Data Handling Policy

Last updated: 9 May 2026 — Valiant Partners Pty Ltd (ABN 77 636 173 307)

The short version: Your business data lives on your own Virtual Machine, under your control. We don't host your agents, we don't process your operational data, and we don't have persistent access to your infrastructure. This page explains exactly how that works and what we do handle directly.

Contents

Architectural Overview
Data We Handle Directly
Data We Don't Handle
AI Model API Disclosure
Support Access
Security Practices
Retention Schedule
Deletion Procedures
Data Breach Response
Australian Privacy Act Compliance
Questions

1. Architectural Overview

The design of our service is the most important data privacy control we offer. Understanding the architecture clarifies why most data privacy concerns simply don't apply to our model.

How Your Deployed System Works

1 You provision a Virtual Machine with a cloud provider of your choice (e.g. DigitalOcean, Vultr, AWS, Hetzner). You own this VM, you pay the hosting bill (~AUD $12–24/mo), and you hold the credentials.

↓

2 We access your VM temporarily (with your permission) to install and configure the OpenClaw agent runtime and Paperclip management dashboard. Once deployed, our access is revoked.

↓

3 Your AI agents run 24/7 on your VM, processing your business data entirely within your own infrastructure. No data passes through Valiant AI's servers.

↓

4 When your agents need to call an AI language model (e.g. to generate a response or analyse content), they call the model API directly from your VM. The API call goes: your VM → model provider. Valiant AI is not in this data path.

This architecture means Valiant AI is fundamentally not a data processor for your business operations. We are a deployment and configuration service. Once deployed, the system is yours.

1.1 Stack Components

OpenClaw: The agent runtime framework installed on your VM. It orchestrates agent tasks, integrations, and automations. Operates entirely within your VM environment.
Paperclip: A management dashboard installed on your VM that gives you visibility into your agents' activity, task history, and configuration. All Paperclip data is stored in a local database on your VM — not in a cloud service controlled by us.
Your VM: The host environment for everything. Controlled and billed by you directly. We configure it; we don't own it.

2. Data We Handle Directly

There are two phases where Valiant AI comes into contact with your information:

2.1 Pre-Engagement (Enquiry and Scoping)

When you contact us or proceed to an engagement, we collect and handle:

Your name, email address, phone number, and business name (via our contact form or direct email);
Business process descriptions, workflow documentation, and automation requirements you share with us to enable scoping and proposal preparation;
Any materials (e.g. screenshots, process maps, SOPs) you voluntarily provide to help us understand your requirements.

This information is used solely to scope, quote, and plan your engagement. It is not shared with third parties except as described in our Privacy Policy.

2.2 During Deployment (Project Execution)

During the active deployment phase, we may temporarily handle:

VM access credentials: SSH keys or login credentials to access your VM for installation purposes. These are provided by you, used for the purpose of deployment, and then either deleted from our systems or returned to you at handover. We do not retain VM credentials after a project is complete unless ongoing maintenance has been separately agreed in writing.
Third-party API keys: If your agents require integration with external services (e.g. CRM APIs, email platforms, AI model APIs), you may provide API keys for configuration. These are entered directly into your VM's configuration and are not stored in Valiant AI's own systems.
Test data: During configuration testing, we may use anonymised or synthetic test data. We will not request access to real customer data for testing unless the Client specifically asks us to validate against live data, and we will handle any such data with appropriate care and delete it post-testing.

3. Data We Don't Handle

To be unambiguous about what we do not access or control:

Your customers' data: Any data about your customers that flows through your agents — names, contacts, purchase history, messages — stays on your VM. We have no access to it.
Agent conversation logs: The Paperclip dashboard stores agent activity logs locally on your VM. We cannot view these logs.
Business records: Invoices, inventory, orders, bookings, or any other business records your agents interact with remain in your own systems.
Agent outputs: Emails, messages, or documents generated by your agents are produced and sent directly from your infrastructure.

Valiant AI is not a data custodian for your business operations. You are.

4. AI Model API Disclosure

Your deployed agents interact with third-party AI language model providers to perform reasoning, generation, and analysis tasks. When an agent calls a model API, the query and relevant context are transmitted from your VM directly to the model provider's servers. Valiant AI is not in this data path.

