Legal
Privacy Policy
How CrabGlamp collects, uses, stores, and protects your personal information and data.
Privacy Policy
Effective date: March 25, 2026 Last updated: March 25, 2026
This Privacy Policy describes how CrabGlamp, Inc. (“CrabGlamp,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use the CrabGlamp platform, website, and related services (the “Service”).
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.
1. Information we collect
1.1 Information you provide
- Account information: Name, email address, and profile identifier provided through Clerk, our third-party authentication provider. You may sign in via GitHub, Google, or email. CrabGlamp does not store your password — authentication is handled entirely by Clerk.
- Username: A unique slug you choose during onboarding, used as your public identifier on the platform and GlampHub.
- Payment information: Billing details, including payment method information, are collected and processed by Stripe. CrabGlamp does not store your full credit card number or payment credentials.
- Support communications: Any information you provide when contacting support, submitting feedback, or reporting issues.
- GlampHub content: Files, metadata, descriptions, tags, and README content you include when publishing Glamps. Published Glamps are publicly visible.
1.2 Information collected automatically
- Usage data: Agent creation, start/stop events, agent size and billing type, session duration, and feature usage (including GlampHub publishing and starring). This data is used for billing, analytics, and service improvement.
- Log data: Server logs that may include your IP address, browser type, operating system, referring URLs, and timestamps of requests to the CrabGlamp dashboard and API.
- Device information: Browser type, screen resolution, and operating system, collected to ensure the Service displays and functions correctly.
1.3 Agent content
- Your Content: Code, files, configurations, and data stored within your agents. CrabGlamp accesses Your Content only as necessary to provide the Service (storage, transmission). We do not read, analyze, or use Your Content for any other purpose. See Section 4 for details.
1.4 Information from third parties
- Clerk: When you sign in, Clerk provides your name, email, and profile identifier. CrabGlamp stores your Clerk user ID to link your identity to your account. We do not receive your password.
- Stripe: We receive transaction confirmations, subscription status, and payment failure notifications from Stripe. We do not receive your full payment card details.
2. How we use your information
| Purpose | Data used |
|---|---|
| Providing the Service | Account info, agent content, usage data |
| Billing and payments | Account info, payment info (via Stripe), usage data |
| GlampHub | Account info, published Glamp content, star/usage data |
| Service improvement | Usage data, log data, device info |
| Security and fraud prevention | Log data, account info, usage data |
| Customer support | Account info, support communications, usage data |
| Legal compliance | All categories as required by law |
| Communications | Account info (email) for service-related notices |
We do not use Your Content (code, files, data inside agents) for analytics, training, advertising, or any purpose other than providing the Service to you.
3. How we share your information
We do not sell your personal information. We share information only in the following circumstances:
3.1 Service providers
We use third-party service providers to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication and identity management | Name, email, authentication tokens |
| Stripe | Payment processing and subscription management | Account email, billing details, usage metrics for invoicing |
| Cloud infrastructure provider | Hosting agent VMs and persistent storage | Agent content (encrypted at rest) |
| Tigris (S3-compatible storage) | Hosting published Glamp files | Published Glamp tarballs (encrypted at rest) |
| OpenAI (when using platform-provided keys) | LLM API access | Prompts and completions you send through the AI gateway |
3.2 GlampHub (public content)
When you publish a Glamp to GlampHub, the following is publicly visible to anyone:
- Your username
- Glamp name, display name, description, and tags
- Published files and README content
- Version history and star count
This is public by design. Do not publish content you want to keep private.
3.3 LLM providers
When you use platform-provided LLM keys, your prompts and responses are transmitted to the third-party LLM provider (currently OpenAI). This data is subject to the LLM provider’s own privacy policy and data usage terms. CrabGlamp does not log, store, or review the content of your LLM interactions.
If you use your own API keys, CrabGlamp has no visibility into your LLM usage.
3.4 Legal requirements
We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
3.5 Business transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy.
4. Agent content and data isolation
4.1 Isolation
Each agent is a dedicated, isolated virtual machine. Your Content is stored on persistent volumes that are not shared with other users. Agents are fully isolated — separate VMs, separate storage, separate networking.
4.2 Access controls
Your agents are accessible only through authenticated browser sessions. Access is controlled by short-lived tokens (60-second TTL) issued by the CrabGlamp dashboard, which establish a secure session cookie (24-hour TTL). There is no SSH access. CrabGlamp personnel do not access Your Content except:
- When required to provide technical support you have requested.
