Privacy Policy

We are committed to the highest standards of data protection and transparency. This Policy sets out every aspect of how we collect, use, store, and protect your personal data.

Effective Date: April 9, 2026

1. Introduction, Scope, and Identity of the Data Controller

This Privacy Policy ("Policy") is a legally binding document that governs the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, and destruction of personal data by CrawlWithAI ("we", "us", "our", "Company", "Data Controller", "Data Fiduciary"), a business registered and operating in Mumbai, Maharashtra, India.

CrawlWithAI operates a Shopify application ("the App") and the website located at crawlwithai.com and its subdomains ("the Website"), which together provide AI traffic attribution, AI sitemapping, AI crawler monitoring, and revenue intelligence services to Shopify merchants ("Merchants"). These services are experienced indirectly by the end customers of those Merchants ("End Users").

1.1 Who This Policy Applies To. This Policy applies to all of the following individuals and entities:

  • Visitors who access our Website (crawlwithai.com) for any purpose including browsing, research, or enquiry.
  • Prospective Merchants who sign up for, evaluate, or trial our services.
  • Active Merchants who install and use the CrawlWithAI Shopify App.
  • Former Merchants whose data we continue to hold in accordance with our retention schedules.
  • End Users who visit Merchant-operated Shopify storefronts on which our tracking technology is deployed.
  • Individuals who contact us via email, social media, our contact form, or any other channel.
  • Job applicants, contractors, and partners who provide us with personal data in the course of a commercial or employment relationship.

1.2 Roles Under Data Protection Law. CrawlWithAI acts in different capacities depending on whose data is being processed and for what purpose:

  • Data Controller / Data Fiduciary: In respect of personal data collected directly from Merchants, Website visitors, and individuals who contact us. We independently determine the purposes and means of processing.
  • Data Processor / Data Intermediary: In respect of End User data processed through a Merchant's Shopify storefront, where the Merchant is the Data Controller and we process data on their behalf pursuant to our contractual terms.
  • Joint Controller: In limited scenarios where we and a Merchant jointly determine the purposes and means of processing, we will conclude a joint controller arrangement as required under Art. 26 GDPR.

1.3 Geographical Scope. This Policy applies globally to all personal data we process regardless of where the data subject is located. We comply with the data protection laws of the jurisdictions from which our users access our services, including but not limited to the European Union, the United Kingdom, the United States (including California), Canada, Brazil, Australia, Singapore, and India.

1.4 Acceptance. By using our Website, installing the App, or otherwise interacting with us, you confirm that you have read this Policy in full, understand its contents, and agree to the collection and use of your information as described herein. If you do not agree, you must discontinue use of our services immediately. For Merchants, acceptance is also governed by our Terms of Service.

1.5 Policy Hierarchy. This Policy should be read alongside our Terms of Service, Cookie Policy, and any supplementary privacy notices we provide at the point of collection. In the event of a conflict between this Policy and a supplementary notice, the supplementary notice shall take precedence to the extent of the conflict.

2. Definitions and Interpretation

In this Policy, the following terms shall have the meanings set out below. All other terms shall be interpreted in accordance with their plain English meaning in the context of data protection law.

2.1 Core Data Protection Terms

  • "Personal Data" / "Personal Information" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This includes, but is not limited to, names, email addresses, IP addresses, cookie identifiers, and device fingerprints.
  • "Sensitive Personal Data" / "Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data, and any data defined as "sensitive" under applicable national law including the Indian DPDP Act 2023.
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • "Data Fiduciary" has the meaning assigned to it under the Digital Personal Data Protection Act, 2023 (India), referring to any person who, alone or in conjunction with other persons, determines the purpose and means of processing digital personal data.
  • "Data Principal" has the meaning assigned to it under the DPDP Act 2023, referring to the natural person to whom the personal data relates.
  • "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. Consent is not valid if given under coercion, under a condition of service where refusal would result in denial of service (unless strictly necessary), or through pre-ticked boxes or silence.
  • "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
  • "Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures.
  • "Anonymisation" means the irreversible process of altering personal data in such a way that the data subject can no longer be identified directly or indirectly. Truly anonymised data falls outside the scope of data protection law.

2.2 CrawlWithAI-Specific Terms

  • "Merchant" means any Shopify store owner, operator, or administrator who installs, activates, or uses the CrawlWithAI application on their Shopify store.
  • "End User" means an individual who visits a Merchant's Shopify storefront on which the CrawlWithAI tracking snippet is deployed.
  • "AI Platform" means any artificial intelligence search, assistant, or large language model product or service capable of generating referral traffic, including but not limited to ChatGPT (OpenAI), Gemini (Google DeepMind), Claude (Anthropic), Perplexity AI, Grok (xAI), Meta AI, Microsoft Copilot, You.com, and any successors, derivatives, or similar services.
  • "AI Crawler" means an automated web crawler, spider, or bot operated by an AI Platform for the purpose of indexing, scraping, or training on web content, including GPTBot, OAI-SearchBot, ClaudeBot, Google-Extended, PerplexityBot, Bytespider, CCBot, and any similar bots.
  • "Attribution Data" means data that links a website visit, session, or purchase event to a specific traffic source, including AI Platforms, organic search, paid advertising, social media, or direct navigation.
  • "Session" means a sequence of network requests made by a single browser or client during a defined time window, attributed to a single End User visit.
  • "Tracking Snippet" means the JavaScript code injected into a Merchant's Shopify storefront theme that collects session-level attribution and interaction data on CrawlWithAI's behalf.
  • "Dashboard" means the web-based interface available to Merchants at app.crawlwithai.com for reviewing AI traffic, crawler activity, revenue attribution, and sitemapping data.

2.3 Legal Instruments Referenced in This Policy

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended or supplemented from time to time.
  • "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  • "DPA 2018" means the Data Protection Act 2018 (UK).
  • "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020 ("CPRA"), effective January 1, 2023.
  • "PIPEDA" means the Personal Information Protection and Electronic Documents Act (Canada), S.C. 2000, c. 5.
  • "LGPD" means the Lei Geral de Proteção de Dados Pessoais (Brazil), Law No. 13,709/2018.
  • "PDPA" means the Personal Data Protection Act 2012 (Singapore) as amended.
  • "Privacy Act 1988" means the Privacy Act 1988 (Cth) (Australia) and the Australian Privacy Principles.
  • "DPDP Act" means the Digital Personal Data Protection Act, 2023 (India), Act No. 22 of 2023, and any rules, regulations, or notifications issued thereunder.
  • "IT Act" means the Information Technology Act, 2000 (India), and the Information Technology (Amendment) Act, 2008, and associated Rules including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission for the transfer of personal data to third countries, as updated from time to time (currently Commission Implementing Decision (EU) 2021/914).
  • "DPA" means a Data Processing Agreement entered into between CrawlWithAI and a sub-processor or Merchant setting out the terms of data processing.

3. Categories of Personal Data We Collect

We collect personal data across multiple categories depending on the relationship we have with the data subject. The following is an exhaustive account of the personal data we process.

3.1 Merchant Account and Identity Data

  • Full legal name and business trading name of the Merchant or authorised representative.
  • Shopify store URL (myshopify.com domain and custom domain).
  • Primary email address associated with the Shopify account.
  • Shopify plan type (Basic, Shopify, Advanced, Plus).
  • Shopify store country and default currency.
  • Store creation date and account age.
  • Time zone configuration of the Shopify store.
  • Language and localisation settings.

3.2 Merchant Billing and Subscription Data

  • Subscription plan selected (Free Trial, Monthly, Yearly) and billing cycle dates.
  • Shopify Recurring Application Charge ID (used to manage billing via Shopify Billing API).
  • Billing status (active, cancelled, frozen, pending) and subscription history.
  • Trial start and end dates, and trial conversion status.
  • We do not store, transmit, or process full payment card numbers, CVV codes, bank account numbers, or other financial instruments. All payment processing is handled exclusively by Shopify Payments in accordance with Shopify's PCI-DSS compliance obligations.

