Privacy Policy

2.1 Account and Registration Information

When you create a CrawlDesk account or register for our Services, we collect:

• •Business contact information (name, email address, phone number, job title)
• •Company and organizational details (company name, size, industry)
• •Account credentials (username, password, authentication tokens)
• •Billing and payment information (processed securely through third-party payment processors)
• •Team member information and role-based access configurations

2.2 Service Usage and Content Data

Through your use of our Ask AI Search, Copilot, and Crawler products, we process:

• •Documentation Content: URLs, web pages, and documentation sources you submit for crawling and indexing through our Crawler product
• •Search Queries: Questions, queries, and search terms submitted by you or your end users through Ask AI Search widgets
• •AI Conversations: Interaction history, conversation threads, and responses generated through our AI-powered Copilot and Ask AI features
• •Widget Configuration: Customization settings, display preferences, and integration parameters for embedded search widgets
• •Usage Metrics: Search volumes, query patterns, response accuracy feedback, and feature utilization statistics

2.3 Technical and System Information

Our Services automatically collect technical information to ensure optimal performance and security:

• •Device and Browser Data: Device type, operating system, browser version, screen resolution, and hardware specifications
• •Network Information: IP address, geolocation data (country/region level), ISP information, and connection type
• •Application Logs: API requests, system events, error reports, performance metrics, and debugging information
• •Security Data: Authentication attempts, access logs, security event records, and threat detection data
• •Cookies and Identifiers: Session cookies, persistent identifiers, and tracking technologies as detailed in our Cookies Policy

2.4 End User Information

When end users interact with search widgets you embed on your websites or applications, we may collect minimal information such as search queries, interaction patterns, and anonymized usage analytics. Enterprise customers retain ownership and control of their end user data and can configure data collection settings through their account dashboard.

3.1 Service Provision and Optimization

We process your information to deliver and enhance our AI-powered Services:

• •Operating the Crawler product to discover, index, and maintain your documentation content
• •Powering Ask AI Search to generate accurate, contextual responses to user queries
• •Enabling Copilot features for intelligent assistance and documentation navigation
• •Generating and embedding customizable search widgets on your platforms
• •Analyzing search patterns to improve response accuracy and relevance
• •Monitoring system performance, uptime, and service reliability

3.2 Account and Relationship Management

We use your information to maintain and support your business relationship with CrawlDesk:

• •Creating and managing enterprise accounts and user profiles
• •Authenticating users and enforcing access controls based on role permissions
• •Processing billing, invoicing, and subscription management
• •Providing technical support, customer success services, and account assistance
• •Communicating service updates, feature releases, and important notifications

3.3 Security and Compliance

We process information to maintain the security and integrity of our Services:

• •Detecting and preventing unauthorized access, fraud, and security threats
• •Conducting security audits, vulnerability assessments, and penetration testing
• •Maintaining audit trails for compliance with regulatory requirements
• •Enforcing Terms of Service and acceptable use policies
• •Responding to legal requests and protecting legal rights

3.4 Analytics and Product Development

We analyze aggregated and anonymized data to improve our Services:

• •Understanding usage patterns and user behavior across our platform
• •Developing new features and enhancing existing functionality
• •Conducting research to advance AI and natural language processing capabilities
• •Measuring service performance, quality metrics, and customer satisfaction

4.1 Zero Training on Customer Data

CrawlDesk does not use your documentation content, search queries, or AI conversations to train artificial intelligence models. This is a fundamental principle of our data processing practices and applies to all customer data across our Ask AI Search, Copilot, and Crawler products.

Your proprietary documentation, end user queries, and conversation histories remain completely isolated and are never incorporated into model training datasets. We process your data solely to provide the Services you have contracted for and maintain strict logical and technical separation between customer data and model development activities.

