WhoCrawls
Log inSign up

Privacy policy

Last updated: 17 May 2026. Effective: launch day, 2026.

This is the privacy policy for WhoCrawls Ltd ("WhoCrawls", "we", "us"). WhoCrawls is operated from Camden, London, United Kingdom. Our contact email is hello@whocrawls.com.

We've kept this policy short because we genuinely don't collect much. If you want the long version, the short version is: we log bot user-agents, we don't log humans.

What we collect

We collect three categories of data.

Bot user-agent data. When an AI crawler (GPTBot, ClaudeBot, PerplexityBot, and similar) visits a site you've added to WhoCrawls, we log the bot's user-agent string, the page URL it visited, the timestamp, and whether its source IP matched the bot owner's published IP range. We do not log the IP itself. We do not store any header that could identify a human visitor.

Account data. If you sign up for a paid plan, we collect your email address (so we can email you), a hashed password (so you can sign back in), the domains you've added, and your Polar customer ID (so we can bill you). That's the full list.

Payment data. Payments are handled by Polar, which acts as the Merchant of Record for your purchase (they are the seller on your statement and handle sales tax / VAT). We never see your card number. Polar sends us a customer ID, a billing email, and webhook events about successful charges, refunds, and subscription state. Polar's privacy policy covers anything they collect from you directly: polar.sh/legal/privacy.

What we don't collect

We don't log end-user IP addresses. Anywhere. Our database schema is audited on every migration by a CI script that fails the build if any column matches *ip*, *cookie*, *session*, *human_*, or uses Postgres inet / cidr types. This is enforced in code, not just in policy.

We don't use cookies for tracking. We use one technical cookie for session authentication on the dashboard and that's it. No third-party analytics, no fingerprinting, no pixels.

We don't sell anything to anyone. We don't share data with advertisers, marketing platforms, or "data partners". There are no data partners.

Why we collect what we collect

Bot user-agent data: it's the product. You're paying us to log it.

Account data: we need an email to send you receipts, an email to send you the weekly digest if you opt in, and your domain list to know which hits belong to your account.

Payment data: we need it to take payment and refund you if you ask.

Legal basis (UK GDPR Article 6)

For paid customers, the legal basis is contract. You've signed up for a service, we process the minimum data needed to deliver it.

For free generator users, we don't collect personal data, so no legal basis is required. The IP rate-limit on the generator is enforced ephemerally at the Cloudflare edge and is not persisted.

Sharing data with third parties

We use these processors:

  • Cloudflare (Workers + DNS): serves the hosted llms.txt endpoint and rate-limits the generator. Cloudflare may see request metadata in transit. They do not see your account contents.
  • Vercel (web hosting): hosts the marketing site and dashboard. They see web requests in transit.
  • Neon Postgres (database): stores your account data and crawler hit logs. Hosted in EU-West-1 (Frankfurt).
  • Polar (payments, Merchant of Record): processes your card and is the seller of record for your purchase. They store payment data per their own privacy policy.
  • Resend (email): sends transactional and weekly digest emails. They see your email address and the email content.

Every processor in this list is a UK GDPR Article 28 processor under a written data processing agreement. We do not transfer personal data outside the UK / EEA except via standard contractual clauses where required.

Retention

Crawler hit logs: Lite customers, 30 days rolling. Pro customers, until you cancel. After cancel, 14 days then permanent delete.

Account data: until you delete your account. We process account-deletion requests within 7 days.

Email: marketing email (the weekly digest, if you opted in) is sent via Resend. You can unsubscribe via the link in every email or by emailing hello@whocrawls.com. Transactional email (receipts, password resets) cannot be unsubscribed because they're required for the service.

Server logs: Vercel and Cloudflare keep their own infrastructure logs for up to 30 days for security and abuse prevention. We do not access these except to investigate abuse.

Your rights under UK GDPR

You have the right to:

  • Access the data we hold about you (email hello@whocrawls.com).
  • Correct any inaccurate data (do it yourself in account settings, or email us).
  • Delete your account and all associated data (account settings, or email us).
  • Object to processing (you can stop using the service any time).
  • Data portability (we'll export your hit log as JSON if you ask).
  • Complain to the UK Information Commissioner's Office: ico.org.uk, helpline 0303 123 1113.

We respond to data subject requests within 30 days. Usually faster.

Children

WhoCrawls is for SaaS founders and developers. It's not designed for, marketed to, or used by anyone under 16. We don't knowingly collect data from anyone under 16. If you believe we have, email hello@whocrawls.com and we'll delete it.

Security

Account passwords are hashed with bcrypt. The dashboard is served over HTTPS only. Database connections use TLS. Polar handles all payment data with PCI-DSS Level 1 compliance.

We are a small team (one person, currently). Security incidents that affect customer data will be disclosed to affected customers within 72 hours, per Article 33 UK GDPR.

Changes to this policy

If we change the policy, the change goes into effect 30 days after we post it. We'll email all paid customers about material changes. Minor changes (typo fixes, clarifications) go in without notice.

Contact

WhoCrawls Ltd
Camden, London, United Kingdom
hello@whocrawls.com

Company number: TBD (registration pending). Data Protection Officer: not required under UK GDPR Article 37 (we're not a public body, we don't conduct large-scale systematic monitoring, we don't process special-category data at scale). Any data protection question goes to hello@whocrawls.com.