3.3 Merchant Store Analytics and Configuration Data

  • Aggregate product catalogue metadata: product IDs, titles, product types, vendor names, and published status. We do not store product descriptions, images, or full inventory data.
  • Anonymised order counts and aggregate revenue figures for attribution reporting.
  • Active sales channels and Shopify theme name (to determine Tracking Snippet compatibility).
  • Dashboard configuration preferences including date ranges, default views, and report filters.
  • App permission scopes granted to CrawlWithAI at the time of installation.
  • Webhook subscription records (order creation, app uninstall events).

3.4 End User Session and Attribution Data (Collected via Merchant Storefronts)

  • IP Address: The full IPv4 or IPv6 address of the End User's device at time of session initiation. IP addresses are partially masked within 1 hour and fully anonymised (replaced with a hashed, non-reversible token) within 24 hours of collection. The full IP address is never stored in our production database.
  • Geolocation (derived from IP): Country and region-level geolocation derived from IP before anonymisation. We do not derive or store city-level, postal code, or precise location data.
  • HTTP Referrer URL: The full URL of the page from which the End User navigated to the Merchant's storefront, including AI Platform URLs (e.g., chatgpt.com, perplexity.ai, gemini.google.com) used for attribution.
  • User-Agent String: The browser and device user-agent string, used to classify sessions by device type (mobile, tablet, desktop) and browser (Chrome, Safari, Firefox, Edge), and to distinguish human visitors from AI Crawlers.
  • Session Identifier: A pseudonymous, randomly generated session token (_cwai_sid cookie) used to link page views within a single visit without identifying the individual.
  • Visitor Identifier: A pseudonymous, randomly generated visitor token (_cwai_vid cookie) stored for up to 90 days, used solely to link returning visits for attribution continuity. This token cannot be reversed to identify the individual without additional information we do not hold.
  • UTM Parameters: URL query parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) captured from the landing page URL.
  • Pages Visited: URL paths (not full URLs including query strings that may contain personal data) of pages visited on the Merchant's storefront during the session.
  • Session Duration and Engagement: Time spent on site, page depth, and whether the session resulted in an add-to-cart or checkout event.
  • Order Attribution Record: A record linking an anonymised order ID, anonymised order value range (bucketed), order timestamp, and the attributed traffic source. We never store customer names, billing or shipping addresses, email addresses, phone numbers, or payment method information associated with orders.
  • AI Crawler Visits: When a visit is identified as an AI Crawler bot rather than a human user, we record the bot user-agent string, timestamp, page visited, and response code. No personal data of human individuals is involved in crawler records.

3.5 Website Visitor Data (crawlwithai.com)

  • IP address (anonymised within 24 hours), browser type, operating system, screen resolution, device type.
  • Pages visited on the Website, time spent, entry and exit pages, referral source.
  • Interaction data: button clicks, form completions, scroll depth (if analytics tools with such capability are deployed).
  • Cookie and local storage data as described in Section 10.

3.6 Contact and Communication Data

  • Full name, email address, and optionally Shopify store URL provided via our contact form.
  • Subject matter and content of the message or enquiry.
  • Metadata of email communications: send/receive timestamps, email client, read receipts (if enabled by the email service provider).
  • Records of all communications exchanged with our support team for quality assurance and dispute resolution purposes.

3.7 Technical and Device Data

  • Log data from our servers: HTTP request method, URL path, HTTP status code, bytes transferred, response time, and originating IP address.
  • Error and crash reports generated by the App or Dashboard, which may include session state information.
  • API request logs: endpoint called, parameters (excluding sensitive values), response code, and timestamp.

3.8 Data We Explicitly Do Not Collect

We do not collect, process, or store any of the following:

  • Government-issued identification numbers (Aadhaar, PAN, passport, driving licence, social security number, national ID).
  • Financial account numbers, credit or debit card numbers, bank account or routing details, UPI IDs, or cryptocurrency wallet addresses.
  • Biometric data of any kind, including facial recognition data, fingerprints, or voiceprints.
  • Health or medical data.
  • Genetic data.
  • Political opinions, trade union membership, religious or philosophical beliefs.
  • Sexual orientation or sex life information.
  • Passwords, authentication credentials, or API keys (we store only cryptographic hashes of tokens where technically necessary).
  • Personal data of children under 18 years of age (see Section 14).
  • Customer names, addresses, or contact details from Merchant order records.
  • Email or messaging content of Merchants' customers.
  • Content of products reviewed, wishlisted, or saved by End Users beyond what is necessary for session-level attribution (e.g., we record that a page was visited but not the product description or price).

4. Methods and Mechanisms of Data Collection

We collect personal data through the following specific mechanisms. Each mechanism is described in full to ensure transparency.

4.1 Shopify OAuth App Installation

When a Merchant installs the CrawlWithAI App from the Shopify App Store, they initiate an OAuth 2.0 authentication flow managed by Shopify. During this process, the Merchant explicitly grants us access to specific API permission scopes. The scopes we request are limited to what is strictly necessary for the App to function:

  • read_orders: To receive anonymised order creation events via webhooks for revenue attribution.
  • read_products: To retrieve product metadata for dashboard filtering and catalogue-level reporting.
  • read_analytics: To access aggregate session data where available.
  • write_script_tags: To inject the JavaScript Tracking Snippet into the Merchant's storefront theme.

We never request write access to orders, customers, or financial data. We never request access to Shopify customer profiles (read_customers scope) as we process End User data through our own Tracking Snippet, not through Shopify's customer database.

4.2 JavaScript Tracking Snippet (Client-Side)

A lightweight, asynchronous JavaScript file hosted on our CDN is injected into the Merchant's Shopify storefront via Shopify's Script Tags API. This snippet executes in End Users' browsers when they visit the Merchant's storefront and is responsible for capturing traffic source signals, maintaining pseudonymous session continuity, and recording purchase attribution events where applicable.

The snippet collects only the categories of data described in Section 3.4 of this Policy. It does not read form inputs, capture keystrokes, record screen or session replay data, access browser storage beyond our own pseudonymous identifiers, or execute outside of pages belonging to the Merchant's storefront. Data captured by the snippet is transmitted securely to our infrastructure over encrypted connections.

4.3 Shopify Server-Side Webhooks

We register webhooks with Shopify to receive real-time event notifications relevant to our service. Upon receiving a webhook, we extract only the minimum data fields necessary for the stated processing purpose and immediately discard all other fields in the payload — including any customer name, address, line item, or payment method data — without writing them to storage.

All webhook payloads delivered by Shopify are verified for authenticity and integrity using cryptographic signatures prior to processing. We act on webhook events only after successful signature verification.

4.4 Server-Side Log Collection

Our web servers and API infrastructure automatically generate access logs for every HTTP request received. These logs contain the originating IP address, request path, HTTP method, response code, user-agent string, and timestamp. Logs are retained for 90 days for security monitoring and then permanently deleted.

4.5 Contact Forms and Direct Communications

When you complete a contact form on our Website, the form data you submit is transmitted via HTTPS to our email delivery API and delivered to our support inbox. Submissions are retained for up to 12 months. We do not use autoresponder services that retain your data indefinitely, and we do not add contact form submitters to marketing lists without explicit consent.

4.6 Cookies and Browser Storage

We use first-party cookies and browser storage technologies as described in full in Section 10 and our Cookie Policy (crawlwithai.com/cookies). We do not use third-party tracking cookies or share cookie data with advertising networks.