4.2 AI Provider Contractual Safeguards

CrawlDesk maintains comprehensive data security contracts with all third-party AI and machine learning service providers. These binding agreements include:

• •Training Prohibition: Explicit contractual terms prohibiting the use of customer data for training, fine-tuning, or improving AI models
• •Data Isolation: Requirements for technical and organizational measures to isolate customer data from model training pipelines
• •Zero Retention: Obligations to delete customer data immediately after processing requests, with no persistent storage or logging for model improvement
• •Audit Rights: CrawlDesk's right to audit provider compliance with data protection obligations
• •Breach Notification: Mandatory disclosure of any unauthorized data access or processing violations
• •Subprocessor Restrictions: Limitations on further subcontracting and data flow to additional third parties

4.3 Conversation and Query Privacy

All interactions with our Ask AI Search and Copilot features are private by default and subject to enterprise-grade security controls:

• •Encryption in Transit: All AI requests and responses are encrypted using TLS 1.3 protocol during transmission
• •Encryption at Rest: Conversation histories stored in our systems are encrypted using AES-256 encryption standards
• •Access Controls: Only authorized team members within your organization can access conversation histories, subject to role-based permissions
• •Data Segregation: Complete logical separation between different customer accounts with no cross-contamination of data
• •Retention Controls: Enterprise customers can configure conversation retention periods and data deletion policies

4.4 Documentation Processing

Our Crawler product processes your documentation URLs to create searchable indexes and knowledge bases. This processing is performed exclusively for your benefit and includes parsing content, extracting semantic meaning, and generating embeddings for similarity search. All processed documentation remains within your dedicated tenant environment and is never shared across customer boundaries or used for model training purposes.

5.1 No Sale of Personal Information

CrawlDesk does not sell, rent, or trade your personal information or customer data to third parties for monetary or other valuable consideration. Your data is not a product we monetize.

5.2 Service Providers and Subprocessors

We engage carefully vetted third-party service providers to support our business operations and service delivery. These providers are contractually bound to:

• •Cloud Infrastructure: Hosting and data center services (e.g., AWS, Google Cloud, Azure) for platform operations
• •AI Service Providers: Natural language processing and machine learning infrastructure, subject to the contractual protections described in Section 4.2
• •Security Services: Authentication, encryption, threat detection, and vulnerability management tools
• •Analytics Providers: Product analytics and performance monitoring (using aggregated, anonymized data)
• •Payment Processors: Billing, invoicing, and payment processing services
• •Communication Services: Email delivery, customer support ticketing, and notification systems

All service providers are bound by confidentiality obligations and are permitted to process data only for the specific purposes authorized by CrawlDesk. We maintain a current list of subprocessors, available upon request to enterprise customers.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will provide notice and may seek consent where required by applicable law before transferring personal information subject to a different privacy policy.

5.4 Legal and Regulatory Compliance

We may disclose your information when required by law or in good faith belief that such disclosure is necessary to:

• •Comply with valid legal process (subpoenas, court orders, government requests)
• •Enforce our Terms of Service and other agreements
• •Protect the security or integrity of our Services
• •Protect the rights, property, or safety of CrawlDesk, our customers, or the public

Where permitted by law, we will make reasonable efforts to notify affected customers of legal demands for their data.

5.5 With Your Consent

We may share your information with third parties when you have explicitly authorized such disclosure, such as when integrating third-party applications with your CrawlDesk account or when you direct us to share data with your service providers.

6.1 Technical Safeguards

• •Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest across all storage systems
• •Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection, and network segmentation
• •Access Controls: Multi-factor authentication (MFA), role-based access control (RBAC), and principle of least privilege
• •Secure Development: Security code reviews, vulnerability scanning, and secure software development lifecycle (SDLC)
• •Data Isolation: Logical separation of customer data using multi-tenant architecture with cryptographic isolation

6.2 Organizational Safeguards

• •Personnel Security: Background checks, security training, and confidentiality agreements for all employees
• •Incident Response: Documented procedures for detecting, responding to, and recovering from security incidents
• •Security Monitoring: 24/7 security operations center (SOC) with automated threat detection and alerting
• •Vendor Management: Security assessments and ongoing monitoring of third-party service providers
• •Business Continuity: Disaster recovery plans, backup systems, and redundancy across multiple availability zones

6.3 Compliance and Auditing

• •Audit Logging: Comprehensive activity logs for access, changes, and administrative actions
• •Penetration Testing: Regular third-party security assessments and vulnerability testing
• •Security Certifications: Compliance with industry standards and frameworks (details available in our Security page)

7.1 Retention Periods

We retain your information for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy. Specific retention periods include:

• •Account Information: Retained for the duration of your active subscription plus 90 days after account closure
• •Documentation Content: Retained while your account is active; deleted within 30 days of account termination unless extended retention is requested
• •AI Conversations: Retained according to your configured retention policy (default: 90 days; configurable from 1 day to unlimited)
• •Usage Logs: Retained for 90 days for operational purposes; anonymized aggregates may be retained longer
• •Security Logs: Retained for 365 days to support security monitoring and incident investigation
• •Backup Data: Maintained in encrypted backups for up to 90 days for disaster recovery purposes
• •Billing Records: Retained for 7 years to comply with tax and accounting regulations

