crawlfix.ai

Privacy policy

Last updated May 7, 2026

The short version

Crawlfix is a read-only audit tool. We scan URLs you tell us to scan, and we store the audit results so you can come back to them. We do not sell data to third parties, we do not have access to your codebase, and we do not run scans we were not asked to run.

What we collect

Account data. Email, account id, optional display name, sign-in timestamps. Created when you click a magic link to sign in or call register_account from MCP.

Scan inputs. The URLs you submit to be audited and any options you set on the scan form (mobile viewport toggle, etc.).

Scan outputs. The raw HTML our crawler fetched from your URL, the rendered DOM after Chromium loaded the page, a screenshot, a list of detected issues, and an AI verdict generated from those signals. These are stored against your account so you can revisit them.

Payment data. Handled by Stripe. We never see card numbers or CVCs. We store a Stripe customer id, your subscription state, and per-audit credit records so we know what you have access to.

Operational data. Token last-used timestamps, session IPs and user agents (for revocation and abuse triage), HTTP request logs from our hosting provider.

What we do not collect

We do not access source code repositories, even when you connect one through the optional link_repo MCP tool. That flow grants us read-only metadata for the repo URL. We do not clone, read, or modify your code.

We do not run analytics scripts that fingerprint visitors. The marketing site uses first-party logs only.

How we use what we collect

  • To run the audits you ask us to run and show you the results.
  • To enforce per-account rate limits, plan caps, and tier gates.
  • To detect abuse (private-IP scan attempts, signup spam, token reuse from many IPs).
  • To send transactional email: sign-in links, alert digests you opt into, billing receipts.
  • To improve detection rules and fix recipes. We do not train third-party models on your scan content.

Subprocessors

The third parties that touch your data when you use Crawlfix:

  • DigitalOcean. Hosting, MongoDB, GenAI inference for fix-recipe generation.
  • Stripe. Payment processing, billing portal, invoices.
  • Resend. Transactional email (magic links, alerts).
  • Cloudflare. DNS for crawlfix.app and crawlfix.ai.
  • Optional, on request. GitHub OAuth for repo linking. Perplexity / SerpAPI for AI-visibility tracking. These run only when you opt in.

Retention

Scan results are retained for the lifetime of your account. You can delete an individual scan from the dashboard. Closing your account removes scan content within 30 days; billing records are retained as required by tax law.

Magic-link tokens auto-purge 15 minutes after issue. Browser sessions are revoked on sign-out and auto-expire after 30 days of inactivity. Anonymous-unlock cookies expire after 30 days.

Your rights

You can delete your account and all data from Settings > Danger zone. The button schedules deletion immediately and finalizes 30 days later, giving you a grace window to change your mind. Active subscriptions are cancelled automatically at the end of the current period.

EU and California residents have additional rights under GDPR and CCPA respectively. The self-serve flow above already covers the main ones (right to deletion, right to portability via the JSON export). For anything we cannot action through the dashboard, email [email protected].

Contact

Crawlfix is owned and operated by Faction Community, LLC. Privacy questions, deletion requests, breach reports, and anything else go to [email protected].