4.7 Indirect Collection from Third Parties

We may receive limited personal data from third parties in the following circumstances:

  • Shopify App Store: When a Merchant submits a review or support ticket via the Shopify App Store, Shopify may share the Merchant's contact details and store information with us to facilitate a response.
  • Payment Processors: Shopify may notify us of billing events (subscription renewal, failed payment, refund) through the Shopify Billing API, including the Recurring Application Charge ID and billing status. We do not receive card or bank details.
  • Public Sources: We may review publicly available information about a Merchant's store (e.g., their storefront URL, public product catalogue) for the purpose of providing support or troubleshooting. Such review does not involve systematic scraping or storage of the Merchant's customers' data.

5. Legal Bases for Processing Personal Data

Every processing activity we conduct must and does rest on a valid legal basis. We document our legal bases in accordance with Art. 30 GDPR record-keeping requirements. The following sets out the legal basis for each major category of processing.

5.1 Contractual Necessity — Art. 6(1)(b) GDPR / DPDP Act S.4(1)

Processing is necessary for the performance of a contract with the data subject or to take steps at the data subject's request before entering into a contract. This applies to:

  • Creating and managing Merchant accounts following App installation.
  • Providing AI traffic attribution dashboards, revenue analytics, and AI sitemapping reports.
  • Deploying and operating the Tracking Snippet on Merchant storefronts.
  • Processing Merchant subscription billing through Shopify's Billing API.
  • Sending transactional communications including installation confirmations, billing receipts, and service alerts.
  • Responding to Merchant support enquiries in the course of service delivery.
  • Executing data deletion following App uninstallation (fulfilment of contractual and legal obligations).

5.2 Legitimate Interests — Art. 6(1)(f) GDPR

Processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We have conducted Legitimate Interests Assessments (LIAs) for each applicable processing activity, records of which are available upon request. This basis applies to:

  • Product improvement and analytics: Aggregated, anonymised analysis of how Merchants use our Dashboard to improve features and user experience. Our interest: improving our product. Impact on data subjects: minimal, as only aggregated data is used. Balancing test: passed.
  • Fraud and abuse prevention: Monitoring API usage for abnormal patterns that may indicate account compromise, API abuse, or attempts to circumvent billing. Our interest: maintaining security and commercial integrity. Impact: minimal monitoring of usage metadata. Balancing test: passed.
  • Security and infrastructure monitoring: Server-side access log analysis to identify security threats, DDoS attacks, and system errors. Our interest: protecting infrastructure and data. Impact: automated log analysis, not individual profiling. Balancing test: passed.
  • Service communications: Informing active Merchants of significant product changes, planned maintenance, or new features that are directly relevant to their use of the App. Our interest: keeping Merchants informed to ensure continued service value. Balancing test: passed; Merchants retain the right to opt out of non-transactional communications.
  • Legal claims and dispute resolution: Retaining records of contractual interactions sufficient to establish, exercise, or defend legal claims.

5.3 Consent — Art. 6(1)(a) GDPR / DPDP Act S.6

Where no other legal basis applies, or where applicable law specifically requires consent, we rely on the data subject's freely given, specific, informed, and unambiguous consent. Consent applies to:

  • Non-essential cookies and analytics tracking on our Website (captured via our Cookie Consent Banner).
  • Marketing and promotional communications to Merchants who have not contracted with us or who have opted in specifically to marketing.
  • Any processing of special categories of personal data if such categories are ever provided to us (which we do not anticipate and do not encourage).
  • End User tracking via our Tracking Snippet on Merchant storefronts where the Merchant's own privacy notice and cookie consent mechanism has obtained the End User's consent, as required by applicable ePrivacy law. Merchants are contractually responsible for obtaining valid consent from their End Users prior to deploying our Tracking Snippet in jurisdictions where consent is required.

You may withdraw consent at any time by contacting us at support@crawlwithai.com or adjusting your cookie preferences via our Cookie Banner. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.

5.4 Legal Obligation — Art. 6(1)(c) GDPR / DPDP Act S.7(b)

Processing is necessary to comply with a legal obligation to which we are subject under applicable Indian law, European law, or the laws of other jurisdictions. This applies to:

  • Retention of financial and billing records under the Companies Act 2013, GST Act 2017, and Income Tax Act 1961 (India).
  • Disclosure of data in response to valid court orders, regulatory demands, or law enforcement requests.
  • Data breach notification obligations under GDPR Art. 33-34, DPDP Act, and other applicable law.
  • Compliance with anti-money laundering or counter-terrorism financing obligations if applicable.

5.5 Vital Interests — Art. 6(1)(d) GDPR

In exceptional circumstances where processing is necessary to protect the vital interests of the data subject or another person (e.g., a life-threatening emergency), we may rely on this basis. We do not anticipate relying on this basis in the ordinary course of our operations.

5.6 Note on Special Category Data

We do not intentionally collect special category data and have no legitimate business purpose requiring it. If such data is inadvertently included in communications from data subjects (e.g., in a support ticket), we will delete it at the earliest opportunity. We have not identified any processing of special category data in our operations.

6. Purposes of Processing: How We Use Your Data

We process personal data for the following specific, explicit, and legitimate purposes. We do not process data in a manner incompatible with these purposes (the "purpose limitation" principle).

6.1 AI Traffic Attribution

We analyse the HTTP referrer headers and URL parameters of End User sessions to determine whether a visit to a Merchant storefront originated from an AI Platform (e.g., a user clicked a product link shared by ChatGPT). Attribution events are recorded and presented in the Merchant Dashboard. This is our core service purpose.

6.2 Revenue Attribution and Conversion Tracking

We link attributed session data with anonymised order creation events to calculate the revenue generated from AI Platform traffic. This allows Merchants to understand the commercial value of their AI presence. Individual customer identities are never disclosed in this process.

6.3 AI Crawler Monitoring and Sitemapping

We analyse server-side request logs and Tracking Snippet data to identify visits by AI Crawler bots. When a bot's user-agent matches a known AI Crawler signature (e.g., GPTBot, ClaudeBot, PerplexityBot), we record which pages were crawled, at what frequency, and report this to the Merchant. No personal data of human individuals is involved in crawler-only records.

6.4 Customer Journey Reconstruction

Using the pseudonymous visitor token, we reconstruct multi-session customer journeys — for example, identifying that a visitor first arrived via Perplexity AI, returned directly two days later, and then completed a purchase. This is presented to the Merchant in aggregate and per-session views without revealing individual identities.

6.5 Account Management and Merchant Onboarding

We use Merchant account data to create and manage accounts, configure the App, issue welcome communications, and provide onboarding assistance.

6.6 Subscription Billing and Payment Administration

We use subscription data to manage trial periods, activate and deactivate paid plans, and liaise with Shopify's Billing API for recurring charges. We do not process payments directly.

6.7 Customer Support and Issue Resolution

We use communication data and account data to diagnose technical issues, answer questions, process refund requests, and resolve disputes.

6.8 Security, Fraud Prevention, and Abuse Detection

We monitor API request patterns, log anomalies, and session behaviour to detect and prevent abuse, credential stuffing, API scraping, billing fraud, and other malicious activity directed at our systems or our Merchants.

6.9 Product Development and Quality Improvement

We use anonymised and aggregated usage data to understand how Merchants interact with the Dashboard, which features are most used, where users encounter friction, and how our attribution accuracy can be improved. We do not use individual End User data for product development.

6.10 Legal Compliance and Record-Keeping

We process and retain certain data to comply with tax, corporate, and regulatory obligations applicable in India and other jurisdictions in which we operate or whose laws apply to our activities.

6.11 Communications and Marketing

We send transactional communications (billing confirmations, service alerts, policy updates) without requiring additional consent where such communications are incidental to the service. We send marketing communications (new feature announcements, case studies, promotional offers) only where the recipient has opted in or where applicable law permits soft opt-in to existing customers, and always with a clear and functional unsubscribe mechanism.

