How we handle your data, your API keys, and the URLs you crawl.
No third-party analytics. The marketing site uses a session cookie for navigation only.
On our servers. Sub-processors we use to operate the service are listed at /sub-processors.
30 days, or until you delete the crawl — whichever comes first. Hashes used for monitor diff-detection are kept for 30 days after a crawl's deletion, then purged.
Generated with 24 bytes of cryptographic randomness, base64url-encoded with a crk_ prefix. We store only the SHA-256 hash. The plaintext key is shown once on mint and never logged. Rotate with:
POST https://api.crawlcrawl.com/v1/keys/rotate
Authorization: Bearer crk_...
Revoke with:
DELETE https://api.crawlcrawl.com/v1/keys/<prefix>
Signed with HMAC-SHA256 over the raw body, using a per-project secret you fetch from GET /v1/webhook/secret. Retried on 5xx for 24 hours, then dropped.
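A receiver-side check for the webhook signature described above, as an added example that is not CrawlCrawl's own code. The page does not state the signature encoding or the header that carries it, so hex encoding and the handler's signature argument are assumptions, and the secret and body are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real secret comes from GET /v1/webhook/secret.
SAMPLE_SECRET = b"constructed-project-secret"
SAMPLE_BODY = b'{"event":"crawl.finished","crawl_id":"c_123"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body. Hex output is an assumption."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, received_sig: str) -> bool:
    """True only if received_sig matches the HMAC of the exact bytes received."""
    if not isinstance(raw_body, (bytes, bytearray)):
        raise TypeError("verify the raw request bytes, not a parsed body")
    expected = sign(secret, raw_body).encode("ascii")
    candidate = received_sig.strip().lower().encode("utf-8")
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(expected, candidate)


def handle_delivery(secret: bytes, raw_body: bytes, received_sig):
    """Hypothetical handler: returns (status, payload). Parses only after verifying."""
    if not received_sig:
        return 401, None  # unsigned delivery: reject before touching the body
    if not verify_webhook(secret, raw_body, received_sig):
        return 401, None  # a 4xx, outside the 5xx range the page says is retried
    try:
        return 200, json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, None


if __name__ == "__main__":
    good = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, good))
    # Re-serialising parsed JSON changes whitespace, so the bytes and the
    # HMAC no longer match: always verify what arrived on the wire.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_webhook(SAMPLE_SECRET, reserialised, good))
```

Capture the body bytes before any framework middleware decodes or parses them; most verification failures come from signing a re-encoded body rather than from a wrong secret.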
Email [email protected] with your project ID to request access, deletion, or export of your data. We respond within 30 days.
Material changes are emailed to all paying customers and posted here. Last updated 2026-05-13.