Last updated: June 1, 2026
Crawlytics tracks AI bots, not visitors. We store the minimum data needed to operate the service for you — your account, your sites, your subscription, and aggregate counts of bot traffic. We don't store IPs, set cookies (beyond the auth session), use trackers, or sell data to anyone.

| Data | Why |
|---|---|
| Account email + bcrypt password hash | NextAuth credentials authentication. |
| Site name, URL, sitemap URL | Per-site context for crawling and the dashboard. |
| Per-site tracking ID | Write key for the ingest endpoint. Rotatable. |
| Crawled page text (HTML → markdown) | Powers /llms.txt and per-page /md/ endpoints. |
| Detected stacks + per-site metadata | Auto-configures the WebMCP snippet. |
| Daily aggregate bot-hit counts (per site, bot, source) | Bot tracking + AI referrer surfaces. |
| Stripe customer + subscription IDs | Billing. Cards stored at Stripe, never on Crawlytics. |
| Outbound email log (recipient, kind, status, Resend ID) | Diagnostics for the activation email. |

The ingest endpoint at /api/track/<trackingId> doesn't even receive visitor IPs — each installer's POST payload contains only path, user-agent, referrer, source, and timestamp. There is no IP field to log, hash, or accidentally store.
When customers install our snippet on their sites, the loader runs in the visitor's browser and POSTs to Crawlytics only when (a) the browser supports WebMCP and an AI agent invokes a configured tool, or (b) a payment-success URL is detected for conversion attribution.
For conversion attribution, we receive only the payment provider name and the session/transaction identifier (e.g. a Stripe checkout session id). No personal data. Tool invocations are logged with metadata (tool name, success/failure, latency) — we never log tool inputs (which routinely contain customer emails, addresses, and messages).
Payment cards are collected and stored by Stripe. Crawlytics receives a Stripe customer ID and subscription ID for your account but never the card number, CVV, or full PAN. Refer to Stripe's privacy policy for how they handle payment data.
We use Resend to send transactional email (account activation, password resets, billing receipts). Resend processes the recipient address and message contents to deliver. We do not send marketing email unless you explicitly opt in.
Some features (agent-readiness audit, content generation) send your crawled page text to AI providers — currently Anthropic. We use the providers' API offerings (not their consumer products); under their data policies the API does not train on your data. We may add other providers in the future and will list them here.
The only cookie we set is the NextAuth session cookie used to keep you logged in. It's HTTP-only, Secure, SameSite=Lax, and contains a signed JWT — no personal data. We don't use analytics cookies, advertising cookies, or third-party tracking.
You can, at any time:
If you're in the EU/EEA, UK, or California, you have the right to request a copy of your data, to deletion, and (where applicable) to data portability and to object to processing. Email [email protected] and we'll respond within 30 days.
We retain account data while your account is active. After account closure, we delete personal data within 30 days, retaining only what we're legally required to keep (e.g. financial records for tax purposes — typically 7 years). Aggregate bot-traffic counts may be retained indefinitely in anonymized form for service-quality analysis.
Passwords are bcrypt-hashed at cost factor 13. The database runs in a private network and is encrypted at rest. All connections to crawlytics.app use TLS 1.2+. Webhook signatures from Stripe and Resend are cryptographically verified before processing. We follow OWASP guidelines for input validation, SSRF prevention, and CSRF protection.
The service is not directed to anyone under 18. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with data, contact us and we will delete it.
If you process personal data of EU/UK residents on your site and use Crawlytics to crawl, audit, or serve content from those pages, you may need a Data Processing Agreement in place with us to satisfy your own GDPR obligations. A DPA covering Article 28 requirements (including Standard Contractual Clauses for international transfers, our sub-processor list, security measures, and breach-notification timelines) is available on request — email [email protected] with your company name and we'll send a templated agreement within two business days.
Crawlytics is operated from the United States. If you access the service from outside the US, your data will be transferred to, processed, and stored in the US. Standard Contractual Clauses apply where required by EU/UK law.
We may update this policy. Material changes will be announced via email to your account address at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
Questions about this policy or your data? Email [email protected].
Banks Digital LLC · operator of Crawlytics