6.12 Corporate Transactions

In the event of a merger, acquisition, investment round, restructuring, or asset sale, we may process and disclose data to prospective or actual counterparties subject to appropriate confidentiality obligations and equivalent data protection standards.

7. Data Sharing, Disclosure, and Third-Party Sub-Processors

We do not sell, rent, trade, or broker personal data. We share personal data only as described in this Section and only to the extent necessary.

7.1 Sub-Processors (Third-Party Data Processors)

We engage the following categories of sub-processors who process personal data on our behalf pursuant to written Data Processing Agreements (DPAs) that impose data protection obligations at least equivalent to those in this Policy:

  • Cloud Infrastructure and Hosting Providers: We host our servers, databases, and application infrastructure on cloud platforms. Data stored with these providers is encrypted at rest (AES-256) and in transit (TLS 1.3). Providers operate under DPAs incorporating GDPR-compliant Standard Contractual Clauses for transfers outside the EEA. Current infrastructure providers may include Amazon Web Services (AWS), Google Cloud Platform (GCP), or Vercel. We will update this Policy when infrastructure providers materially change.
  • Content Delivery Network (CDN): Our JavaScript Tracking Snippet is served via a CDN to ensure low-latency global delivery. The CDN provider does not have access to the data transmitted by the snippet.
  • Transactional Email Delivery: We use a third-party email API to deliver transactional emails (contact form notifications, billing confirmations) to our support team. The email provider processes sender and recipient metadata and message content only for delivery purposes. Email content is not retained by the provider beyond delivery.
  • Error Monitoring and Application Performance: We may use an error monitoring tool that captures anonymised stack traces and error metadata when the App or Dashboard experiences a malfunction. Personal data appearing in error messages is filtered prior to transmission where technically feasible.
  • Analytics (Website Only): We may use a privacy-respecting analytics tool on our Website to understand visitor behaviour in aggregate. If personal data is processed by such a tool, we do so only with cookie consent and under a DPA. We do not use Google Analytics 3 (Universal Analytics) or any advertising-network-linked analytics product.

A complete, up-to-date list of our sub-processors is available upon request at support@crawlwithai.com. We will provide advance notice of material additions to our sub-processor list and allow objections where required by applicable law.

7.2 Disclosure to Merchants

End User attribution data is reported to the relevant Merchant exclusively in aggregate and pseudonymised form through the Dashboard. We do not disclose to Merchants: End User names, email addresses, phone numbers, full IP addresses, or any data that would allow the Merchant to individually identify a specific End User from our reports.

7.3 Shopify Inc.

We operate as a Shopify Partner. In operating the App, we interact with Shopify's APIs, and Shopify processes certain App-related data under their own Privacy Policy and Partner Program Agreement. Shopify acts as a separate Data Controller in respect of data processed through its platform. We recommend reviewing Shopify's Privacy Policy at shopify.com/legal/privacy.

7.4 Legal Authorities and Law Enforcement

We may disclose personal data to governmental authorities, courts, regulators, law enforcement agencies, or other third parties where:

  • Required to do so by applicable law or regulation.
  • Required by a valid and enforceable court order, subpoena, or legal process.
  • Necessary to protect the legal rights, property, or safety of CrawlWithAI, our Merchants, End Users, or the public.
  • Necessary to detect, prevent, or address fraud, security breaches, or technical issues in emergency situations.

Where legally permitted, we will notify the affected data subject before complying with such a request and, where appropriate, challenge overbroad or procedurally defective requests. We maintain records of all such disclosures.

7.5 Business Transfers

If CrawlWithAI undergoes a merger, acquisition, joint venture, corporate restructuring, insolvency proceeding, or sale of all or a material portion of its assets, personal data held by CrawlWithAI may be among the assets transferred to the acquirer or successor entity. We will:

  • Notify affected data subjects via email and a prominent Website notice at least 30 days before any such transfer.
  • Ensure the successor entity is bound by data protection obligations at least equivalent to those in this Policy.
  • Where required by law, obtain fresh consent from data subjects before their data is processed for materially different purposes by the successor entity.
  • Provide data subjects with the option to request deletion of their data prior to the transfer taking effect.

7.6 Aggregated and De-identified Data

We may share aggregated, de-identified statistical data (e.g., "AI-referred traffic across all Merchants on our platform increased by X% in Q1") for marketing, research, industry reporting, or business development purposes. Such data contains no personal data and cannot be used to identify any individual or specific Merchant's store.

7.7 Prohibition on Onward Transfer

Our sub-processors are contractually prohibited from using personal data we share with them for their own commercial purposes, sharing it with further sub-processors without our written approval, or retaining it beyond the term of their engagement with us.

8. International Data Transfers

CrawlWithAI is incorporated and operated in India. However, given the global nature of our cloud infrastructure and the international origin of our Merchant and End User base, personal data may be transferred to, stored in, or processed in countries outside of India and outside of the European Economic Area (EEA). We take this responsibility seriously and implement the following safeguards.

8.1 Transfers from the EEA and UK

For transfers of personal data from EEA or UK-based individuals to countries not recognised as providing an adequate level of protection, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): We incorporate the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: Controller-to-Processor) into our DPAs with sub-processors located in third countries. For UK transfers, we use the UK International Data Transfer Addendum (IDTA) issued by the ICO.
  • Adequacy Decisions: Where the European Commission has adopted an adequacy decision in respect of the destination country (e.g., the EU-U.S. Data Privacy Framework for transfers to participating US organisations), we rely on that decision.
  • Transfer Impact Assessments (TIAs): For transfers to countries with potentially conflicting surveillance laws, we conduct Transfer Impact Assessments to evaluate the risk to data subjects and implement supplementary measures where necessary (e.g., end-to-end encryption, data minimisation, access controls).

8.2 Transfers under Indian Law

For transfers involving personal data of Indian residents (Data Principals under the DPDP Act), we comply with the cross-border data transfer restrictions notified by the Central Government of India from time to time. The Government of India maintains a list of countries to which data transfers are permitted. We will update our transfer mechanisms as the DPDP Act's implementing rules are notified and come into force.

8.3 Transfers under CCPA

For data of California residents, the CCPA does not impose cross-border transfer restrictions equivalent to GDPR. However, we ensure that any third parties receiving California resident data provide at least the same level of privacy protection as required by the CCPA and our Privacy Policy.

8.4 Transfers under LGPD (Brazil)

For data of Brazilian residents, cross-border transfers are lawful where the destination country provides an adequate level of protection as determined by Brazil's National Data Protection Authority (ANPD), or where we rely on contractual clauses approved by the ANPD, or where the data subject has given specific consent. We implement SCCs or equivalent mechanisms for such transfers.

8.5 Data Localisation

Where applicable law requires data to be stored within a specific country or region (data localisation requirements), we will implement appropriate technical measures to comply. Currently, Indian law does not impose mandatory data localisation requirements for the categories of data we process, though this position may change as the DPDP Act rules are finalised.

8.6 Your Right to Information on Transfers

You may request a copy of the transfer mechanisms we rely on for international data transfers by contacting us at support@crawlwithai.com. We will provide a redacted copy of relevant SCCs or other instruments within 30 days of your request.

9. Data Retention: How Long We Keep Your Data

We apply the principle of storage limitation: personal data is retained only for as long as is necessary for the purpose for which it was collected or as required by applicable law. The following retention schedules represent our current practice, subject to legal or regulatory changes.

9.1 Merchant Account Data

  • Active account data (name, email, store URL, configuration): Retained for the duration of the active subscription.
  • Post-cancellation: Retained for 90 days following cancellation or App uninstallation to facilitate reactivation requests and address billing disputes. After those 90 days, account data is permanently and irreversibly deleted.
  • Exception — Legal Hold: If a legal dispute, regulatory investigation, or court order requires retention beyond the standard schedule, data is placed on Legal Hold until the matter is resolved, after which standard deletion procedures resume.

