Privacy Policy

Last updated: 2026-05-10. Effective date: 2026-05-10.

1. Who we are

Crawlmind (“we”, “us”) provides a tool that crawls websites and audits them for AI-discoverability and traditional SEO. Our operating entity is Crawlmind Inc. (“the Company”), registered in the relevant jurisdiction. You can reach our privacy team at [email protected].

2. What we collect

2.1 Account data

When you sign up we collect: name, email address, hashed password (we never see your plaintext password), organisation name, role within the organisation. If you sign in via OAuth or SSO, we receive your provider profile (name, email, avatar URL, IdP-issued user ID).

2.2 Usage data

We log feature usage (crawl runs, reports generated) and request metadata needed for operating the service: HTTP method, path, status code, user agent, and request IP address. We retain server access logs for 30 days and aggregated usage metrics (counts, not raw events) indefinitely.

2.3 Crawl data

When you run an audit, we crawl the website you specify and store its HTML, generated metadata, and AI-derived analysis. You control what we crawl and own the resulting reports. We do not crawl websites you have not explicitly added.

2.4 Billing data

We use Stripe for payments. Card data goes directly from your browser to Stripe — we never store it. We retain Stripe customer ID, subscription state, and invoices.

2.5 Cookies + similar tech

  • Strictly necessary: session cookie (avp_session), CSRF token (header).
  • Analytics: only set after explicit consent via the cookie banner.
  • Marketing: only set after explicit consent.

See our full cookie policy for the list of cookies and storage we use.

3. How we use it

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Provide the service | Contract |
| Send transactional emails | Contract |
| Send marketing emails | Consent (toggle in /me/settings) |
| Improve product / fix bugs | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Detect / prevent abuse | Legitimate interest |

4. Who we share it with

See our sub-processors. The short list: DigitalOcean (compute + object storage), Stripe (billing — only on paid plans), OpenAI or Anthropic (AI enrichment — only when configured as the LLM provider, with the crawled page content sent as the prompt), Sentry (error tracking — only if you opt in via the cookie banner), GitHub (source + CI; no customer data).

5. International transfers

We are headquartered in the United States; some sub-processors are in the EU. For EU/UK data subjects we rely on the EU Standard Contractual Clauses + the UK IDTA addendum. Contact [email protected] for a copy of our SCCs.

6. Your rights

  • Access your data — request a JSON export at any time (POST /me/data-export, also available as a button in /me/settings/privacy).
  • Rectify inaccurate data — edit in product or email [email protected].
  • Erase your data — delete your account from /me/settings/privacy. If you are the sole OWNER of any organisation, you must transfer or delete it first.
  • Object to processing for marketing — toggle off in /me/settings.
  • Lodge a complaint with your local data protection authority.

7. Retention

| Data | Retention |
| --- | --- |
| Account | Lifetime of account; deleted on request within 30 days |
| Crawl reports + analysis (JSON in DB) | 365 days, then archived or deleted on plan limits |
| Crawl reports (rendered PDFs, in object storage) | 180 days |
| Audit logs (platform-admin actions) | Indefinitely while the relevant organisation exists |
| Server access logs | 30 days |
| Database backups (daily host snapshots) | 30 days |

8. Security

TLS in transit, application-layer encryption of SSO + webhook secrets, Argon2id password hashing, role-based access on every protected endpoint, an SSRF guard on the crawler, and an in-app audit log of platform-admin actions. We describe the full picture — including what we have not yet shipped (e.g. end-user MFA, external pen-test, SOC 2) — on the security overview.

9. Children

The service is not directed at users under 16. Don't sign up if you are.

10. Changes

We notify you of material changes 30 days in advance via email + an in-product banner. Non-material changes (typo fixes, additional sub-processor in the same role) update the “Last updated” date only.

11. Contact

[email protected]