Autocrawl

Privacy

Last updated: 2026-04-27

What we collect

  • Account data: the email address you sign up with and a hashed password (handled by Supabase Auth).
  • Project data: project names, primary domain, and the URLs in the sitemaps you choose to ingest.
  • Google OAuth credentials: the Client ID, Client Secret, and user refresh token you connect for the Indexing API. Secrets and refresh tokens are encrypted at rest with AES-256-GCM before they touch the database.
  • Queue activity: per-URL submission status, response codes, and error messages from Google's Indexing API.
  • Standard server logs: IP address and user agent for security and debugging, retained briefly.

What we don't do

  • We never crawl, scrape, or store the content of pages on your site.
  • We do not sell or share your data with third parties.
  • We never read your Search Console data beyond what's needed to call the Indexing API on your behalf.

How long we keep it

We retain your account, projects, credentials, and queue data while your account is active. You can delete a project (which cascades to its credentials and queue) at any time. To fully delete your account, email davisledsinger829@gmail.com and we'll permanently remove your data.

Google API Limited Use compliance

Autocrawl's use and transfer to any other app of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

  • We request only the minimum OAuth scopes needed: openid, email, and https://www.googleapis.com/auth/indexing. The indexing scope is used solely to call the urlNotifications:publish endpoint on behalf of the authenticated user.
  • We do not transfer Google user data to third parties, except as necessary to provide or improve Autocrawl's user-facing features (Supabase, Vercel listed above), to comply with applicable law, or as part of a merger or acquisition with notice.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless we obtain affirmative consent from the user, it is necessary for security or abuse-prevention purposes, it is required to comply with applicable law, or the data is aggregated and used for internal operations in accordance with the policy.
  • We do not sell Google user data.
  • The encrypted OAuth refresh token and any access tokens are stored at rest with AES-256-GCM encryption and only decrypted server-side at the moment of an Indexing API call.

Subprocessors

  • Supabase: Postgres database and authentication.
  • Vercel: application hosting and cron.
  • Google APIs: Indexing API for URL submissions you initiate.

Contact

Questions, deletion requests, or concerns: davisledsinger829@gmail.com