9.2 Attribution and Analytics Data

  • Session-level attribution records are retained for 24 months from the date of the session.
  • After 24 months, session-level records are aggregated into monthly statistical summaries (no individual session identifiers) and the underlying session records are deleted.
  • Monthly statistical summaries are retained indefinitely for longitudinal trend analysis.

9.3 End User Identifiers

  • Full IP addresses: Stored in memory only during processing. Never written to persistent storage. Partially masked within 1 hour of receipt. Fully anonymised within 24 hours via one-way hash.
  • Session token (_cwai_sid cookie): Expires at the end of the browser session (session cookie). The corresponding server-side session record is retained for up to 30 days for attribution matching, then purged.
  • Visitor token (_cwai_vid cookie): Cookie expires after 90 days. The corresponding server-side visitor identifier record is retained for up to 90 days from last activity, then purged.

9.4 Order Attribution Records

  • Anonymised order attribution records (containing no personal data) are retained for 24 months alongside session data.
  • Financial figures in aggregate dashboard reports may be retained indefinitely as statistical data.

9.5 Contact Form Submissions and Support Correspondence

  • Retained for 12 months from submission date, or until the relevant enquiry or dispute is fully resolved, whichever is later.
  • If a support interaction relates to a contractual dispute or legal matter, it may be retained for up to 7 years under legal obligation.

9.6 Financial, Billing, and Tax Records

  • Billing records, subscription histories, invoice metadata, and tax records are retained for 7 years from the date of the relevant transaction, as required under the Indian Income Tax Act 1961, GST Act 2017, and Companies Act 2013.
  • For UK/EU Merchants, VAT and equivalent records are retained in accordance with the applicable national law of the Merchant's country.

9.7 Server Access Logs

  • Retained for 90 days for security monitoring, incident investigation, and debugging.
  • In the event of a confirmed security incident, relevant logs may be preserved for up to 2 years as evidence.

9.8 Encrypted Backups

  • Automated database backups are encrypted using AES-256 and retained for 30 days on a rolling basis, after which older backups are automatically overwritten. We do not maintain indefinite backup archives.

9.9 Deletion on Uninstall

Upon receipt of the Shopify app/uninstalled webhook, we initiate an automated deletion workflow that:

  • Revokes the App's Shopify API access token within 15 minutes.
  • Removes the Merchant's store configuration and account data from our live production database within 48 hours.
  • Marks attribution and session data associated with the Merchant's store for deletion, which is completed within 7 days.
  • Retains only such data as is required by the financial and legal retention schedules described above (billing records, legal hold data).

Merchants may request a written confirmation of data deletion by emailing support@crawlwithai.com within 60 days of uninstallation.

9.10 Deletion Methodology

Data deletion is performed by overwriting database records with null values, removing records from production and replica databases, and flagging backup snapshots containing the deleted data for expiry. We do not use cryptographic erasure as a primary deletion method, but all backup media containing deleted personal data will be overwritten within the applicable backup retention period.

10. Cookies, Tracking Technologies, and Online Identifiers

This Section provides a summary of our cookie practices. For the complete and authoritative account, please read our full Cookie Policy at crawlwithai.com/cookies.

10.1 What Are Cookies

Cookies are small text files placed on your device by a website. They allow the website to recognise your device, remember your preferences, and track certain behaviour. We use only first-party cookies (set by us, under our domain) and do not deploy third-party advertising or tracking cookies.

10.2 Cookies Used on crawlwithai.com

  • cwai_cookie_consent — Purpose: Stores your cookie consent choice (accepted/declined). Duration: 12 months. Type: Strictly Necessary / Functional.
  • cwai_session — Purpose: Maintains your authenticated Dashboard session. Duration: Session (expires on browser close). Type: Strictly Necessary.
  • cwai_analytics_* — Purpose: Anonymised Website analytics (if enabled and consented to). Duration: Up to 12 months. Type: Analytics. Requires consent.

10.3 Cookies Deployed on Merchant Storefronts (via Tracking Snippet)

  • _cwai_sid — Purpose: Pseudonymous session identifier. Links page views within a single browser session. Duration: Session. Type: Strictly Necessary for attribution service.
  • _cwai_src — Purpose: Records the attributed traffic source for the session (e.g., "chatgpt.com"). Duration: 30 days. Type: Functional.
  • _cwai_vid — Purpose: Pseudonymous visitor identifier. Enables multi-session attribution (e.g., first click from AI, purchase 3 days later). Duration: 90 days. Type: Functional.
  • _cwai_order — Purpose: Short-lived flag set on order confirmation to prevent duplicate attribution counting. Duration: 24 hours. Type: Functional.

10.4 Local Storage

We use browser localStorage solely on the CrawlWithAI Dashboard (app.crawlwithai.com) to store UI preferences (e.g., selected date range, chart type) that persist between sessions. We do not use localStorage on third-party Merchant storefronts.

10.5 Legal Basis for Cookie Processing

  • Strictly Necessary cookies: Placed without consent on the basis of contractual necessity or legitimate interest. Blocking these cookies will impair or prevent basic website functionality.
  • Functional and Analytics cookies: Placed only with the data subject's prior informed consent obtained via our Cookie Consent Banner or (on Merchant storefronts) via the Merchant's own consent mechanism.

10.6 Managing Your Cookie Preferences

You may manage cookies through:

  • Our Cookie Consent Banner, which allows you to accept or decline non-essential cookies at any time.
  • Your browser settings: all major browsers allow you to view, delete, and block cookies. See your browser's help documentation for instructions.
  • Your operating system's privacy settings (on mobile devices).

Note that blocking strictly necessary cookies may prevent you from logging in to the Dashboard or using certain features of the Website. Blocking cookies on Merchant storefronts will prevent our Tracking Snippet from attributing your visit but will not affect your ability to browse or purchase.

10.7 Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. As there is no universally accepted standard for how websites should respond to DNT signals, we do not currently alter our data collection practices in response to DNT signals. We do, however, provide meaningful consent controls through our Cookie Banner as an alternative.

10.8 Global Privacy Control

We respect the Global Privacy Control (GPC) browser signal, where technically feasible. If your browser broadcasts a GPC signal indicating opt-out of sale or sharing of personal information, we will treat this as a request not to process your data for any purpose other than strictly necessary service provision.

11. Your Rights as a Data Subject

You have extensive rights in relation to your personal data under applicable data protection law. The specific rights available to you depend on your country of residence and the legal framework under which your data is processed. We honour rights from all major frameworks regardless of how you are classified. The following is a comprehensive account of your rights and how to exercise them.

11.1 Rights under GDPR (EEA Residents) and UK GDPR (UK Residents)

  • Right of Access (Art. 15 GDPR): You have the right to obtain confirmation of whether we process personal data about you and, if so, a copy of that data together with information about its purposes, categories, recipients, retention periods, and your rights. We will provide this free of charge, in a commonly used electronic format, within 30 days of receipt of a valid request.
  • Right to Rectification (Art. 16 GDPR): You have the right to require us to correct inaccurate personal data and to complete incomplete personal data without undue delay.
  • Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You have the right to require us to delete your personal data where: (a) the data is no longer necessary for the original purpose; (b) you withdraw consent and there is no other legal basis; (c) you object to processing under Art. 21 and there are no overriding legitimate interests; (d) the data has been unlawfully processed; or (e) deletion is required by EU/UK law. This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to restrict our processing of your personal data where: (a) you contest the accuracy of the data; (b) processing is unlawful but you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of our legitimate interests.
  • Right to Data Portability (Art. 20 GDPR): Where processing is based on consent or contractual necessity and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON, CSV, or similar) and to transmit that data to another controller without hindrance from us.
  • Right to Object (Art. 21 GDPR): You have the right to object at any time to processing of your personal data based on our legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. For other legitimate interest processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights Related to Automated Decision-Making and Profiling (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not make fully automated decisions with significant legal or similar effects based on personal data. Our attribution system produces reports for Merchant review, not automated decisions affecting individuals.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): You have the right to lodge a complaint with the data protection supervisory authority in your EU/UK Member State of habitual residence, place of work, or place of the alleged infringement. Key supervisory authorities include: ICO (UK), CNIL (France), BfDI (Germany), DPC (Ireland), AEPD (Spain), Garante (Italy), AP (Netherlands), UODO (Poland), and others. Contact details are available on the European Data Protection Board website (edpb.europa.eu).

