Privacy Policy

Last updated: May 14, 2026

1. Introduction

CrawlSense ("we", "our", or "us") is a SaaS platform operated by Enric Ramos (autónomo), with registered address in Spain. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at crawlsense.com, our iOS and Android mobile apps ("CrawlSense" on the App Store and Google Play), and related services.

2. Information We Collect

Account Information: When you register, we collect your name, email address, phone number, and billing information (company name, VAT/CIF number, address).

Usage Data: We automatically collect information about how you interact with the platform, including pages visited, features used, crawl configurations, and timestamps.

Website Crawl Data: When you configure a site for analysis, our crawler accesses publicly available pages on your specified domains. We store technical SEO data, page content hashes, link structures, and metadata. We do not store full page content beyond what is necessary for analysis.

Google User Data (Search Console & Analytics): If you connect Google Search Console or Google Analytics to a site, we receive search performance data (queries, clicks, impressions, positions) and traffic analytics (sessions, page views, bounce rate, device categories) via OAuth 2.0 read-only access. We only store aggregated metrics — we do not retain raw query-level data or individual user-level events. This data is used exclusively to enrich the SEO analysis you see in the platform, never for advertising, never resold, and never used to train AI/ML models. See section 9 for the full Google User Data disclosure.

Bing Webmaster Tools Data: If you provide a Bing Webmaster Tools API key, we fetch page-level and query-level statistics (clicks, impressions, average position, top queries) from the Bing Webmaster API. We only store aggregated metrics in your workspace and do not send this data to any third-party AI provider; it is used only to display the Bing performance panels in your CrawlSense workspace.

Payment Information: Payments are processed by Stripe. We do not store credit card numbers. Stripe's privacy policy applies to payment data.

3. How We Use Your Information

  • To provide, maintain, and improve the CrawlSense platform
  • To process your subscription and billing
  • To send transactional emails (account confirmation, billing receipts, crawl notifications)
  • To generate SEO analysis reports and AI-powered insights for your sites
  • To enforce subscription limits and manage your account
  • To detect and prevent fraud, abuse, or security issues

4. Data Storage and Security

Your data is stored on servers located in the European Union. We use industry-standard security measures including:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Two-factor authentication (TOTP) for account access
  • Regular security audits and monitoring
  • Access controls and audit logging for all data operations

5. Data Retention

We retain your account data for as long as your account is active. Crawl data is retained for the duration of your subscription. Upon account deletion, all personal data and crawl data is permanently deleted within 30 days. Billing records may be retained for up to 5 years as required by Spanish tax law.

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Data portability — receive your data in a structured format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time

To exercise any of these rights, contact us at support@crawlsense.ai.

7. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. Google Analytics integration, when enabled by you, is subject to Google's cookie policy.

8. Third-Party Service Providers

We use the following third-party services:

  • Stripe — Payment processing (Privacy Policy)
  • Google APIs — Search Console and Analytics integration (Privacy Policy)
  • Google Cloud Platform (GCP) — Hosting and data storage in the EU (europe-southwest1 region) (Privacy Notice)
  • Microsoft Bing Webmaster Tools — Page and query statistics via Bing Webmaster API (Privacy Statement)
  • Anthropic (Claude) — AI-powered SEO insights (Privacy Policy)
  • Sentry — Crash and performance diagnostics for the web app and the iOS/Android mobile apps. We send anonymised stack traces, your user ID, and email address so we can correlate reports to a specific account when you contact support (Privacy Policy).
  • Google Firebase Cloud Messaging (FCM) — Push notification delivery to the mobile apps. We send the FCM registration token, the notification payload, and the destination user ID (Privacy Policy).
  • Apple Push Notification service (APNs) — Underlying transport for iOS push (operated by Apple, not configurable by us) (Privacy Policy).

9. Mobile Apps (iOS and Android)

The CrawlSense mobile apps consume the same backend as the web platform — anything signed-in users see in the web app is what the mobile apps render. Everything described in sections 2–7 applies. The mobile-specific points below cover what the apps additionally collect or store on the device.

