Privacy Policy
Last updated: 2026-06-07 · Version 1.0
Crawlmouse grades the internal-linking structure of websites. This policy explains what personal data we collect, why, the lawful bases we rely on, and the choices and rights you have. We’ve written it in plain language; if anything is unclear, email privacy@crawlmouse.com.
Who we are (data controller)
Crawlmouse is operated by Nahl Technologies Inc, a Delaware C-Corporation with its principal office in Indiana, United States (“Crawlmouse,” “we,” “us”). For the purposes of the EU and UK GDPR, we are the data controller of the personal data described here. We are not required to appoint a Data Protection Officer; privacy questions go to privacy@crawlmouse.com.
Data we collect
- Account email. We sign you in with a magic link, so we store your email address to send that link and to identify your account. We do not store passwords because there are none.
- URLs you submit and audit results. When you run an audit we crawl the public pages of the site you submitted and store the resulting structural data — the pages we found, their internal links, anchor text, and the computed grade. This is public structural data, not your private content. Because you choose which site to audit, a URL or its results may contain personal data (for example if you audit your own profile or contact page); see your rights below.
- Billing data (held by Stripe). Pro subscriptions are processed by Stripe. We never see or store your full card number — Stripe handles card data directly. We keep only billing identifiers (a Stripe customer ID and subscription status) so we can tell whether your account is on Pro.
- IP address and anti-abuse signals. To stop bots and abuse we use Cloudflare Turnstile and basic rate limiting, which process your IP address and a challenge token. We may derive a coarse, city-level location from the IP address; we do not collect precise geolocation.
- Product analytics. We use PostHog to understand how the product is used (for example, which steps of the audit flow people complete), including event data, page paths, device/browser type, and a pseudonymous identifier.
- Error telemetry. We use Sentry to capture errors so we can fix them. Error reports can include technical context such as the request path, a stack trace, and an IP address.
Why we use it, and our legal bases (GDPR Article 6)
If you are in the EU/UK, we rely on the following lawful bases, by purpose:
- Provide the service (Art. 6(1)(b) — contract). To create and run your account, perform the audits you request, and provide the paid Pro service.
- Keep the service secure (Art. 6(1)(f) — legitimate interests). Our legitimate interest is preventing abuse, fraud, and overload (Turnstile, rate limiting), fixing errors (Sentry), and understanding and improving the product (analytics). We balance these interests against your rights.
- Comply with law (Art. 6(1)(c) — legal obligation). To keep billing and tax records for the periods the law requires.
- Consent (Art. 6(1)(a)). Where required for non-essential analytics or similar technologies. You can withdraw consent at any time using the “Cookie settings” link in our footer.
Cookies and similar technologies
- Authentication. A first-party session cookie keeps you signed in after you click a magic link. This is essential to the service.
- Security. Cloudflare Turnstile and rate limiting use short-lived tokens to tell humans from bots. This is essential to the service.
- Analytics. PostHog sets identifiers to measure product usage. These are non-essential. For visitors in the EU/EEA and UK, we ask for your consent (via a banner) before loading them and keep them off until you agree; you can change or withdraw consent at any time using the “Cookie settings” link in our footer. Elsewhere they load by default, and you can opt out the same way (or by emailing privacy@crawlmouse.com).
- Session replay. We capture replay only when an error occurs, and we mask text inputs so we don’t record what you type.
Sub-processors
We use a small set of vetted vendors to run Crawlmouse. The current list — each vendor’s purpose, the data it handles, and its region — is published at /subprocessors. Each is bound by a data-processing agreement. We give 30 days’ notice on that page before adding a new sub-processor. We do not sell your personal data to anyone.
International transfers
Crawlmouse and most of our sub-processors are based in the United States, so your data may be processed in the US. Where we transfer personal data out of the EU/UK, we rely on a valid transfer mechanism for each vendor:
- For vendors certified under the EU-US Data Privacy Framework (and its UK extension) — Stripe, Resend, Cloudflare, Vercel, Sentry, and PostHog — we rely on that certification.
- For vendors not certified under the Framework — Supabase and Inngest — we rely on the European Commission’s Standard Contractual Clauses together with the UK International Data Transfer Addendum.
Data retention
- Free-tier audits are deleted automatically 30 days after they are created.
- Account data (your email and billing status) is kept until you request deletion.
- Billing and tax records are kept for as long as applicable law requires, which is generally up to seven (7) years.
- Analytics and error-telemetry data is retained for a limited window in line with each vendor’s defaults; rate-limit and anti-abuse records are short-lived.
Data security
We use appropriate technical and organizational measures to protect personal data (GDPR Article 32), including encryption in transit, passwordless magic-link authentication, access controls and row-level security on our database, anti-abuse protections, and a small, vetted set of sub-processors. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
Automated decision-making
Crawlmouse generates an automated grade for a website you submit. That grade is a technical heuristic about the site’s internal-linking structure. It does not produce legal effects concerning you or similarly significantly affect you, so the rules on solely-automated decisions in GDPR Article 22 do not apply. We’re happy to explain the methodology — just ask.
Your rights
Depending on where you live, you may have the right to access, export (port), correct, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, email privacy@crawlmouse.com.
California (CCPA/CPRA). In the past 12 months we have collected the following statutory categories of personal information, used as described above and disclosed only to the sub-processors at /subprocessors:
- Identifiers — email address, IP address, account and customer IDs.
- Internet/network activity — usage events, error logs, masked error-only replay.
- Commercial information — subscription and billing status.
- Geolocation — coarse, city-level, derived from IP address.
We do not sell or share your personal information for money or for cross-context behavioral advertising, and we do not use or disclose sensitive personal information beyond the purposes allowed by law (so there is nothing to “limit”). California residents have the rights to know, delete, correct, and opt out of sale/share, and the right to non-discrimination for exercising them. You may use an authorized agent to submit a request with proof of authorization; we will verify your identity using information we already hold. If you are a resident of another US state with privacy rights (for example Virginia, Colorado, Connecticut, Utah, or Texas), we extend the same access, correction, deletion, and portability rights to you.
How to exercise your rights, and our timelines
Email privacy@crawlmouse.com. We verify the request (usually by confirming control of the account email) and respond within one month under the GDPR (extendable by two further months for complex requests) and within 45 days under the CCPA (extendable by a further 45 days), erasing your account data on a valid request.
Complaints to a supervisory authority
We’d like the chance to resolve any concern first, so please contact us. You also have the right (GDPR Article 77) to lodge a complaint with a data-protection supervisory authority — in the EU/EEA, your local authority; in the UK, the Information Commissioner’s Office (ico.org.uk).
Data breaches
If a personal-data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority without undue delay and, where the law requires, notify you, in accordance with applicable law.
Children
Crawlmouse is not directed to children. We do not knowingly collect personal data from anyone under 16 (the GDPR default age of digital consent), and in the United States we do not knowingly collect personal data from children under 13 (the Children’s Online Privacy Protection Act, COPPA). If you believe a child has used the service, contact us and we’ll delete the data.
Changes
If we make material changes to this policy we’ll update the “last updated” date and version above and, where appropriate, notify you. Continued use after a change means you accept the updated policy.
Contact
Questions about privacy? Email privacy@crawlmouse.com.