11.2 Rights under CCPA / CPRA (California Residents)

  • Right to Know (§1798.100): Right to know what categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share information. We must respond within 45 days (extendable by a further 45 days with notice).
  • Right to Delete (§1798.105): Right to request deletion of personal information we have collected. Exceptions apply where retention is necessary for certain purposes (completing a transaction, detecting security incidents, fulfilling legal obligations, etc.).
  • Right to Correct (§1798.106, CPRA): Right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing (§1798.120): Right to direct us not to sell or share your personal information. We do not sell personal information and do not share personal information with third parties for cross-context behavioural advertising. You therefore have no need to exercise this right against us.
  • Right to Limit Use of Sensitive Personal Information (§1798.121, CPRA): Right to limit our use of sensitive personal information to that which is necessary to provide the services you request. We do not process sensitive personal information as defined under CPRA in our regular operations.
  • Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any CCPA right. We will not deny services, charge different prices, provide a different level of quality, or suggest that you will receive different treatment for exercising your rights.
  • Authorised Agent: You may designate an authorised agent to make a CCPA request on your behalf, provided the agent presents signed written permission and you verify your own identity directly with us.

11.3 Rights under DPDP Act 2023 (Indian Residents / Data Principals)

  • Right to Access Information (S.11): Right to obtain a summary of the personal data we process about you and the processing activities, including the identities of Data Processors and other Data Fiduciaries with whom your data has been shared.
  • Right to Correction and Erasure (S.12): Right to correct inaccurate or misleading personal data and to erase personal data that is no longer necessary for the purpose for which it was collected, or where consent is withdrawn.
  • Right to Grievance Redressal (S.13): Right to have grievances regarding processing of your personal data addressed by our Grievance Officer (see Section 16) within the timelines prescribed.
  • Right to Nominate (S.14): Right to nominate another individual to exercise rights on your behalf in the event of your death or incapacity.
  • Right to Withdraw Consent (S.6(4)): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Data Protection Board: If your grievance is not resolved to your satisfaction by our Grievance Officer, you may escalate the matter to the Data Protection Board of India once constituted under the DPDP Act.

11.4 Rights under Other Applicable Laws

  • Canada (PIPEDA): Right of access, right to challenge accuracy, right to complain to the Office of the Privacy Commissioner of Canada (OPC).
  • Australia (Privacy Act 1988): Right to access and correct personal information, right to complain to the Office of the Australian Information Commissioner (OAIC).
  • Brazil (LGPD): Rights to access, correction, anonymisation, portability, deletion, information about sharing, right to object, right to revoke consent, and right to complain to the Autoridade Nacional de Proteção de Dados (ANPD).
  • Singapore (PDPA): Right of access and correction, right to withdraw consent, right to complain to the Personal Data Protection Commission (PDPC).

11.5 How to Exercise Your Rights

To exercise any of the above rights:

  • Send an email to support@crawlwithai.com with subject line: "Data Subject Rights Request — [Your Name] — [Right Requested]"
  • Include sufficient information to allow us to identify your account or data (e.g., Shopify store URL for Merchants, email address used to contact us).
  • We will acknowledge receipt within 3 business days.
  • We will respond substantively within 30 days (GDPR/UK GDPR), 45 days (CCPA), or 30 days (DPDP Act/others). Where additional time is required, we will notify you and provide a revised timeline.
  • We may ask you to verify your identity before fulfilling your request. We will not charge a fee for reasonable requests. We may refuse manifestly unfounded or excessive requests but will explain our reasons.

12. Data Security: Technical and Organisational Measures

We implement comprehensive technical and organisational security measures ("TOMs") to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access. The following measures are in place and maintained on an ongoing basis.

12.1 Encryption

  • Data in Transit: All communications between users' browsers and our servers, and between our servers and sub-processors, are encrypted using TLS 1.2 or TLS 1.3 with strong cipher suites (ECDHE key exchange, AES-128-GCM or AES-256-GCM). We enforce HTTPS-only access and use HTTP Strict Transport Security (HSTS) headers.
  • Data at Rest: All data stored in our databases and object storage is encrypted using AES-256. Encryption keys are managed separately from the encrypted data using a dedicated key management service.
  • Backup Encryption: All database backups and archive files are encrypted prior to storage using the same AES-256 standard. Backup decryption keys are held by authorised personnel only and subject to multi-person authorisation for access.
  • API Tokens: Shopify API access tokens and any internal service tokens are encrypted at rest using envelope encryption and are never stored in plaintext.

12.2 Access Controls

  • Role-Based Access Control (RBAC): Access to production systems, databases, and personal data is restricted to personnel whose role requires it. We apply the principle of least privilege — each team member has access only to the minimum data necessary to perform their function.
  • Multi-Factor Authentication (MFA): MFA is mandatory for all internal systems access, including cloud infrastructure consoles, deployment tools, and database interfaces. Password-only access is not permitted.
  • SSO and Identity Management: We use a centralised identity provider for managing staff access, enabling rapid access revocation when staff leave or roles change.
  • Privileged Access Management (PAM): Administrative and privileged access (e.g., database superuser, root server access) is logged, time-limited, and subject to additional approval workflows.

12.3 Network and Infrastructure Security

  • Production systems are isolated in private network segments (VPCs) with firewall rules restricting inbound and outbound traffic to only what is required for operation.
  • Web Application Firewall (WAF) protection is applied to all public-facing endpoints to block common attack patterns (OWASP Top 10, SQL injection, XSS, CSRF).
  • DDoS protection and rate limiting are applied at the network and application layers.
  • Dependency and vulnerability scanning is performed on all software dependencies as part of our CI/CD pipeline, with critical and high-severity vulnerabilities remediated within 48 hours of discovery.
  • Regular penetration testing is conducted by qualified third-party security professionals, with findings tracked and remediated according to severity.

12.4 Organisational Measures

  • Security Training: All staff receive mandatory data protection and security awareness training upon joining and annually thereafter. Training covers phishing recognition, secure data handling, password management, and incident reporting.
  • Privacy by Design and Default: New features and processing activities are assessed for privacy implications during the design phase. We minimise data collection, implement pseudonymisation where possible, and apply privacy-protective defaults.
  • Data Protection Impact Assessments (DPIAs): For high-risk processing activities (as defined under Art. 35 GDPR), we conduct DPIAs prior to commencing processing. DPIA records are maintained and reviewed periodically.
  • Vendor Due Diligence: All sub-processors and third-party service providers undergo a security and privacy due diligence assessment before engagement, including review of their own security certifications (e.g., ISO 27001, SOC 2 Type II) and DPAs.
  • Confidentiality Obligations: All staff and contractors with access to personal data are bound by confidentiality obligations in their employment contracts or service agreements.

12.5 Security Monitoring and Incident Response

  • Automated intrusion detection systems (IDS) monitor for anomalous activity including unauthorised access attempts, unusual data volume transfers, and privilege escalation events.
  • Security logs are centralised, retained for 90 days, and reviewed regularly by authorised personnel.
  • We maintain a formal Incident Response Plan (IRP) that defines roles, responsibilities, escalation procedures, and communication protocols for security incidents.
  • In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (GDPR Art. 34).
  • For breaches affecting Indian residents under the DPDP Act, we will comply with breach notification obligations as prescribed by the Central Government from time to time.