Below is a disclosure of the model providers that may be configured as part of your Deployed System. The specific provider(s) used in your deployment are specified in your Statement of Work.

Provider	Privacy Policy	Data Residency
Anthropic (Claude models)	anthropic.com/legal/privacy	United States
OpenAI (GPT models)	openai.com/policies/privacy-policy	United States
DeepSeek	deepseek.com/privacy	People's Republic of China
xAI (Grok models)	x.ai/legal/privacy-policy	United States
Google (Gemini models)	policies.google.com/privacy	United States (and others)
Mistral AI	mistral.ai/privacy	European Union (France)

Important: If your business handles sensitive personal information (e.g. health data, financial data, or data subject to strict regulatory requirements), you should carefully review the data handling terms of any model provider before allowing your agents to process that information. Where data sovereignty is a concern, we can configure your agents to use models with Australian or EU data residency options, or discuss self-hosted model alternatives. Raise this during scoping.

4.1 API Usage Costs

Model API calls are billed directly by the provider to the API key holder — that is, to you. Valiant AI does not mark up or profit from your model usage. Costs vary by model and volume. We provide usage estimates during scoping, but actual costs are determined by your usage and the provider's pricing, which may change over time.

4.2 Model Training on Your Data

Most major model providers offer API access under terms that do not use API inputs to train their models by default. However, terms vary by provider and account type. We strongly recommend reviewing the API data usage terms of your chosen model provider and, where available, opting out of data usage for training. Valiant AI does not train models on Client data and has no involvement in this aspect of third-party provider relationships.

5. Support Access

After deployment, Valiant AI has no standing access to your VM. If you request technical support that requires our team to access your system, the following process applies:

Consent: You explicitly request support and grant access, either by providing temporary credentials or by using a controlled remote access method (e.g. sharing a specific session).
Scope limitation: Access is limited to what is necessary to investigate and resolve the specific issue.
Time limitation: Access is revoked at the conclusion of the support session, or within 24 hours, whichever is sooner.
No data extraction: Our team does not download, copy, or retain any data from your VM during a support session. Any observations made during support are used solely to resolve the issue.
Record: We maintain an internal record of when support access was granted, for what purpose, and when it was revoked.

If you use a temporary password or credential for support access, we recommend changing it after the support session concludes.

6. Security Practices

6.1 Our Security Practices

In respect of the limited personal and business information we handle directly, Valiant AI implements the following security measures:

Encrypted communications: All email and data transmission uses TLS encryption. Our website uses HTTPS exclusively.
Access control: Onboarding documents, client files, and any credentials provided during a project are stored in access-controlled systems, accessible only to the team member(s) working on that engagement.
Credential handling: Any API keys, SSH credentials, or access tokens provided for configuration are not stored in plain text. They are entered directly into your VM's configuration environment and not retained in our own storage after project completion.
No persistent credential storage: We do not operate a centralised credential vault for client VM access. After handover, we have no stored means of accessing your VM.
Internal awareness: Our team is briefed on data handling obligations and the importance of handling client information with care.

6.2 Your VM Security — Our Recommendations

Because your VM hosts your agents and their data, its security is your responsibility. We recommend:

Keeping your VM's operating system and packages updated regularly (e.g. apt update && apt upgrade on Ubuntu/Debian systems);
Using SSH key-based authentication and disabling password authentication for SSH access;
Configuring a firewall (e.g. UFW or your cloud provider's firewall) to restrict inbound ports to only those necessary;
Enabling automated backups through your cloud provider's snapshot feature (typically a small additional cost);
Rotating API keys and credentials periodically, especially after any personnel changes;
Using strong, unique passwords for any web-based dashboards or admin interfaces;
Enabling two-factor authentication on your cloud provider account.

We will provide VM-specific security configuration guidance as part of your handover documentation.

