DRAFT — terms subject to change before public launch. Email [email protected] to confirm specifics.
Legal

Privacy.

How we handle your data, your API keys, and the URLs you crawl.

Data we collect

No third-party analytics. The marketing site uses a session cookie for navigation only.

Where data lives

On our servers. Sub-processors we use to operate the service are listed at /sub-processors.

How long we keep crawl data

Until you delete the crawl. There is no automatic expiry — crawl pages and their HTML archive stay in your account permanently. Delete with DELETE /v1/crawls/{id}. Hashes used for monitor diff-detection are kept for 30 days after a crawl's deletion, then purged. Full retention policy: retention.html.

Your API keys

Generated with 24 bytes of cryptographic randomness, base64url-encoded with a crk_ prefix. We store only the SHA-256 hash. The plaintext key is shown once on mint and never logged. Rotate with:

POST https://api.crawlcrawl.com/v1/keys/rotate
Authorization: Bearer crk_...

Revoke with:

DELETE https://api.crawlcrawl.com/v1/keys/<prefix>

Webhook deliveries

Signed with HMAC-SHA256 over the raw body, using a per-project secret you fetch from GET /v1/webhook/secret. Retried on 5xx for 24 hours, then dropped.

Your rights (GDPR / India DPDP)

Email [email protected] with your project ID to request access, deletion, or export of your data. We respond within 30 days.

Changes to this policy

Material changes are emailed to all paying customers and posted here. Last updated 2026-05-13.