12.6 Physical Security

CrawlWithAI operates without dedicated physical data centre infrastructure. All data is stored with our cloud infrastructure providers, who maintain robust physical security controls including 24/7 surveillance, biometric access controls, and environmental protections as described in their respective compliance certifications (ISO 27001, SOC 2).

12.7 Limitations

Despite our extensive security measures, no method of electronic transmission or digital storage is 100% secure. We cannot guarantee absolute security of data transmitted over the internet. If you discover or suspect a security vulnerability in our systems, we ask that you report it to us responsibly at support@crawlwithai.com before public disclosure. We are committed to acknowledging responsible disclosure reports promptly and addressing valid findings.

13. Shopify Partner Compliance and App-Specific Disclosures

As a Shopify Partner and developer of a Shopify App listed on the Shopify App Store, we are subject to Shopify's Partner Program Agreement, API Terms of Service, and App Store requirements in addition to applicable data protection law. This Section details our specific Shopify-related commitments.

13.1 Minimum Required API Permissions

We comply with Shopify's data minimisation requirements by requesting only the following API scopes, and we document the specific reason for each scope in our App Store listing:

  • read_orders: Required to receive anonymised order webhooks for revenue attribution. We process only the minimum fields necessary (order ID, total, currency, timestamp) and discard all other order fields immediately.
  • read_products: Required to retrieve product catalogue metadata for dashboard filtering.
  • write_script_tags: Required to inject our JavaScript Tracking Snippet into the Merchant's storefront theme via Shopify's Script Tags API.

We do not request, and will never request without explicit justification and Merchant consent: read_customers, write_customers, read_customer_payment_methods, read_financial_information, write_orders, or any write access to the Merchant's store data.

13.2 Permitted Use of Merchant Data

Data accessed through Shopify's APIs is used exclusively for the purpose of providing the CrawlWithAI service to that specific Merchant. We do not:

  • Use Merchant or End User data to build profiles for use outside of the App or for any purpose other than the attribution, monitoring, and reporting features described in this Policy.
  • Share an individual Merchant's data with other Merchants or with third parties for commercial advantage.
  • Use Merchant store data to train AI models or machine learning algorithms for external sale.
  • Use Merchant data for advertising or remarketing to the Merchant's End Users through third-party platforms.

13.3 Post-Uninstallation Obligations

Upon receipt of Shopify's app/uninstalled webhook, we comply with Shopify's requirement to delete or de-identify all Merchant data within 48 hours (account configuration, API tokens) and all associated End User session data within 7 days, subject to legal retention obligations. We maintain logs of our deletion confirmations.

13.4 GDPR Data Processing Addendum for EEA Merchants

EEA-based Merchants who install our App are required to execute a Data Processing Agreement (DPA) with CrawlWithAI, pursuant to which we act as a Data Processor processing End User data on behalf of the Merchant (the Data Controller). A copy of our standard DPA is available upon request at support@crawlwithai.com. By installing the App, EEA Merchants agree to the terms of our standard DPA unless a separately negotiated DPA is in place.

13.5 Merchant Responsibility for End User Disclosures

Merchants are responsible for ensuring that their own privacy policies disclose the use of third-party tracking technologies including CrawlWithAI's Tracking Snippet, and for obtaining any consent from their End Users required by applicable law (including the EU ePrivacy Directive and GDPR where applicable). CrawlWithAI provides a suggested disclosure clause for Merchants to include in their privacy policies upon request.

13.6 Shopify's Own Privacy Policy

Data that Shopify independently collects from Merchants and their customers is governed by Shopify's own Privacy Policy (available at shopify.com/legal/privacy), not this Policy. We recommend Merchants familiarise themselves with Shopify's data practices in addition to our own.

14. Children's Privacy and Age Restrictions

14.1 Age Restriction. Our services are designed for and directed exclusively to business operators (Shopify Merchants) and professionals aged 18 years or older. Our Website and App are not directed to, and should not be used by, children under the age of 18.

14.2 No Knowing Collection from Minors. We do not knowingly collect, solicit, or process personal data from individuals under 18 years of age. If we become aware that we have inadvertently collected personal data from a child under 18 years of age, we will take immediate steps to delete such data from our systems and, where required by law, notify the relevant authorities.

14.3 End User Age. We have no control over, and are not responsible for, the age of End Users visiting Merchant storefronts. Merchants who sell age-restricted products are responsible for implementing their own age verification mechanisms. Our Tracking Snippet does not collect data that would reveal the age of an End User.

14.4 COPPA. If a US-based Merchant uses our service in connection with a website or online service directed to children under 13 years of age as defined under the US Children's Online Privacy Protection Act (COPPA), they must notify us in writing at support@crawlwithai.com and we will work with them to implement appropriate data handling modifications or, where necessary, restrict our service to that Merchant.

14.5 Reporting. If you believe we may have collected personal data from or about a minor under 18, please contact us immediately at support@crawlwithai.com with the subject line "Children's Privacy Report". We will investigate and respond within 5 business days.

15. Third-Party Websites, Services, and Links

15.1 Third-Party Links. Our Website and App may contain links to third-party websites, platforms, or services, including but not limited to: the Shopify App Store, Shopify's help documentation, AI Platform websites (OpenAI, Anthropic, Google, Perplexity, etc.), payment processors, and social media platforms. When you click these links, you leave our Website or App environment.

15.2 No Control Over Third Parties. We do not control, operate, or have any affiliation with these third-party websites beyond the commercially defined relationship (e.g., Shopify Partner). This Policy does not apply to any third-party website or service. We are not responsible for the privacy practices, security posture, or content of any third-party site.

15.3 Review Third-Party Policies. We strongly encourage you to review the privacy policies of any third-party website or service you access via links from our Website or App. The fact that we link to a third-party site does not constitute an endorsement of their privacy practices.

15.4 Embedded Third-Party Content. Our Website does not embed third-party social media widgets, YouTube videos, or other third-party iframes that would cause those third parties to set cookies or collect data from you without your knowledge. Where we do embed third-party content in the future, we will update this Policy and our Cookie Banner accordingly.

15.5 Third-Party Authentication. We do not currently offer login via third-party OAuth providers (e.g., Google Sign-In, GitHub). Merchant authentication is handled exclusively via Shopify's OAuth flow. If we introduce third-party authentication options in the future, we will update this Policy.

16. Indian Law Compliance: Specific Statutory Obligations

As an Indian business, we are subject to multiple Indian statutes that govern data protection, information technology, consumer protection, and financial compliance. This Section details our specific obligations and commitments under each.

16.1 Information Technology Act, 2000 (IT Act) and IT (SPDI) Rules, 2011

  • We comply with Section 43A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which require body corporates handling SPDI to implement and maintain reasonable security practices.
  • Our security practices described in Section 12 constitute "reasonable security practices" as required under the IT (SPDI) Rules, including implementation of an Information Security Policy.
  • Under Rule 5, we obtain consent from providers of sensitive personal data before collection and allow them to review, modify, and withdraw consent for such data.
  • We do not transfer SPDI to any person outside India unless the recipient ensures the same level of data protection as provided under these Rules, and the transfer is necessary for the performance of a lawful contract or the data subject has consented.
  • We maintain a designated Grievance Officer as required under Rule 5(9) who can be contacted at support@crawlwithai.com. Grievances are acknowledged within 24 hours and resolved within 30 days.