7. Retention Schedule

We apply the following data retention periods to different categories of information:

Data Category	Retention Period	Basis
Enquiry and contact form data (no engagement proceeds)	24 months from initial contact	Legitimate interest (follow-up); deleted at expiry
Enquiry and contact form data (engagement proceeds)	Duration of engagement + 7 years	Legal/tax compliance
Project scope documents, proposals, SOWs	7 years from project completion	Tax, accounting, and legal record-keeping obligations
Invoices and payment records	7 years from invoice date	Income Tax Assessment Act 1997 (Cth)
VM access credentials (SSH keys, passwords)	Deleted at project handover or within 48 hours thereafter	No legitimate basis for continued retention
Third-party API keys entered for configuration	Not retained by Valiant AI; entered directly to VM only	N/A
Support access records	12 months from access date	Accountability and audit
General business correspondence (emails)	7 years	Legal and tax record-keeping

8. Deletion Procedures

When data reaches the end of its retention period, or when a Client requests deletion under the Privacy Act, we apply the following procedures:

Electronic documents and files: Securely deleted from any cloud storage or file systems where they are held, using platform-level deletion that removes data from active storage. Where platform-specific data recovery windows apply, we confirm deletion has been initiated.
Email correspondence: Deleted from email client and server (where technically possible). Note that email data held by the Client party cannot be deleted by us.
Credentials and API keys: Overwritten or deleted immediately upon confirmation of project handover.
Third-party processors (e.g. Formspree): We will submit deletion requests to third-party processors on your behalf where technically available. Deletion timelines are subject to those processors' own procedures.

Upon completion of a deletion request, we will confirm in writing (by email) that the deletion has been carried out, identifying the categories of data deleted. Where we are legally required to retain certain records (e.g. tax records), we will advise you of this and the expected retention period.

9. Data Breach Response

In the event that Valiant AI becomes aware of a data breach involving personal information we hold, we will respond in accordance with our obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth):

Assessment: We will assess whether the breach is likely to result in serious harm to any affected individuals within 30 days of becoming aware of the incident.
Notification: If serious harm is likely, we will notify:
- The affected individual(s) as soon as practicable; and
- The Office of the Australian Information Commissioner (OAIC) via the NDB notification form.
Containment: We will take immediate steps to contain the breach and prevent further unauthorised access or disclosure.
Review: We will conduct a post-incident review and implement any necessary improvements to prevent recurrence.

If you become aware of a security incident affecting your VM or Deployed System, please notify us at hello@valiantai.com.au promptly. While your VM is under your control, we can assist with incident response guidance where relevant.

10. Australian Privacy Act Compliance

Valiant Partners Pty Ltd handles personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). The following table summarises our compliance position against each APP:

APP 1 (Open and transparent management): This policy and our Privacy Policy provide transparent disclosure of our data handling practices.
APP 2 (Anonymity and pseudonymity): We allow anonymous website browsing. However, service enquiries require contact information to respond.
APP 3 (Collection of solicited personal information): We collect only information that is reasonably necessary for our functions and services.
APP 4 (Dealing with unsolicited personal information): Unsolicited personal information that we could not have solicited is destroyed or de-identified promptly.
APP 5 (Notification): We notify individuals of our data practices at the time of collection through this policy and our contact form.
APP 6 (Use or disclosure): Personal information is used only for the primary purpose of collection, or secondary purposes the individual would reasonably expect.
APP 7 (Direct marketing): We do not use personal information for direct marketing without consent.
APP 8 (Cross-border disclosure): As detailed in our Privacy Policy, Formspree and email services may process data overseas. We take reasonable steps to ensure equivalent protection.
APP 9 (Adoption of government-related identifiers): We do not collect or use government identifiers such as Tax File Numbers.
APP 10 (Quality): We take reasonable steps to ensure personal information is accurate, up-to-date, and complete.
APP 11 (Security): We apply security measures as described in Section 6 of this policy.
APP 12 (Access to personal information): Individuals may request access to personal information we hold. See our Privacy Policy for the request process.
APP 13 (Correction of personal information): Individuals may request correction of inaccurate information. We will respond within 30 days.

11. Questions

If you have any questions about how we handle your data, want to exercise a privacy right, or wish to request deletion of your information, contact us:

Email: hello@valiantai.com.au
Subject line: Data Handling Enquiry
Entity: Valiant Partners Pty Ltd
ABN: 77 636 173 307
Jurisdiction: New South Wales, Australia

We will respond to all data handling enquiries within 5 business days.