AI Crawl Radar

Privacy Policy

How [LEGAL_ENTITY_NAME] processes personal data.

Draft template. Entity details below come from src/config/legal.ts and still contain bracketed placeholders. This page is not legally binding until those are filled in and the text is reviewed by a German/EU lawyer. Last template revision: [YYYY-MM-DD].

Last updated: [YYYY-MM-DD]

1. Data controller

The controller responsible for processing your personal data within the meaning of Art. 4(7) GDPR is:

[LEGAL_ENTITY_NAME] ([ENTITY_TYPE])
[ADDRESS_LINE1]
[POSTAL_CODE] [CITY], Germany
Email: [CONTACT_EMAIL]

2. What we store

  • Account. Email, name, password hash, role, email-verification status, last-login timestamp.
  • Organization. Workspace name, slug, membership list with role assignments.
  • Subscription. Plan, status, trial / period end dates, payment-provider identifiers (when a paid provider is connected).
  • Scan results. Score history per domain you audit, including the full audit report payload (robots.txt, llms.txt, bot-access matrix, structured-data findings).
  • Alert rules & events. Rules you configure and the events they emit.
  • Server logs. IP address, timestamp, and request metadata for security and abuse prevention.

Cookies

We set only strictly-necessary and functional cookies. We do not use tracking, advertising, or third-party analytics cookies, so no consent banner or opt-in is required — the notice you saw is informational.

  • Authentication (authjs.session-token, CSRF token) — keeps you signed in. Session-scoped, httpOnly.
  • Guest audit quota — an opaque, randomly-generated identifier that rate-limits free scans without an account. Contains no personal data.
  • reCAPTCHA — set by Google only if we enable the anti-abuse challenge; it protects public forms from bots.

3. Legal bases (Art. 6 GDPR)

  • Art. 6(1)(b) — performance of a contract: account data, subscription data, scan results you request.
  • Art. 6(1)(c) — legal obligation: retention of invoices and tax records.
  • Art. 6(1)(f) — legitimate interest: security logging, abuse prevention, product analytics in aggregated form.
  • Art. 6(1)(a) — consent: marketing emails and any optional analytics; you can withdraw consent at any time.

4. Processors

We use the following sub-processors. Each is governed by a data processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR:

[PROCESSORS — list hosting, email, payment, analytics processors]

5. Retention

Account data is retained for the duration of your subscription and deleted on account closure, subject to legal retention obligations (typically 10 years for invoices under HGB / AO).

Per-domain score history is retained according to your plan'sscore_history_monthslimit (up to 24 months on the top plan). Older rows remain in the database but are hidden until you upgrade; they are permanently purged on account closure.

6. Your rights

Under Articles 15–22 GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • erase your data (“right to be forgotten”);
  • restrict or object to processing;
  • data portability;
  • lodge a complaint with a supervisory authority — in Germany this is the data protection authority of your federal state (Land).

Send requests to [CONTACT_EMAIL]. We respond within one month per Art. 12(3) GDPR.

7. International transfers

Where a sub-processor is located outside the EU/EEA, transfers rely on Standard Contractual Clauses (Art. 46 GDPR) or another approved transfer mechanism. The current list is in section 4 above.

8. Changes

We update this policy as the Service evolves. Material changes will be announced via email or in-app. The current version date is shown at the top of this page.