Privacy policy

Last updated: 1 April 2025

Data controller

Data controller: Brandon Kay, trading as Crawwwl.

What we collect

crawwwl collects the minimum data necessary to provide the service.

  • Email address: collected when you create an account, via Supabase Auth. Used for authentication and account-related communication. Never used for marketing without explicit opt-in.
  • Audit results and scores: when you run an audit, the resulting report and scores are stored in our database, linked to your account. This is necessary to provide the audit history feature and to allow you to retrieve past reports.
  • Project names: the name of the project you audit is stored alongside the audit record.
  • Credit transactions: records of credit top-ups and usage are stored to maintain accurate account balances.

Source code files are sent to our API for processing and are immediately discarded after the audit completes. They are never stored in our database.

What we do not do

  • We do not sell your data.
  • We do not use your data to train AI models.
  • No page view tracking or analytics cookies
  • No third-party advertising or tracking scripts
  • No device fingerprinting

How data is stored

All data is stored in Supabase, a Postgres-based cloud database with row-level security enabled. Data is stored in the EU (AWS eu-west-2). Supabase's infrastructure is SOC 2 Type II certified.

Authentication is handled by Supabase Auth. Passwords are never stored in plaintext.

Sub-processors

We use the following third-party services to operate crawwwl:

  • Supabase: authentication and database storage. EU-hosted, SOC 2 certified. supabase.com/privacy
  • Stripe: payment processing. PCI DSS compliant. We never handle or store raw card data. All card entry is handled by Stripe's hosted interface. stripe.com/privacy

Your source code

When you run an audit, the contents of your source files are sent to our API for processing. Source files are processed and immediately discarded. They are never stored. We do not read your source code for any purpose other than running the audit.

We do not use your code to train AI models.

Data retention

Account data is retained for as long as your account is active. You can request deletion of your account and all associated data at any time by emailing privacy@crawwwl.com. Deletion requests are processed within 14 days.

Your rights under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: you can request a copy of the data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate or incomplete data.
  • Right to erasure: you can ask us to delete your data (the right to be forgotten).
  • Right to data portability: you can request your data in a structured, machine-readable format.
  • Right to restrict processing: you can ask us to limit how we use your data.
  • Right to object: you can object to us processing your data in certain circumstances.

To exercise any of these rights, contact us at privacy@crawwwl.com. We will respond within 30 days.

Cookies

crawwwl uses only functional cookies necessary for authentication (session tokens). No cookies are set for tracking or advertising.

Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page and, where appropriate, notify users by email.

Contact

Questions about privacy: privacy@crawwwl.com