policy
Effective date: 2026-05-27 · Last updated: 2026-05-27
AutoClaw AI ("AutoClaw", "we", "us") is a retail intelligence platform operated by Win Big Marketing Inc. This policy explains what data AutoClaw collects from auto dealers and end users, how that data is used, and the controls available to you. If you have questions, contact support@autoclawai.com.
1. Who this policy applies to
AutoClaw is a business-to-business product. Our customers are licensed auto dealers ("Dealers") who sign up for an AutoClaw account and connect their own third-party accounts (such as Google Merchant Center, Google Analytics 4, and CRM platforms) to AutoClaw so that AutoClaw can surface retail intelligence on their inventory.
This policy applies to:
- Dealer account holders and dealership employees who log in to AutoClaw.
- Data that AutoClaw reads from third-party accounts that a Dealer has connected.
- Visitors to autoclawai.com.
2. Information we collect
2.1 Account information
When a Dealer signs up, we collect the account holder's name, email address, dealership name, and an encrypted password hash. Where applicable we also collect billing contact information.
2.2 Data accessed through Google APIs (OAuth)
With the Dealer's explicit consent, AutoClaw uses Google OAuth to access the following Google API scopes on behalf of the Dealer. The data flow, retention, and use of each scope is described below.
2.2.1 Google Merchant Center — https://www.googleapis.com/auth/content
- What we read: The Dealer's vehicle product listings (productInputs) from their Google Merchant Center account, including VIN, year, make, model, trim, mileage, price, dealer location, listing URL, image URL, and feed-level metadata such as lastSyncedAt.
- What we do not read or modify: AutoClaw uses read-only access. AutoClaw never creates, edits, or deletes Merchant Center listings, never reads or modifies any non-vehicle product data, and never accesses other Merchant Center accounts within the Dealer's Google account.
- Why: To mirror the Dealer's lot into AutoClaw so we can pair each VIN with retail comp signals, demand signals, and traffic signals on the AutoClaw retail intelligence cockpit.
- Storage: Mirrored locally in encrypted Postgres in a per-Dealer DealerInventoryItem table. Deleted within 30 days of the Dealer disconnecting Google.
2.2.2 Google Analytics 4 — https://www.googleapis.com/auth/analytics.readonly
- What we read: Aggregate page-view counts from the Dealer's GA4 property, filtered to page paths that contain a 17-character vehicle identification number (VIN). We extract the VIN from the page path, group by (VIN, date), and store the resulting daily aggregate count.
- What we do not read: AutoClaw does not read user-level GA4 data, personally identifiable information, IP addresses, user IDs, device identifiers, or any other GA4 dimension beyond pagePath and date. AutoClaw never modifies GA4 configuration.
- Why: To compute "hot unit" and "stale unit" signals on the AutoClaw cockpit (which VINs are getting attention vs. sitting idle).
- Storage: Mirrored locally in encrypted Postgres in a per-Dealer DealerVdpView table. Deleted within 30 days of the Dealer disconnecting Google.
2.2.3 OAuth tokens
When a Dealer connects Google, we receive an OAuth refresh token. AutoClaw stores this token encrypted at rest using AES-256-GCM with a key managed in our infrastructure secrets vault. The refresh token is used solely to mint short-lived access tokens at request time. The refresh token is deleted within 24 hours of disconnect, and we revoke the token at Google as part of the disconnect flow.
2.3 Data accessed through CRM integrations
If a Dealer connects a CRM (such as DealerSocket), AutoClaw reads lead records (lead source, vehicle VIN or year/make/model, lead status, lead created timestamp, and lightweight customer contact fields where present) so AutoClaw can attribute leads to specific VINs in the cockpit. The Dealer's CRM API key is encrypted at rest using the same AES-256-GCM key.
2.4 Usage data
We collect standard server logs (timestamps, request paths, response codes, user agent, IP address) for security, debugging, and rate-limit enforcement. Log retention is 30 days.
2.5 Cookies
We use first-party cookies for session authentication only. We do not use third-party advertising or cross-site tracking cookies.
3. Google API Services User Data Policy — Limited Use
AutoClaw's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Google user data to provide and improve user-facing features that are prominent in AutoClaw's user interface.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to Dealers.
- We do not use Google user data for serving ads, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless: (a) we have the Dealer's affirmative agreement for specific data, (b) it is necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) the data has been aggregated and anonymized so that it cannot be used to identify any individual.
4. How we use information
- To provide the AutoClaw retail intelligence cockpit and related features.
- To authenticate Dealers and protect their accounts.
- To compute aggregate, non-identifying signals (e.g. "median CarGurus list price for 2022 RAM 1500 in Dallas this week") that are shown to all Dealers.
- To send transactional product emails (password reset, sync failure alerts, billing notices). We do not send marketing email without separate opt-in.
We do not sell Dealer data. We do not sell Google user data. We do not use Google user data to train or improve generalized machine learning models.
5. Who we share data with
AutoClaw uses the following sub-processors, all under written data processing terms:
- Supabase (Postgres hosting) — Dealer data at rest.
- Fly.io (application hosting for the API).
- Vercel (application hosting for the web app).
- Anthropic (Claude API, when a Dealer interacts with the in-app AI assistant — prompts and responses are not used to train Anthropic's models, per Anthropic's enterprise data policy).
We do not share Google user data with any sub-processor except the ones above and only as needed to provide the AutoClaw service.
6. How a Dealer can revoke access and delete their data
- Revoke Google access at any time from app.autoclawai.com/settings/connections — this revokes the refresh token at Google and deletes our local copy within 24 hours.
- Revoke Google access at Google at myaccount.google.com/permissions.
- Delete a Dealer account in full by emailing support@autoclawai.com — we complete deletion within 30 days and confirm by email.
7. Data retention
| Data | Retention |
|---|---|
| OAuth refresh tokens | Until disconnect; then 24 hours. |
| Mirrored GMC inventory rows | 30 days after disconnect or account deletion. |
| Mirrored GA4 VDP-view aggregates | 30 days after disconnect or account deletion. |
| CRM lead records | 30 days after disconnect or account deletion. |
| Server logs | 30 days. |
| Billing records | 7 years (US tax requirement). |
8. Security
- All traffic to AutoClaw is encrypted in transit (TLS 1.2+).
- OAuth refresh tokens and CRM API keys are encrypted at rest with AES-256-GCM.
- Database storage is encrypted at rest by our sub-processor.
- Production access is limited to specific employees with multi-factor authentication.
- We perform routine dependency scanning on application code.
9. Children
AutoClaw is a B2B product for licensed auto dealers and is not directed at children under 13. We do not knowingly collect data from children.
10. International users
AutoClaw is operated from the United States. By using AutoClaw you consent to the transfer of your data to the United States. We do not currently offer AutoClaw to users in the European Economic Area.
11. Changes
If we make material changes to this policy we will notify Dealers by email and post the change here with an updated "Last updated" date.
12. Contact
Win Big Marketing Inc
Operator of AutoClaw AI
Email: support@autoclawai.com