This Privacy Policy explains how CrawlSnap Limited ("CrawlSnap", "we", "our", or "us") collects, uses, shares, and protects personal data when you use the CrawlSnap platform, websites, dashboards, marketplace, APIs, and related services (together, the "Services"), available at crawlsnap.com.
This Policy should be read together with our Terms of Service and Refund Policy. By using the Services, you acknowledge the practices described here.
For the personal data described in this Policy, the data controller is:
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and, where it applies to our processing, the EU GDPR. Because CrawlSnap serves customers globally, we apply these standards as a baseline worldwide.
Note on payments. When you buy a paid plan, your purchase is processed by Polar as our reseller and Merchant of Record. Polar acts as an independent data controller for payment data, not as our processor. See Section 9.
We collect the following categories of personal data.
A core function of the Services is to analyse publicly available information from the internet and apply our own processing to produce derived intelligence (such as reputation signals and indicators). This analysis may, incidentally, include personal data that is already publicly available (for example data associated with a domain or IP address). We process such data to provide the Services as described in Sections 3 and 4.
We do not collect or store your full payment card number, card security code, or bank details. Those are handled by Polar and its PCI-DSS-compliant payment processor (Section 9). We do not knowingly collect data from children (Section 11).
Under the UK GDPR we must have a lawful basis for each processing purpose. The table below sets these out.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide the Services | Create and manage your account, authenticate you, issue API keys, run your API queries, return Output, meter usage | Performance of a contract |
| Billing and subscriptions | Manage plans, renewals, quotas; coordinate with Polar | Performance of a contract; legitimate interests |
| Security, fraud prevention, and abuse detection | Audit logs, rate limiting, detecting credential sharing, quota circumvention, and Acceptable-Use violations | Legitimate interests (keeping the Services and users safe); legal obligation |
| Derived intelligence from public data | Analysing publicly available information to produce insights and indicators that power the Services | Legitimate interests (providing a data-intelligence service), balanced against the rights of data subjects |
| Service communications | Email verification, password resets, security and transactional notices, important service updates | Performance of a contract; legitimate interests |
| Support | Responding to your enquiries | Legitimate interests; performance of a contract |
| Improve and develop the Services | Aggregated/de-identified analytics, troubleshooting, capacity planning | Legitimate interests |
| Marketing (if any) | Optional product news or offers | Consent (you may opt out at any time) |
| Legal and compliance | Responding to lawful requests, enforcing our Terms, establishing or defending legal claims | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You can object to such processing (see Section 7). Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.
When you submit parameters to our APIs (such as URLs, hashes, IPs, or domains), you are responsible for ensuring you have a lawful basis to do so and that your queries comply with applicable law and our Terms of Service. You must not submit special-category personal data or any data you are not authorised to process. In relation to data you submit and the queries you run, you act as a controller in your own right.
We do not sell your personal data. We share it only as described below.
CrawlSnap operates globally, and some of our service providers are located outside the United Kingdom and the European Economic Area (for example in the United States). Where we transfer personal data internationally, we put in place appropriate safeguards required by UK and EU data-protection law, such as the UK International Data Transfer Agreement (IDTA) / UK Addendum and the European Commission's Standard Contractual Clauses (SCCs), together with any additional measures needed to protect your data. You can ask us for more information about these safeguards using the contact details in Section 13.
Subject to applicable law, you have the following rights over your personal data:
You can exercise most of these rights directly in your account (for example updating your profile, or deleting your account) or by contacting [email protected]. We will respond within the timeframes required by law (generally one month under the UK GDPR). We may need to verify your identity first.
If you are unhappy with how we handle your data, you may complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local supervisory authority if you are in the EEA. We would, however, appreciate the chance to address your concerns first.
We keep personal data only for as long as necessary for the purposes set out in this Policy, after which it is deleted or anonymised. In general:
| Data | Indicative retention |
|---|---|
| Account data | For the life of your account. After account deletion, removed or anonymised within a reasonable period, subject to backups and legal requirements. |
| API request logs (incl. query parameters and client IP) | Retained for a limited operational period for security, troubleshooting, abuse detection, and metering, then deleted or aggregated. |
| Security and audit logs | Retained for a period appropriate to detect and investigate security incidents and abuse. |
| Email verification / reset tokens | Short-lived; expire automatically. |
| Billing records | Retained by us and/or Polar as required by tax and accounting law (typically several years). |
Where the law requires a minimum retention period (for example for tax records), we keep the relevant data for that period.
We use carefully selected third parties to operate the Services. The main ones are:
| Provider | Role | Data protection role |
|---|---|---|
| Polar (Polar Software, Inc. and affiliates) | Reseller and Merchant of Record; payment processing, billing, tax, invoicing, refunds | Independent controller. Polar collects payment data directly from you (through its payment processor, Stripe) and shares only limited buyer information with us (such as email, country, and transaction amount); it does not share your card or bank details. Governed by Polar's Privacy Policy and Buyer Terms. |
| Sign-in with Google (OAuth) and bot protection (reCAPTCHA) | Processor / independent controller as applicable | |
| GitHub | Sign-in with GitHub (OAuth) | Independent controller for your GitHub account data |
| Resend | Delivery of transactional emails (verification, password reset, notices) | Processor |
| DigitalOcean | Cloud hosting, compute, and storage for the Services | Processor |
| Cloudflare | Content delivery, DNS, and edge security/DDoS protection | Processor |
We require our processors to protect personal data and to process it only on our instructions. We may update this list as our providers change.
We use a small number of cookies and similar technologies, primarily to make the Services work:
We do not use cookies for cross-site advertising. Where we use any non-essential cookies or analytics, we will ask for your consent where required and provide controls. You can also control cookies through your browser settings, though blocking strictly necessary cookies may prevent you from signing in.
The Services are not directed to, and are not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will take appropriate steps to delete it.
We implement appropriate technical and organisational measures to protect personal data, including password hashing, encryption in transit (HTTPS/TLS), access controls, rate limiting, audit logging, and monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. You are responsible for keeping your account credentials and API keys confidential (see our Terms of Service). If we become aware of a personal-data breach that is likely to affect your rights, we will notify you and the relevant authority as required by law.
For any privacy question or to exercise your rights:
For payment- and billing-related data handled by our Merchant of Record, see Polar's Privacy Policy.
We may update this Privacy Policy from time to time. The "Last updated" date above shows the latest version. If we make a material change, we will provide reasonable notice through the Services or by email before it takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.