Crawlr

Website Privacy Policy

How we handle your data on the Crawlr website — clearly explained.

Website Privacy Policy

This policy explains how we collect, use, and protect personal data when you use the Crawlr website and web portals. It is separate from the Crawlr app privacy policy, which governs the Crawlr iOS app.

1. Who we are

The data controller is Nascent Group Ltd ("Crawlr", "we", "us"), registered in England and Wales (Companies House no. 16259791), registered office 48 Langham Street, London W1W 7AY. We are registered with the UK Information Commissioner's Office (ICO registration ZB961271).

For any privacy question, or to exercise your rights, contact legal@crawlr.com.

2. Scope

This policy covers:

  • the public website at crawlr.com (marketing pages, contact and inquiry forms);
  • the Partner portal (venue and business accounts, billing);
  • the Ambassador portal (ambassador applications and accounts);
  • the admin interface used by our staff;
  • team membership features within partner accounts; and
  • public share pages at crawlr.com/u/[username].

The Crawlr iOS app is covered by a separate app privacy policy. If you only use the app and never the website, that policy — not this one — applies to you.

3. What we collect, why, and for how long

We collect different data depending on how you interact with us. For each category we set out the lawful basis under the UK GDPR and how long we keep it.

Website visitors

  • What: essential and (with consent) non-essential cookies, basic analytics, and your IP address.
  • Why / basis: essential cookies and security logging rely on our legitimate interests (running and protecting the site); non-essential cookies rely on your consent.
  • Retention: security and rate-limiting logs are kept for up to 12 months; cookie lifetimes are listed in Section 4.

Contact and partner inquiries

  • What: the name, email, business/venue details, and message you submit through our contact and partner-inquiry forms.
  • Why / basis: to respond to you and assess a potential partnership — legitimate interests, and steps taken at your request prior to entering a contract.
  • Retention: up to 24 months after our last contact, unless the inquiry becomes an account.

Partner accounts

  • What: account profile, venue information, and billing metadata (subscription tier, billing cycle, renewal/cancellation status, invoice history). Card details are handled by Stripe and are never stored on our servers.
  • Why / basis: to provide the partner service and take payment — performance of a contract; some billing records are kept to meet our legal obligations.
  • Retention: for the life of the account and then up to 7 years for financial records, as required by UK tax law.

Ambassador applicants and accounts

  • What: application details, account profile, and referral/performance statistics.
  • Why / basis: to assess applications and run the ambassador programme — legitimate interests and, where applicable, performance of a contract.
  • Retention: application data for up to 12 months if unsuccessful; account data for the life of the account.

Team members and invitations

  • What: email address, assigned role, and an audit log of team changes.
  • Why / basis: to operate multi-user partner accounts securely — legitimate interests.
  • Retention: for the life of the partner account.

Public share-page data

  • What: the limited profile information shown on a public page at crawlr.com/u/[username] when a user chooses to share it.
  • Why / basis: to provide the sharing feature the user has chosen to use — legitimate interests / at the user's request.
  • Retention: until the user disables sharing or deletes the relevant data.

Security and audit records

  • What: security events, audit logs, and IP addresses used for abuse prevention and rate limiting.
  • Why / basis: legitimate interests (protecting our service and users) and, where relevant, legal obligation.
  • Retention: up to 12 months.

4. Cookies and similar technologies

We use cookies and similar technologies on the website under the Privacy and Electronic Communications Regulations (PECR):

  • Essential cookies are strictly necessary to run the site (for example, to keep you signed in and to protect against abuse). These do not require consent.
  • Non-essential cookies and caching — including page caching and the service worker we register for faster repeat visits — are used only with your consent, which you give through our cookie banner.

You can withdraw consent at any time by clearing your cookies or changing your choice in the banner. Blocking essential cookies may stop parts of the site from working.

5. Who we share data with

We do not sell your personal data. We share it only with the following categories of recipient:

  • Service providers (processors) acting on our instructions:
    • Supabase — database, authentication, and storage hosting.
    • Stripe — payment processing and subscription billing for partners.
    • Fly.io — application hosting and infrastructure.
    • Apple (MapKit) — map display on certain pages.
    • Brevo — transactional email delivery, where email sending is enabled.
  • Law enforcement or regulators, where we are legally required to disclose information.
  • Our staff, on a need-to-know basis, to operate and support the service.

We do not use a third-party application-performance or error-tracking processor for the website; diagnostic logging stays within our own infrastructure.

6. International transfers

Some of our providers process data outside the UK. Where they do, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or EU Standard Contractual Clauses, so your data receives an equivalent level of protection.

7. Your rights

Under the UK GDPR you have the right to: access your data; have inaccurate data corrected; have data erased; restrict or object to processing; data portability; and to withdraw consent where we rely on it. You can also lodge a complaint with the ICO (ico.org.uk), though we'd ask you to contact us first so we can help.

To exercise any right, email legal@crawlr.com. We will respond within one month.

8. Retention summary

Data categoryTypical retention
Security / rate-limiting logsUp to 12 months
Contact & partner inquiriesUp to 24 months after last contact
Partner financial recordsUp to 7 years (UK tax law)
Ambassador applications (unsuccessful)Up to 12 months
Account data (partner / ambassador)Life of the account
Public share-page dataUntil sharing disabled / data deleted

9. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, role-based permissions, audit logging, and rate limiting. Payment card data is handled entirely by Stripe under their PCI-DSS compliant environment.

10. Changes to this policy

We may update this website privacy policy from time to time. Because it covers only the website and web portals, it can change independently of the app privacy policy. The "Last updated" date below the policy shows when it last changed; significant changes will be highlighted on the site.

11. Contact

Questions about this policy or your data? Email legal@crawlr.com or write to Nascent Group Ltd, 48 Langham Street, London W1W 7AY.

Last updated: 1 June 2026

Back to Home