- When required to comply with legal obligations.
- When necessary to investigate a violation of our Terms of Service.
In all cases, access is logged and limited to the minimum necessary.
4.3 No content mining
CrabGlamp does not use Your Content to train machine learning models, generate analytics, or for any purpose other than providing the Service. Your code is your code.
4.4 GlampHub security scanning
When you stage a Glamp for publishing, CrabGlamp runs an automated security scan using TruffleHog to detect accidentally included credentials, API keys, and sensitive patterns. Scan results are shown to you during the review step. CrabGlamp does not guarantee detection of all sensitive content — you are responsible for reviewing scan results before publishing.
5. Data retention
| Data type | Retention period |
|---|---|
| Account information | Retained while your account is active, plus 30 days after closure |
| Agent content | Retained while the agent exists, plus 30 days after agent destruction or account closure |
| Published Glamps | Retained until you delete them or your account is closed |
| Usage and billing data | Retained for 24 months after generation for billing accuracy and dispute resolution |
| Log data | Retained for 90 days, then deleted or anonymized |
| Support communications | Retained for 24 months after resolution |
| Payment records | Retained as required by tax and financial regulations (typically 7 years) |
After the applicable retention period, data is permanently deleted or irreversibly anonymized.
6. Data security
We implement industry-standard security measures to protect your information:
- Encryption in transit: All connections to CrabGlamp use TLS 1.2 or later. Agent access, dashboard, and API traffic are encrypted.
- Encryption at rest: Agent persistent volumes and Glamp file storage are encrypted at rest using AES-256.
- Access controls: Internal access to production systems requires multi-factor authentication and is limited to authorized personnel on a need-to-know basis.
- Infrastructure isolation: Each agent runs in its own dedicated VM with no shared resources between users.
- Payment security: Payment information is handled entirely by Stripe, which is PCI DSS Level 1 certified. CrabGlamp never stores full card numbers.
- Authentication security: User authentication is handled by Clerk with industry-standard security practices.
While we take security seriously, no system is completely secure. We cannot guarantee absolute security of your data.
7. Your rights and choices
7.1 Access and portability
You can access Your Content at any time through your agents. You can export your data by downloading files directly from the agent’s file system or using Git to push to an external repository.
7.2 Correction
You can update your account information through the dashboard. Contact support at don@crabglamp.com if you need assistance correcting other personal information.
7.3 Deletion
You can delete Your Content by destroying agents. You can delete published Glamps from the dashboard. You can close your account by destroying all agents and contacting support at don@crabglamp.com. Upon account closure, we will delete your personal information in accordance with the retention schedule in Section 5.
7.4 Objection and restriction
You may object to certain processing of your personal information or request that we restrict processing in certain circumstances. Contact us at don@crabglamp.com to make such a request.
7.5 Communications opt-out
You can opt out of non-essential communications by contacting support. You cannot opt out of service-related notices (e.g., billing failures, Terms updates, security alerts).
8. Cookies and tracking
8.1 Essential cookies
The CrabGlamp dashboard and agents use essential cookies for:
- Authentication: Session cookies managed by Clerk that maintain your authenticated state on the dashboard.
- Agent sessions: A secure cookie (24-hour TTL) that maintains your authenticated session with a specific agent.
- CSRF protection: Cookies that prevent cross-site request forgery.
These cookies are strictly necessary for the Service to function and cannot be disabled.
8.2 Analytics
We may use privacy-respecting analytics to understand aggregate usage patterns (e.g., which documentation pages are visited most). We do not use third-party advertising trackers, and we do not serve ads.
8.3 Do Not Track
We honor Do Not Track (DNT) browser signals. When DNT is enabled, we disable non-essential analytics.
9. International data transfers
CrabGlamp is based in the United States and processes data in the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission as the legal mechanism for data transfers outside the EEA.
10. Children’s privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at don@crabglamp.com.
11. California privacy rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at don@crabglamp.com.
12. European privacy rights (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing: We process your personal data based on: (a) performance of our contract with you (providing the Service), (b) our legitimate interests (security, service improvement), and (c) your consent (where applicable).
- Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority.
- Additional rights: In addition to access, correction, and deletion, you have the right to data portability and the right to restrict or object to processing.
To exercise GDPR rights, contact us at don@crabglamp.com.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the dashboard or email at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
The “Last updated” date at the top of this page indicates when this policy was last revised.
14. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at don@crabglamp.com.