Legal
Privacy Policy
Last updated 4 July 2026.
SendClaw is operated by ASTRA Digital Solutions LTD, a company registered in England and Wales, trading as SendClaw. This policy covers two groups of people: our customers (the teams who publish gated content with SendClaw) and end-viewers (the people who fill in a form to view that content). It explains what we collect from each, where it lives, who it is shared with, how long we keep it, and the rights you have over it. This policy is maintained by our team and reviewed periodically. It is not legal advice. Questions to privacy@sendclaw.io.
1. Our role: controller and processor
For customer account data (your login, organisation, billing) and for data collected on this marketing site, ASTRA Digital Solutions LTD is the data controller.
For end-viewer data captured through a gate, the customer who published the gate is the controller and SendClaw acts as their processor: we collect, store, and forward that data on their instructions. If you submitted a form on a gated page and want your data corrected or deleted, the publisher of that page is your first point of contact. We also action requests sent to us directly at privacy@sendclaw.io.
Customers are responsible for having a lawful basis to collect lead data through their gates and for their own privacy notices to their visitors. A data processing agreement (DPA) is available on request from hello@sendclaw.io.
2. What we collect from end-viewers
When you submit a gate form, we collect the form fields the publisher asks for. Depending on how the gate is configured these can include:
- Email address and phone number
- First name, last name, and company
- One custom field the publisher defines (for example job title or team size)
3. What we collect automatically on share pages
Every visit to a public share page records technical data used for lead attribution, the publisher's view analytics, and abuse prevention:
- IP address and browser user agent
- The referring page you arrived from
- Campaign (UTM) parameters carried by the link you followed
- View activity: which pages of the content you opened, how long it was open (measured by a periodic heartbeat while the page is visible), and return visits
4. What we collect from customers
Account email, name, and organisation details, managed through our authentication provider Clerk. If you upgrade to a paid plan, payment is handled by Stripe: your card details are collected by and stored with Stripe and never touch our servers. We hold only your billing status and a reference to your Stripe subscription. We also collect product usage analytics inside the app dashboard (via PostHog, configured without cookies) so we can improve the service. We do not run product analytics scripts on public share pages.
We send account holders two kinds of email: service emails about your account and content (welcome, lead notifications, link expiry and billing notices), and optional product emails such as usage summaries and tips tied to your activity. Every product email includes an unsubscribe link; service emails are sent only where necessary to run the service.
5. Where we host it
All customer and lead data is stored in Supabase Postgres in eu-west-1 (Ireland). Uploaded documents are stored in Supabase Storage in the same region. Data is encrypted in transit and at rest, every table is protected by row-level security, and file access goes through expiring signed URLs.
We do not transfer lead data outside the UK or EEA except to the subprocessors listed below, under appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision.
6. Who we share it with
End-viewer data is forwarded to the publisher who collected it, including to destinations the publisher configures: their CRM or other systems via webhooks, their Slack workspace, and a notification email. IP addresses are never included in webhook payloads or notification emails.
Beyond the publisher and the subprocessors below, we do not sell, rent, or share customer or lead data with anyone, we do not use it for advertising, and we do not train AI models on your content or your leads.
7. Subprocessors
We rely on the following providers to run the service:
- Supabase (database and file storage, hosted in Ireland)
- Clerk (authentication, United States)
- Stripe (payment processing, United States)
- Vercel (application hosting and CDN, United States)
- Loops (transactional and product email, United States)
- PostHog (product analytics for the app dashboard only, hosted in the EU)
8. How long we keep it
Lead data, including incomplete form submissions, is retained until the publisher deletes it or closes their account, after which it is removed within 30 days. For incomplete submissions that are never finished, the IP address and browser details we collected are removed automatically after 30 days; the contact details remain so the publisher can follow up. When a lead is deleted, the view activity linked to it (including IP address and user agent records) is deleted with it.
Customer account data is deleted within 30 days of account termination, after the export window described in our Terms of Service.
9. Cookies
We set only first-party cookies that are strictly necessary to make the service work. We set no advertising cookies, no third-party tracking cookies, and no analytics cookies anywhere, which is why you do not see a cookie consent banner.
- Authentication cookies set by Clerk on the SendClaw app, to keep you signed in
- A cookie on a share page after you complete a form (sc_lead_ prefix, 30 days), so you are not asked to fill the same form twice
- A cookie that lets the same publisher's other gates prefill your details (sc_visitor_ prefix, 30 days)
- A short-lived session cookie on share pages (sc_sess_ prefix, 1 hour) that protects the view-tracking endpoint from abuse
10. Your rights (UK and EU)
Under the UK GDPR and the EU GDPR you have the right to access, correct, export, delete, and restrict or object to the processing of your personal data. Customers can export all lead data and delete individual leads self-serve from Settings, and can email us for anything else.
Submit any request to privacy@sendclaw.io and we will respond within 30 days. You also have the right to complain to the Information Commissioner's Office (ico.org.uk) in the UK, or to your local supervisory authority in the EU.
11. Your rights (California and other US states)
If you are a California resident, the CCPA as amended by the CPRA gives you the right to know what personal information we hold about you, to delete it, to correct it, and to opt out of its sale or sharing. We do not sell or share personal information as those terms are defined in the CCPA, and we do not use sensitive personal information beyond what is necessary to provide the service. We will never discriminate against you for exercising these rights. Residents of other US states with similar laws have the equivalent rights. Requests to privacy@sendclaw.io.
12. Children
SendClaw is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data through a gate, contact privacy@sendclaw.io and we will delete it.
13. Changes to this policy
We will post any changes on this page and update the date at the top. For material changes affecting customers we will give notice by email before they take effect.
14. Contact
Data controller: ASTRA Digital Solutions LTD, trading as SendClaw, registered in England and Wales. For any privacy question or request, email privacy@sendclaw.io.