Privacy Policy

Last updated: May 2026

"Crawlstack is a one-person project. I built this tool to help businesses become visible in AI search — not to harvest data. I do not sell your data, share it with advertisers, or use it for anything other than running this service. That is a personal commitment, not just a legal one."

— Fabio Gschweidl, founder of Crawlstack

What Crawlstack scans: When you enter a URL, we fetch and analyse publicly available information on that website — the same content any browser or search engine crawler can see. We check technical signals like robots.txt, structured data markup, HTTP security headers, and page content. We do not access private pages, login-protected areas, or visitor data of the scanned site.

1. Who we are

CrawlStack is an AI Search Visibility Platform operated by the legal entity listed in our Imprint. We can be reached at hello@crawlstack.app.

2. What data we collect and why

Account data

When you register: your email address and a bcrypt-hashed password. Lawful basis: contract performance (Art. 6(1)(b) GDPR).

Scan data

The URL you submit and the audit findings produced by the scan. Anonymous scans (no account) are automatically hard-deleted after 24 hours. Authenticated scans are retained as long as your account is active and deleted when you delete the scan or your account. Lawful basis: contract performance.

Audit findings consist entirely of technical data about the publicly accessible website you submitted (e.g. HTTP headers, robots.txt rules, structured data, page titles). This data describes the website itself — it is not personal data of the website's visitors or of you as a user, and is not subject to GDPR data subject rights.

IP addresses

Stored with each scan to enforce rate limits (3 free scans/day per IP for anonymous users). Not linked to your identity if you are not logged in. Deleted with the scan record. Lawful basis: legitimate interest (abuse prevention).

IP addresses are stored as a one-way cryptographic hash (SHA-256) — they cannot be reverse-engineered to identify you.

Session cookies

A single HTTP-only, secure session cookie is set to keep you logged in. It contains no personal data — only an opaque session ID. This cookie is strictly necessary and does not require consent.

Feedback submissions

If you submit feedback, we store your message, optional name, optional email, and star rating. Lawful basis: legitimate interest (improving the product).

Audit log

Administrative actions on your account (role changes, plan changes) are logged for security purposes. Lawful basis: legitimate interest (security, fraud prevention).

3. What we do NOT do

  • We do not use third-party analytics (no Google Analytics, Mixpanel, or similar).
  • We do not place advertising cookies or tracking pixels.
  • We do not sell, rent, or share your personal data with third parties for commercial purposes.
  • We do not use your scan data to train AI models.

4. Where data is stored

All data is stored on servers located within the European Union. We do not transfer personal data outside the EEA.

5. Data retention

  • Anonymous scan data: deleted automatically after 24 hours.
  • Account and scan data: retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Feedback: retained until manually deleted by an administrator.
  • Audit logs: retained for 12 months.

6. Your rights (GDPR)

Under the General Data Protection Regulation you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your personal data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Restriction — ask us to restrict processing in certain circumstances.

To exercise any of these rights, email us at hello@crawlstack.app. We will respond within 30 days.

7. Right to lodge a complaint

You have the right to lodge a complaint with your national supervisory authority. In Austria: Datenschutzbehörde (dsb.gv.at).

8. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

9. Contact

Questions about this policy? hello@crawlstack.app
