Privacy Policy

Last updated: April 1, 2026

This Privacy Policy describes how CRWLR Ltd. ("CRWLR", "we", "us") collects, uses, and protects information when you use our firewall audit platform ("Service").

1. What We Collect

Account Information

  • Email address (for authentication and notifications)
  • Organization name (for multi-tenant isolation)
  • Payment information (processed by Stripe — we never store card numbers)

Firewall Configuration Data

  • Raw configuration files are never stored. Parsed in memory, discarded immediately after analysis.
  • We store normalized analysis results only: policy structure (zone names, service names, profile assignments), findings, and device metadata (hostname, firmware version).
  • Passwords, pre-shared keys, private keys, and SNMP secrets are never extracted. This is an architecture decision — the system has no fields for them.

For full technical details on what we read, skip, and how scans are isolated, see our Security page.

Usage Data

  • Pages visited, features used, scan frequency
  • Browser type, device type, general location (country level)
  • Error logs and performance metrics

2. How We Use Your Information

  • Provide the Service: Analyze configurations, generate findings, deliver reports
  • Security alerts: Notify you of new vulnerabilities affecting your firmware versions
  • Support: Respond to your requests and troubleshoot issues

3. What We Do NOT Do

  • We do not sell your data to third parties
  • We do not share your configuration data with other customers
  • We do not use your data for advertising
  • We do not train AI models on your individual configuration data

4. Data Security

We implement encryption in transit and at rest, tenant-level database isolation, and sandboxed scan processing. For full technical details, see our Security page.

5. Data Retention

  • Raw configurations: Never stored (parsed in memory, discarded)
  • Scan results & account data: Duration of subscription + 30 days
  • Anonymized aggregates: Retained indefinitely for service improvement (can never identify you or your network)

You may request deletion of all your data at any time. We process deletion requests within 30 days.

6. GDPR (EU Customers)

  • Legal basis: contract performance and legitimate interest
  • Data processed in the EU (Frankfurt)
  • Your rights: access, correct, delete, export, object, complain to your DPA
  • Data Processing Agreement available on request for enterprise and MSP customers

7. Sub-Processors

Provider    Purpose                             Location
Supabase    Database, authentication            EU (Frankfurt)
Render      API hosting                         EU (Frankfurt)
Vercel      Web hosting                         Global CDN
Stripe      Payment processing                  EU/US
Resend      Transactional email                 US
Anthropic   AI summary (optional, opt-in)       US*

*AI summaries are opt-in. When enabled, only structured analysis outputs (findings, scores, check results) are sent to Anthropic — never raw configuration data, IP addresses, or network topology. Anthropic does not retain inputs for model training under our API agreement.

8. Cookies

Essential cookies only (authentication, session). No advertising or tracking cookies. No third-party analytics.

9. Changes

We may update this policy. We will notify you of material changes via email or in-app notice.

10. Contact

privacy@crwlr.io

Version History

  • April 1, 2026 — Added cookie consent banner; clarified Anthropic data handling (opt-in, no raw config sent, no training); added version history
  • March 30, 2026 — Initial version