How Crawlux handles your data.
This privacy policy explains what data Crawlux collects, how we use it, who we share it with, how long we keep it and what rights you have. It is written in plain language, with formal definitions where needed.
01 Who we are
Crawlux is a SaaS audit tool operated by TG3 Agency (also known as The Group Three). For the purposes of GDPR and CCPA, the data controller is TG3 Agency, with offices in London and Dubai.
London, United Kingdom
124-128 City Rd
London EC1V 2NJ
United Kingdom
Dubai, UAE
Levels 20, 48 Burj Gate Towers
Dubai
United Arab Emirates
This privacy policy applies to crawlux.com, the Crawlux web dashboard, the Crawlux audit engine and any associated documentation or communication. It does not apply to third-party websites linked from Crawlux content.
In plain language
TG3 Agency built Crawlux. This policy covers data we handle when you use crawlux.com or run audits.
02 Data we collect
We collect three categories of data: data you provide directly, data generated by your use of Crawlux and data we collect automatically through standard web technologies.
Category 01
Data you provide directly
- Email address for audits, accounts and newsletter subscriptions
- Domain names you submit for audit
- Payment details (Stripe handles cards)
- Optional company name, role, billing address
- Communications to support, press, partner emails
Category 02
Data generated by your use
- Audit results for your domains (JSON output)
- Webhook configurations and delivery logs
- API key usage records (when API ships Q4)
- Account activity logs and audit triggers
Category 03
Data collected automatically
- IP address and approximate location
- Browser, OS and device type
- Referring URL and pages viewed
- Visit time and duration
- Functional cookies for the dashboard
In plain language
Email, domains you audit, payment data (handled by Stripe) and standard web analytics. Nothing surprising.
03 How we use data
We use the data we collect for the following specific purposes. Each purpose is tied to a legal basis under section 4.
Service delivery
Running audits on the domains you submit and delivering the resulting reports.
Account management
Creating and maintaining your account, processing payments, sending receipts and managing subscriptions.
Service improvement
Analyzing aggregated audit data (anonymized) to calibrate the methodology and improve the audit engine.
Communications
Audit completion notifications, follow-up emails, product updates and (where you opt in) marketing communications.
Security and fraud prevention
Monitoring for unauthorized access, abuse of the service and fraudulent payment activity.
Legal compliance
Responding to lawful requests from authorities, enforcing terms of service and protecting our rights.
In plain language
We use your data to run audits, manage accounts and improve the methodology. We do not sell your data.
04 Legal bases for processing
Under GDPR we rely on the following legal bases when processing your data. Each purpose listed in section 3 maps to one of these.
| Legal basis | When we rely on it |
|---|---|
| Contract | To deliver the audit service you purchased and manage your account. |
| Legitimate interest | To improve the methodology, prevent fraud, secure the service and send service-related notifications. |
| Consent | For optional marketing communications, non-essential cookies and any data processing not covered by other bases. |
| Legal obligation | To comply with tax, accounting and other legal requirements applicable to TG3 Agency. |
05 Third-party processors
Crawlux uses third-party services to operate. Each processor receives only the minimum data needed for its function. The complete list is below.
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details, billing address |
| DataForSEO | Backlink and SERP data for audits | Audit domain names only |
| CoinGecko | Crypto market data for audits | Audit domain names and token references |
| DefiLlama | DeFi protocol data for audits | Audit domain names and protocol references |
| Anthropic | Audit analysis and AEO testing | Audit domain content and test prompts |
| OpenAI | AEO citation testing | Test prompts only (not your account data) |
| Perplexity | AEO citation testing | Test prompts only (not your account data) |
| | PageSpeed Insights and analytics | Audit domain names and aggregated visitor data |
| Brevo | Newsletter delivery and double opt-in confirmation | Email address you submit to the subscribe form |
| Postmark | Transactional email (audit reports, billing receipts, password resets) | Email address and message content |
| Cloud hosting | Infrastructure for the audit engine and dashboard | All operational data (encrypted at rest and in transit) |
We have data processing agreements in place with each processor where required by GDPR. Updates to this list are versioned in this policy and reflected on the partners page.
06 Cookies and tracking
We use cookies and similar technologies for two purposes only: making the dashboard work and understanding aggregate site usage.
Strictly necessary cookies
Required for the dashboard to function. Store session tokens, authentication state and UI preferences. Cannot be opted out without losing dashboard functionality.
Analytics cookies
Privacy-respecting analytics to understand traffic and visitor flow. Aggregated data not linked to individuals. Opt out via the cookie banner shown on first visit.
No advertising cookies
Crawlux does not use third-party advertising cookies. We do not run retargeting campaigns. We do not share user data with advertising networks.
07 Data retention
We retain different categories of data for different periods based on the purpose. The visualization below shows relative retention periods at a glance, followed by the precise table.
Retention period comparison (scale: 0 to 7 years)
| Data category | Retention period |
|---|---|
| Audit results (JSON) | 2 years from audit date, then archived in anonymized form for methodology calibration |
| Account data | Until account deletion plus 90 days for backup retention |
| Payment records | 7 years (legal accounting retention requirement) |
| Email communications | 3 years from last interaction |
| Web analytics | 26 months in aggregated form |
| Server logs | 90 days |
You can request earlier deletion via section 8 below. Some retention periods cannot be reduced due to legal obligations (notably payment records, which require 7-year retention for accounting compliance).
08 Your rights
Depending on your jurisdiction you have the following rights regarding your personal data. We honor these rights for all users globally where technically feasible, regardless of jurisdiction.
To exercise any of these rights, email [email protected] with the request. We respond within 30 days. Identity verification may be required for certain requests.
CCPA · California residents
Additional rights apply: right to know what is collected, whether information is sold or disclosed and to whom, plus the right to opt out of the sale of personal information. We do not sell personal information.
09 International transfers
Crawlux operates globally. Your data may be transferred to and processed in countries other than your country of residence, including the United States, the United Kingdom and the United Arab Emirates.
When we transfer personal data outside the European Economic Area we use Standard Contractual Clauses approved by the European Commission to ensure equivalent protection.
The third-party processors listed in section 5 operate primarily in the United States. They have committed to appropriate safeguards for international transfers under their respective privacy frameworks.
10 Children
Crawlux is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete the information promptly.
11 Changes to this policy
We may update this privacy policy from time to time. The version number and last reviewed date at the top of this page reflect the current version. Material changes will be communicated via email to active users at least 30 days before the change takes effect.
Historical versions are archived. Email [email protected] to request a previous version of this policy.
12 Contact us
For privacy questions, data subject requests or any other privacy-related communication:
Email for all data subject requests
Response window: 30 days
Identity verification may be required
London office
TG3 Agency
124-128 City Rd
London EC1V 2NJ
United Kingdom
Dubai office
TG3 Agency
Levels 20, 48 Burj Gate Towers
Dubai
United Arab Emirates
For general support, billing or product questions, see the about page for the appropriate contact path.
Read the terms next
The terms of service cover the agreement between you and Crawlux. Read alongside this privacy policy for the full picture.
Privacy policy v1.0 · Effective April 13, 2026 · GDPR and CCPA compliant