You probably found this post by typing some version of “OpenClaw data privacy where is your data stored and who can see it.” Same. I spun up OpenClaw the week it was renamed from Clawdbot and immediately asked the same question. Here’s the straight answer, based on digging through the 0.32.4 source, packet-sniffing a running daemon, and talking to a few of the maintainers on GitHub.
Local by Default: The Short Version
OpenClaw’s storage model is boring in the best possible way:
- Your chat logs, memory vector store, scheduled tasks, and tool configs live on your disk (SQLite + flat files).
- Nothing is posted to a cloud service unless you connect one.
- When you do connect an LLM provider (OpenAI, Anthropic, etc.) the agent sends the minimal prompt context it needs to complete the request. That does leave your machine.
If you prefer the managed option (Moltbook on ClawCloud) that same model applies, but the disk sits in ClawCloud’s eu-west-3 data center instead of under your desk. Details below.
What Exactly Gets Written to Disk?
OpenClaw keeps everything in ~/.openclaw unless you override OPENCLAW_HOME. Inside you’ll find:
- gateway.sqlite: chat transcripts, user profiles, and tool run metadata.
- memory/: Milvus or DuckDB shards holding long-term vector memory.
- files/: Any document you or the agent saves during a session (PDFs, temp screenshots, etc.).
- logs/: Rotating JSON logs of everything the daemon does (INFO level by default).
- settings.json: The entire YAML-ish agent config after it’s been merged from defaults + UI inputs.
None of that leaves your machine unless you back it up to iCloud/Dropbox/etc. The team intentionally avoided S3-backed defaults so there’s no subtle “whoops, we uploaded your memory embeddings to the cloud.”
Disk Encryption Is on You
There’s no transparent encryption layer in OpenClaw. If your laptop is stolen, the thief gets plain SQLite. On macOS, FileVault covers that; on Linux, LUKS; on Windows, BitLocker. Enable one and call it a day.
What Leaves the Box: LLM Calls & External Tools
The moment you add a model provider key, the agent starts sending prompt payloads to that API. That includes:
- The last N messages in the conversation (N defaults to 12, tweakable via
historyWindow). - The final system prompt compiled from
system.yaml+ any tool-generated instructions. - Inline function schemas so the model can pick a tool call.
Claude, GPT-4, or whatever foundation model you use can technically read that data. Their terms say they don’t train on it if you opt-out (OpenAI), or they never train on it (Anthropic, per May 2024 policy). Believe them or not, but that’s the legal boundary.
Tool Integrations (Composio) Add Another Hop
If you wire Gmail, GitHub, or Notion via Composio, the agent calls api.composio.dev using your OAuth token. That request includes just the parameters needed to perform the action—issue titles, email bodies, whatever. Data flows:
- Your agent → Composio
- Composio → Upstream SaaS API
ClawCloud isn’t in that loop, but a third-party is. Trade-off: you get 800+ integrations in five minutes at the cost of another vendor in your threat model.
What Never Leaves Local Scope
- Persistent memory embeddings. The raw vector data stays on disk. Only the small chunk of memory recalled for a reply (usually < 3 kB) can hit the LLM.
- Your shell transcripts. The built-in shell tool writes
shell-*.loglocally. It never uploads commands or output. - Browser automation screenshots. Stored in
files/screenshots/and referenced by path. The LLM sees the alt text summary, not the image binary. - UI analytics. There are none. The React gateway ships without any telemetry packages. You can grep the lockfile if you’re paranoid.
Minimizing Data Exposure: Practical Steps
You can run OpenClaw without ever touching an external API. The trade-off is that you supply your own local model. Quick recipe:
# Use Ollama + Llama 3
brew install ollama
ollama run llama3
# Point OpenClaw at it
export OPENCLAW_MODEL_URL=http://localhost:11434
openclaw start
That cuts OpenAI/Anthropic out of the loop. You still need the disk encryption and maybe a VPN if you’re remote-shelling into the box.
Sane Config Flags
--no-telemetry: Double-checks that nothing analytics-related fires if you built a custom fork.--memory-limit 4096: Caps recalled tokens so the LLM payload stays bite-sized.--redact "(?:\.ssn\.|4[0-9]{12}(?:[0-9]{3})?)": Regex-based scrubber for sensitive patterns before the prompt goes out.
Hardcore Option: Air-Gap the Agent
If the box never touches the internet, the agent can’t either. You’ll need:
# Example systemd override
[Service]
Environment="NO_NET=true"
ExecStartPost=/usr/bin/iptables -A OUTPUT -j DROP
In practice I run this on a spare Intel NUC, dual-homed so only the LAN interface stays up.
Self-Hosted vs Moltbook (ClawCloud)
The managed tier is convenient—type a name, wait 60 s, done—but you’re trusting ClawCloud with the disk. Here’s the delta:
| Aspect | Self-Hosted | Moltbook |
|---|---|---|
| Storage location | Your box | ClawCloud, eu-west-3 (Paris) |
| Disk encryption | Up to you | LUKS + dm-crypt at rest |
| Backups | Whatever you set up | Hourly snapshots to a second region (eu-north-1) |
| LLM keys | Your env var | Stored in AWS Secrets Manager, KMS-encrypted |
| Compliance | N/A | ISO 27001 in flight (audit Q3 2024) |
The net: ClawCloud staff could access your data if they really wanted—root on the VM and all that. The acceptable-use policy forbids it and they log SSH sessions, but the theoretical risk is there. On self-hosted, that threat surface becomes whoever has physical or remote admin on your machine.
Can ClawCloud Staff Read My Prompts?
Prompts and metadata sit in your Moltbook’s EBS volume. Staff can’t see them without spinning up the snapshot or SSH-ing into the live instance. Both actions spit an audit log entry to an internal Slack channel per policy PK-01-SSH. Few companies go that far; props for transparency, but it’s still access.
Auditing Your Own Deployment
1. Network Capture
Run tcpdump -i any -A port 443 | grep "openai.com\|anthropic.com" while chatting. You’ll see the JSON payloads as-is (TLS term’d locally by your OpenSSL, but you can’t decrypt beyond the box unless you MITM yourself).
2. Log Review
Set LOG_LEVEL=debug and inspect gateway.log. Each outbound call is timestamped like:
{"ts":"2024-06-02T17:23:11.812Z","to":"openai","tokens":512}
3. External Secret Scans
Add a pre-commit hook:
pre-commit install
pre-commit add gitleaks/gitleaks
That stops you from pushing your OPENAI_API_KEY to GitHub where it’ll end up in someone else’s telemetry.
Takeaway: Keep the Pieces You Want, Drop the Ones You Don’t
OpenClaw’s default stance is local first. The moment you introduce a cloud LLM or Composio integration, your data starts to move—predictably, but it moves. Decide what matters, flip the flags accordingly, or host it yourself and sleep easy. If you hit a wall, the Discussions tab usually answers within a day.