How we handle your data, your API keys, and the URLs you submit.
No third-party trackers or cookies beyond a session ID on the marketing site.
All data is stored on our servers. One sub-processor is used for anti-bot and search offload—see /sub-processors. No third-party analytics are used.
Crawl data is retained until you delete it or for 90 days, whichever comes first. After deletion, monitor diff-detection hashes are kept for 30 days before permanent removal.
API keys are hashed at rest using SHA-256. The plaintext key is shown once at creation and never stored. Rotate or revoke keys via:
POST https://api.crawlcrawl.com/v1/keys/rotate
Authorization: Bearer crk_...
DELETE https://api.crawlcrawl.com/v1/keys/{prefix}
Authorization: Bearer crk_...
Webhook payloads are signed with HMAC-SHA256. Failed deliveries are retried for 24 hours on 5xx responses before being dropped.
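A receiver-side check for the signed webhooks described above, as an added example that is not crawlcrawl's own code. It assumes the signature arrives as a hex-encoded HMAC-SHA256 of the raw request body under a shared secret; the header that carries it, the sample payload, and the use of the signature as a de-duplication key are assumptions, since this page does not specify them.

```python
import hashlib
import hmac


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed signature format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(secret, body, signature, seen, process):
    """Return the HTTP status the receiver should answer with.

    signature: value of the signature header (header name not given on the page).
    seen:      set of already-processed deliveries (stand-in for a durable store).
    process:   caller-supplied function that acts on a verified body.
    """
    if not signature:
        return 401
    expected = sign(secret, body)
    supplied = signature.strip().lower()
    # Constant-time comparison; never compare MACs with ==.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        # 4xx, not 5xx: the policy only mentions retries on 5xx responses,
        # and a forged or corrupted payload should not be re-sent.
        return 401
    if expected in seen:
        # Redelivery of something already handled (retries run for 24 hours).
        return 200
    try:
        process(body)
    except Exception:
        # Transient failure on our side: 5xx so the delivery is retried.
        return 503
    seen.add(expected)  # mark done only after successful processing
    return 200


if __name__ == "__main__":
    secret = b"constructed-secret"           # constructed sample value
    body = b'{"event": "constructed.sample"}'  # constructed sample payload
    seen, handled = set(), []
    print(handle_webhook(secret, body, sign(secret, body), seen, handled.append))
    print(handle_webhook(secret, body + b" ", sign(secret, body), seen, handled.append))
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, or the MAC will not match.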
Under GDPR and DPDP, you may request access, deletion, or portability of your data. Email [email protected] with your project ID. Responses are provided within 30 days.
Changes to this policy are posted here. Material changes are communicated via email and an API deprecation header.
Last updated: 2026-05-12