Enterprise Security: Encrypted, Private, GDPR-Ready

Contents

Key facts


all features

► Feature

Privacy-First Security

Track AI bots, not your visitors

Crawlytics is built around a simple principle: we capture the minimum data needed to identify AI bots, and nothing more. No IPs are ever stored. No cookies are dropped. Authentication uses bcrypt password hashing, every request is encrypted in transit, and each site gets its own revocable tracking ID.

What we store, what we don't

On a tracked request, Crawlytics writes one of three things to its aggregate table: (1) the bot name + company if the User-Agent matches a known LLM crawler, (2) the AI assistant + path if the Referer matches ChatGPT / Perplexity / Claude / Gemini / Copilot, or (3) nothing identifying about the visitor — just a request count on the day-level page-hit table. IP addresses, cookies, session IDs, and user identifiers are never retained.

Authentication

Dashboard accounts use NextAuth with the Credentials provider. Passwords are hashed with bcrypt at cost factor 12 before being written to the database. Login session tokens are JWT-signed with a server-side secret. Each ingest endpoint is keyed to a specific site via its tracking ID — leaking one ID only exposes that one site, and you can rotate it from the Setup page in seconds.

Data lifetime & control

Aggregate data lives in your account until you delete the site (which cascades-deletes all its rows). You own the workspace; we have no policy of selling or sharing data with anyone. There are no third-party SDKs embedded in the dashboard or the installer snippets.

// the trust layer

No IP storage. No cookies. No third-party trackers. Just aggregates you own.

Related features

FAQ

Frequently Asked Questions

Do I need a cookie banner if I use Crawlytics?

No. Crawlytics doesn't set cookies, doesn't fingerprint visitors, and doesn't store IPs. The data we capture is bot identification and AI-assistant referrals — neither qualifies as personal data under GDPR or CCPA.

Is Crawlytics GDPR-compliant?

Crawlytics doesn't collect personal data, so most GDPR obligations don't apply by design. The few pieces of data we do hold (your account email, your site URLs, aggregated bot counts) can be exported or deleted on request — contact support if you need that done.

What happens if my tracking ID leaks?

A leaked tracking ID lets a third party submit fake events for that one site — annoying but bounded. Open the Setup page for the affected site and click Regenerate. The old ID stops working immediately and your installer snippets can be updated with the new one.

Can I export or delete my data?

Per-site delete is one click in the dashboard. Bulk export of the underlying aggregate tables will be available once the JSON/CSV export endpoint ships (planned).

Content not visible to non-JS crawlers

Cite this page

Related on this site


This page is part of Crawlytics.app. View all pages: llms.txt · llms-full.txt

Site index for AI agents: llms.txt · sitemap