Privacy Policy

Effective date: April 20, 2026

1. Who We Are

CrawlFox ("we", "us", "our") operates the CrawlFox API and dashboard at crawlfox.io. Contact us at privacy@crawlfox.io for any privacy-related requests.

2. Data We Collect

We collect the minimum data needed to provide the Service:

• Account data: email address, bcrypt-hashed password, account creation timestamp
• Usage events: per-request logs including URL scraped, HTTP status, latency (ms), success flag, and API key identifier. No scraped content is retained.
• Session data: short-lived JWT stored in a secure HTTP-only cookie. No persistent tracking cookies.
• Technical metadata: IP addresses in server access logs, retained for 30 days for security and abuse prevention.

3. How We Use Your Data

• Authenticate you and keep your session secure
• Enforce quota limits and bill for usage
• Detect and prevent abuse or fraud
• Send transactional emails (account creation, key rotation) — no marketing without explicit opt-in
• Improve the reliability and performance of the Service

4. Data Sharing

We do not sell or rent your personal data. We share data only with:

• Infrastructure providers (hosting, database) bound by data processing agreements
• Law enforcement when required by valid legal process

5. Data Retention

• Account data: retained while your account is active, then deleted within 30 days of account closure
• Usage events: retained for 12 months for billing disputes, then deleted
• Access logs: 30 days

6. Your Rights (GDPR / CCPA)

Depending on your jurisdiction you may have the right to access, correct, delete, or export your personal data. You may also object to certain processing or request restriction.

To exercise any of these rights, email privacy@crawlfox.io. We will respond within 30 days. For deletion requests, your account and all associated data will be erased within 30 days of verification.

7. Cookies

We use only strictly necessary session cookies. See our Cookie Policy for details.

8. Security

Passwords are stored as bcrypt hashes (cost factor 12). Traffic is encrypted in transit via TLS 1.3. Database access is restricted to the application server network. We will notify affected users within 72 hours of a confirmed data breach.

9. Children

The Service is not directed to users under 16. We do not knowingly collect personal data from minors. Contact us immediately if you believe a minor has registered.

10. Changes

Material changes to this policy will be communicated by email 14 days before taking effect. Continued use constitutes acceptance.