Privacy-First Security
Track AI bots, not your visitors
Crawlytics is built around a simple principle: we capture the minimum data needed to identify AI bots, and nothing more. No IPs are ever stored. No cookies are dropped. Authentication uses bcrypt password hashing, every request is encrypted in transit, and each site gets its own revocable tracking ID.
No IP storage
Crawlytics never persists visitor IP addresses — not raw, not hashed. The ingest endpoint discards them on receipt.
Aggregated data only
Hit data is rolled up into per-day per-bot aggregates the moment it arrives. There is no raw event log of individual requests.
Bcrypt password hashing
Dashboard logins use bcrypt with a cost factor of 12. Even with a database leak, recovering passwords is computationally infeasible.
Per-site tracking IDs
Each site gets a unique tracking ID. Regenerate it in one click if it leaks — no other site's data is affected.
TLS in transit
All ingest, dashboard, and API traffic runs over TLS. Custom domains get Let's Encrypt certs automatically.
Zero third-party trackers
No Google Analytics, no fingerprinting, no embedded pixels. The dashboard is self-contained.
What we store, what we don't
On a tracked request, Crawlytics writes one of three things to its aggregate table: (1) the bot name + company if the User-Agent matches a known LLM crawler, (2) the AI assistant + path if the Referer matches ChatGPT / Perplexity / Claude / Gemini / Copilot, or (3) nothing identifying about the visitor — just a request count on the day-level page-hit table. IP addresses, cookies, session IDs, and user identifiers are never retained.
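The three-way write described above can be sketched as follows. This is an added example, not Crawlytics source code: the User-Agent tokens, referrer hosts, key layout, query-string stripping and sample requests are all assumptions made for illustration.

```javascript
// Added illustration, not Crawlytics source. Rules and samples are constructed.
const BOT_RULES = [
  { token: "GPTBot", bot: "GPTBot", company: "OpenAI" },
  { token: "ClaudeBot", bot: "ClaudeBot", company: "Anthropic" },
  { token: "PerplexityBot", bot: "PerplexityBot", company: "Perplexity" },
];
const ASSISTANT_HOSTS = new Map([
  ["chatgpt.com", "ChatGPT"], ["perplexity.ai", "Perplexity"],
  ["claude.ai", "Claude"], ["gemini.google.com", "Gemini"],
  ["copilot.microsoft.com", "Copilot"],
]);

function refererHost(referer) {
  try {
    return new URL(referer).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null; // missing or malformed Referer
  }
}

// Assumption: query string and fragment are dropped so tokens or e-mail
// addresses embedded in URLs never become part of an aggregate key.
const cleanPath = (p) => String(p || "/").split(/[?#]/)[0];

// Reads only User-Agent, Referer and path; req.ip and cookies are never touched.
function classify(req) {
  const ua = String(req.headers["user-agent"] || "");
  const rule = BOT_RULES.find((r) => ua.includes(r.token));
  if (rule) return `bot|${rule.bot}|${rule.company}`;
  const assistant = ASSISTANT_HOSTS.get(refererHost(req.headers.referer));
  if (assistant) return `referral|${assistant}|${cleanPath(req.path)}`;
  return `pagehit|${cleanPath(req.path)}`;
}

// Increment a per-day counter; no per-request record is kept.
function ingest(aggregates, req, day) {
  const key = `${day}|${classify(req)}`;
  aggregates.set(key, (aggregates.get(key) || 0) + 1);
  return key;
}

const BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0";
const SAMPLE = [ // constructed requests
  { ip: "203.0.113.7", path: "/docs", headers: { "user-agent": "Mozilla/5.0 (compatible; GPTBot/1.0)" } },
  { ip: "198.51.100.9", path: "/blog", headers: { "user-agent": "Mozilla/5.0 (compatible; GPTBot/1.0)" } },
  { ip: "192.0.2.44", path: "/pricing?email=a@example.com",
    headers: { "user-agent": BROWSER, referer: "https://chatgpt.com/", cookie: "sid=abc" } },
  { ip: "192.0.2.45", path: "/", headers: { "user-agent": BROWSER } },
];
function runSample() {
  const agg = new Map();
  for (const r of SAMPLE) ingest(agg, r, "2025-01-01");
  return agg;
}
```

A design like this is easy to audit: every stored key can be inspected for fields that should never appear, such as an address or a query-string value.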
Authentication
Dashboard accounts use NextAuth with the Credentials provider. Passwords are hashed with bcrypt at cost factor 12 before being written to the database. Login session tokens are JWT-signed with a server-side secret. Each ingest endpoint is keyed to a specific site via its tracking ID — leaking one ID only exposes that one site, and you can rotate it from the Setup page in seconds.
Data lifetime & control
Aggregate data lives in your account until you delete the site (which cascade-deletes all its rows). You own the workspace; we have no policy of selling or sharing data with anyone. There are no third-party SDKs embedded in the dashboard or the installer snippets.
FAQ
Frequently asked questions
No. Crawlytics doesn't set cookies, doesn't fingerprint visitors, and doesn't store IPs. The data we capture is bot identification and AI-assistant referrals — neither qualifies as personal data under GDPR or CCPA.
Crawlytics doesn't collect personal data, so most GDPR obligations don't apply by design. The few pieces of data we do hold (your account email, your site URLs, aggregated bot counts) can be exported or deleted on request — contact support if you need that done.
A leaked tracking ID lets a third party submit fake events for that one site — annoying but bounded. Open the Setup page for the affected site and click Regenerate. The old ID stops working immediately and your installer snippets can be updated with the new one.
Per-site delete is one click in the dashboard. Bulk export of the underlying aggregate tables will be available once the JSON/CSV export endpoint ships (planned).