Last updated: 2026
Clawgate is a product of Virstack. Clawgate is a gateway for Claude Code that authenticates requests, enforces usage policies and budgets, records usage for billing and analytics, and forwards requests to an AI inference provider. This policy explains what data we process when you use the Clawgate service.
Information you provide when creating an account or organization, such as name, email address, organization details, role assignments, and authentication credentials.
The API keys we issue (stored as secure hashes), and the policies, budgets, projects, and model controls you configure.
For each request routed through the gateway we record usage metadata used for quota enforcement, billing, and analytics, including: the model used, input/output and cache token counts, computed cost, latency, timestamp, originating IP address, and client User-Agent, attributed to the relevant user and project.
To detect misuse (such as shared keys or a key used outside its intended project), Clawgate may compute privacy-preserving fingerprints of request content, including cryptographic hashes, MinHash sketches, and coarse breadcrumbs. We do not store your raw prompts or source code for abuse detection. We store only these derived, non-reversible signals.
For certain key types, an administrator may choose to store a Claude subscription token (from claude setup-token) so the gateway can connect on a user’s behalf. When stored, the token is encrypted at rest and used only to authenticate that key’s requests to the AI inference provider. It is never returned by the API, displayed in the dashboard, or written to logs, and it can be replaced or removed at any time.
We do not use your prompts, code, or request content to train machine-learning models. Requests are forwarded to our AI inference provider and are subject to that provider’s data handling terms.
Detailed usage events are retained according to your plan’s retention period (for example, 7 days, 90 days, 12 months, or unlimited/custom for Enterprise) and are automatically pruned after that window. Aggregated monthly usage rollups and invoices are retained for as long as needed to maintain accurate billing records. A stored Claude subscription token (where used) persists until it is replaced, removed, or the associated key is revoked, after which it is deleted.
For Enterprise customers who self-host Clawgate within their own infrastructure, usage data and request content remain within the customer’s environment and AWS account. Virstack does not receive that operational data unless explicitly shared for support.
We rely on infrastructure providers to operate the hosted service, including AWS for hosting and a third-party AI inference provider. The AI inference provider receives the request and, for keys that use a stored subscription token, the supplied subscription credential needed to fulfil it. These providers process data on our behalf under their respective terms.
We apply industry-standard measures to protect data, including encryption in transit, hashed credentials, encryption at rest for stored provider credentials, and access controls. No method of transmission or storage is perfectly secure, but we work to protect your information.
Depending on your jurisdiction, you may have rights to access, correct, export, or delete personal data we hold about you. To exercise these rights, contact info@virstack.com.
We may update this policy from time to time. Material changes will be communicated through the service or by email where appropriate.
Questions about this policy? Email info@virstack.com.