7.2 Data Deletion Procedures

Upon request or at the end of applicable retention periods, we employ secure deletion procedures:

• •Cryptographic erasure of encryption keys rendering encrypted data irretrievable
• •Overwriting of data storage locations using industry-standard sanitization methods
• •Deletion from all production systems, backups, and archives
• •Notification to relevant subprocessors to delete customer data in accordance with our agreements

7.3 Legal Hold Exceptions

We may retain information beyond standard retention periods when required for legitimate legal purposes, including compliance with legal obligations, resolution of disputes, enforcement of agreements, or pending litigation. Such retained data is isolated and protected with appropriate access restrictions.

8.1 Data Subject Rights

• •Right of Access: Request confirmation of what personal information we hold and obtain a copy of such data
• •Right to Rectification: Request correction of inaccurate or incomplete personal information
• •Right to Erasure: Request deletion of your personal information (right to be forgotten), subject to legal retention requirements
• •Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
• •Right to Restriction: Request restriction of processing under certain circumstances
• •Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• •Right to Withdraw Consent: Withdraw consent for processing where we rely on consent as the legal basis
• •Right to Lodge a Complaint: File a complaint with your local data protection authority

8.2 Exercising Your Rights

To exercise any of these rights, please contact us using the information provided in Section 14. We will respond to verified requests within:

• •30 days for GDPR requests (extendable by 60 days for complex requests)
• •45 days for CCPA requests (extendable by 45 days where necessary)
• •Timeframes required by other applicable privacy laws

We may require verification of your identity before processing requests to protect against unauthorized access to your information.

8.3 Account Controls

Enterprise customers can manage many privacy settings directly through their account dashboard, including conversation retention policies, end user data collection preferences, data export tools, and team member access controls.

9.1 Legal Bases for Processing

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

• •Contract Performance: Processing necessary to provide the Services under our Master Services Agreement or Terms of Service
• •Legitimate Interests: Processing for business operations, security, fraud prevention, and service improvement (where not overridden by individual rights)
• •Consent: Processing for marketing communications, optional features, and other purposes where we have obtained your explicit consent
• •Legal Obligation: Processing required to comply with applicable laws, regulations, or legal process

9.2 Data Controller and Processor Roles

For customer account and billing information, CrawlDesk acts as the data controller. For end user data processed through our Ask AI Search, Copilot, and Crawler products on behalf of enterprise customers, CrawlDesk acts as a data processor, and our customers are the data controllers.

When acting as a processor, we process personal data only on documented instructions from the controller (our customer) and in accordance with our Data Processing Agreement.

9.3 Data Protection Officer

Enterprise customers and individuals may contact our Data Protection Officer regarding GDPR matters at contact@crawldesk.com.

9.4 Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates the GDPR.

10.1 Transfer Safeguards

We implement appropriate safeguards for international transfers, including:

• •Standard Contractual Clauses: EU Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
• •UK Addendum: International Data Transfer Addendum to the EU SCCs for transfers from the United Kingdom
• •Swiss-US Framework: Adherence to Swiss data protection requirements
• •Data Localization: Optional data residency in specific regions (EU, US, Asia-Pacific) for enterprise customers

10.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for data transfers to countries without adequate data protection laws, implementing supplementary measures such as encryption, access controls, and contractual protections to ensure effective protection.

13.1 Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• •Identifiers (name, email, IP address, account credentials)
• •Commercial information (subscription details, billing records)
• •Internet activity (usage data, search queries, browsing history on our platform)
• •Professional information (job title, company name, business contact details)
• •Inferences (preferences, characteristics, behavioral patterns)

13.2 California Consumer Rights

• •Right to Know: Request disclosure of categories and specific pieces of personal information collected
• •Right to Delete: Request deletion of personal information, subject to exceptions
• •Right to Correct: Request correction of inaccurate personal information
• •Right to Opt-Out: Opt-out of sale or sharing of personal information (note: we do not sell personal information)
• •Right to Limit: Limit use of sensitive personal information (if applicable)
• •Right to Non-Discrimination: Exercise privacy rights without discrimination

13.3 Shine the Light

Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal information to third parties for direct marketing purposes. As stated previously, CrawlDesk does not sell or share personal information for third-party marketing.