Data we collect from the mobile app:

  • Account credentials. Email and password (or Sign in with Apple / Google identity token) sent securely to our backend at sign-in. We never store plaintext passwords.
  • Authentication tokens. After a successful login the backend issues a short-lived access token and a refresh token. Both are stored on the device inside the iOS Keychain (Android Keystore on Android) via expo-secure-store. They are sent with every API request to identify your account.
  • Push notification token. When you grant notification permission, Firebase Cloud Messaging issues a per-device registration token. We send that token to our backend, linked to your user ID, so we can deliver alerts about crawls finishing, ranking drops, or Web Vitals regressions. Revoking the iOS / Android notification permission, or toggling "Notifications" off in Profile, removes the token from your account.
  • Crash and performance diagnostics (Sentry). When the app crashes or hits an unhandled error we send a stack trace, app version, OS version, device model, locale, and the active user ID + email to Sentry so we can debug and notify you. We do not send IP address (sendDefaultPii: false). A small sample (10%) of normal performance traces is also sent in production for monitoring; same scope as crash reports.

Data stored only on the device:

  • Biometric unlock state. If you enable "Unlock with Face ID / Touch ID", a flag is saved locally. The biometric template itself is held by Apple's Secure Enclave (or Android Keystore) and never reaches our servers or any third party.
  • Cached app data. The list of your sites, recent crawls and analytics responses are cached locally with TanStack Query (in AsyncStorage) so the app can render instantly on cold start. The cache is wiped on logout.
  • Notification preferences and last-seen locale / app version. Small flags used to decide whether to re-register your push token after an update.

Permissions the app may request:

  • Notifications — to deliver crawl, ranking, and Web Vitals alerts. You can revoke this in iOS Settings → CrawlSense → Notifications (or Android Settings → Apps → CrawlSense → Notifications) at any time.
  • Face ID / Touch ID — only used locally to unlock the app when you enable biometric lock. Apple / Google never share the underlying biometric data with us.

Sign in with Apple:

If you choose "Continue with Apple", Apple shares your name and either your real email or an Apple-generated private relay email. We store only what Apple shares with us; if you ever decide to stop using Apple SSO you can revoke the connection at appleid.apple.com.

Tracking across other apps and websites:

We do not use the iOS App Tracking Transparency framework. We do not link your data with data from third-party apps or websites for advertising purposes, do not share device identifiers with data brokers, and do not display advertising inside the apps.

Children:

CrawlSense is a B2B / professional SEO tool, not directed at users under 13. We do not knowingly collect data from children.

10. Google User Data — Disclosure and Limited Use

CrawlSense's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Who has access to your Google user data:

  • CrawlSense systems running on Google Cloud Platform (GCP), europe-southwest1 region. GCP acts as our hosting and data-storage subprocessor for the same data we receive from your Google account. No human at Google reviews this data.
  • Anthropic (Claude API) — when you trigger AI Insights, aggregated Search Console and Analytics metrics (clicks, impressions, sessions per URL, top queries, device/country breakdowns) are sent to Anthropic to generate written recommendations. We do not send raw user-level events. Anthropic processes this data under their commercial terms and data usage policy, which prohibit training models on customer data.

What we do NOT do with Google user data:

  • We do not sell or share your Google user data with brokers, advertisers, or any third party outside the subprocessors listed above.
  • We do not use it to serve advertising, retargeting, or any form of marketing.
  • We do not transfer it to AI/ML providers for the purpose of training their models.
  • We do not access your Google user data manually, except (a) with your explicit one-time consent for support, (b) to comply with a legal obligation, or (c) to investigate a verified security incident.

Revoking access:

You can revoke CrawlSense's OAuth access at any time from https://myaccount.google.com/permissions or from the integrations panel inside your CrawlSense workspace. Revoking immediately stops further data retrieval; any cached aggregated metrics on our side are deleted within 30 days.

11. Contact

For any privacy-related questions or requests:

Data Controller: Enric Ramos

Email: support@crawlsense.ai

Supervisory Authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es