16.2 Digital Personal Data Protection Act, 2023 (DPDP Act)

  • We are committed to full compliance with the DPDP Act 2023 and its implementing rules as they come into force.
  • As a Data Fiduciary, we will maintain a publicly accessible privacy notice meeting the notice requirements of Section 5 of the DPDP Act, including in English and the scheduled Indian languages as prescribed.
  • We will obtain and manage consent from Data Principals in accordance with Section 6, including maintaining itemised records of consent and providing mechanisms for easy withdrawal.
  • We will comply with data localisation obligations for personal data of Indian citizens as notified by the Central Government under Section 16, once such obligations are specified.
  • If designated as a Significant Data Fiduciary by the Central Government, we will additionally appoint a Data Protection Officer (DPO) and conduct Data Protection Impact Assessments (DPIAs) and data audits as required under Section 10 of the DPDP Act.
  • We will not engage Data Processors who do not provide sufficient guarantees of compliance with the DPDP Act and will ensure all processing by Data Processors is governed by a valid contract.
  • In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in the form and manner prescribed under Section 8(6) of the DPDP Act.

16.3 Goods and Services Tax Act, 2017

  • We maintain GST-compliant invoices for all B2B transactions (including Merchant subscriptions) which may include the Merchant's business name and GSTIN where provided.
  • GST-related financial records are retained for 7 years as required under the GST Act.
  • International sales to EEA Merchants may attract GST under the OIDAR (Online Information and Database Access or Retrieval) service rules. We comply with applicable tax obligations in respect of cross-border digital services.

16.4 Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020

  • We comply with the Consumer Protection Act 2019 and its associated e-commerce rules, including obligations to provide clear information about our services, pricing, and grievance redressal mechanisms.
  • Our Grievance Officer (also serving as our designated officer under the Consumer Protection (E-Commerce) Rules) can be reached at support@crawlwithai.com. Consumer complaints are acknowledged within 24 hours and addressed within 30 days.
  • We do not engage in unfair trade practices, including misrepresentation of our services or deceptive pricing.

16.5 Companies Act, 2013

To the extent applicable to our business structure, we comply with the record-keeping and financial reporting requirements of the Companies Act 2013 and the rules made thereunder.

16.6 Grievance Officer — Contact Details

Name of Grievance Officer: Authorised Representative, CrawlWithAI

Email: support@crawlwithai.com

Location: Mumbai, Maharashtra, India

Hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding Indian public holidays)

Response Time: Acknowledgement within 24 hours; resolution within 30 days

17. Automated Processing, Profiling, and AI-Based Decisions

17.1 Nature of Our Processing. Our systems perform automated processing of session and attribution data to generate the analytics reports visible in the Merchant Dashboard. This processing is algorithmic and rule-based (e.g., "if the referrer URL contains 'chatgpt.com', classify session as ChatGPT-attributed") rather than involving machine learning inference on individual data subjects.

17.2 No Significant Automated Decisions. We do not make any fully automated individual decisions that produce legal effects or similarly significantly affect natural persons. Specifically:

  • We do not use automated processing to determine whether to grant or deny a person credit, employment, insurance, or access to services.
  • We do not use automated scoring to discriminate between individuals on the basis of any protected characteristic.
  • Our attribution classifications are statistical reports provided to Merchants for their own business intelligence use. The Merchant, not CrawlWithAI, makes any business decisions based on those reports.
  • We do not build individual consumer profiles sold or licensed to third parties for targeting purposes.

17.3 Aggregated Machine Learning. We may use aggregated, fully anonymised data to train or improve our attribution classification algorithms (e.g., improving AI Crawler bot detection accuracy). This training data does not include personal data attributable to any individual. No personal data is used as model training input or surfaced in model outputs.

17.4 AI Platform Detection. Our system uses proprietary classification methods to determine whether a session or crawler visit originates from an AI Platform. Classification is based on signals present in standard HTTP request metadata. We do not disclose the specific implementation details of our detection and classification methods, as these constitute proprietary intellectual property. False positives (misclassified sessions) may occur and we maintain a process by which Merchants can report and request correction of attribution records.

18. Data Breach Notification Procedures

We maintain a formal Data Breach Response Plan. In the event of an actual or suspected personal data breach, we follow the procedures set out below.

18.1 Definition of a Personal Data Breach

A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us. This includes:

  • Unauthorised access to our database by an external attacker.
  • Accidental exposure of Merchant or End User data due to a software misconfiguration.
  • Loss or theft of a device containing unencrypted personal data.
  • Accidental disclosure of personal data to the wrong recipient.
  • Ransomware or other malware that results in encryption or destruction of personal data.

18.2 Internal Response Timeline

  • T+0 (Discovery): Incident detected and escalated to the incident response team. All relevant evidence is preserved.
  • T+4 hours: Preliminary severity assessment completed. Containment measures initiated. If the breach is confirmed and appears likely to result in risk to individuals, the breach notification clock starts.
  • T+24 hours: Root cause analysis underway. Internal incident report drafted. Decision made on regulatory notification obligation.
  • T+72 hours: Regulatory notification submitted where required (GDPR Art. 33). Notification includes: description of the breach, categories and approximate number of individuals and records concerned, name of our data protection contact, likely consequences, measures taken or proposed.
  • T+72 hours (or without undue delay thereafter): Individual notification sent to affected data subjects where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34), unless an exemption applies (e.g., data was encrypted).

18.3 Notification to Merchants

If a breach affects Merchant data or End User data processed on a Merchant's behalf (where we act as Data Processor), we will notify the relevant Merchant(s) as promptly as possible and in any event within 48 hours of confirming the breach, to enable the Merchant to fulfil their own notification obligations as Data Controller.

18.4 Post-Incident Review

Following resolution of any breach, we will conduct a post-incident review to identify root causes and implement remediation measures to prevent recurrence. A summary of significant breaches and remediation actions is maintained in our security incident log.

19. Records of Processing Activities

In accordance with Art. 30 GDPR, we maintain written records of all processing activities carried out under our responsibility as Data Controller. These records include:

  • The name and contact details of the Data Controller (CrawlWithAI) and, where applicable, joint controllers and the Data Protection Officer.
  • The purposes of each processing activity.
  • A description of the categories of data subjects and categories of personal data for each activity.
  • The categories of recipients, including any third countries or international organisations to which data is transferred.
  • The legal basis for each processing activity.
  • The retention periods for each category of data.
  • A general description of the technical and organisational security measures in place.

Our Records of Processing Activities (RoPA) are maintained internally and are available for inspection by the relevant supervisory authority upon request. Data subjects may request a high-level summary of the RoPA entries relating to their data as part of their Right of Access request.

We also maintain records of processing activities conducted as Data Processor on behalf of Merchants, as required under Art. 30(2) GDPR, including the categories of processing carried out on each Merchant's behalf.

20. Changes to This Privacy Policy

20.1 Right to Update. We reserve the right to modify this Policy at any time to reflect changes in our data processing practices, applicable law, regulatory guidance, or our business operations. All changes will be reflected in the "Effective Date" at the top of this Policy.

20.2 Notification of Material Changes. Where we make material changes that affect your rights or our processing of your data in ways that are not merely procedural or cosmetic, we will:

  • Update the Effective Date at the top of this Policy.
  • Email all active Merchants to the address on their account at least 14 days before the changes take effect.
  • Display a prominent notice on our Website and in the Merchant Dashboard for at least 30 days.
  • Where applicable law requires, seek fresh consent from data subjects before the new processing begins.

20.3 Immaterial Changes. We may make administrative, cosmetic, or legally required changes to this Policy without advance notice. Such changes will be noted by an updated Effective Date.

20.4 Policy Archive. Previous versions of this Policy will be archived and made available upon request at support@crawlwithai.com, together with a changelog summarising substantive amendments between versions.

20.5 Continued Use. Continued use of our services after the Effective Date of an updated Policy constitutes your acceptance of the updated terms. If you do not accept the updated Policy, you must discontinue use of our services prior to the Effective Date. Termination following a material Policy change that you do not accept will be treated as termination without fault, subject to our standard Refund Policy.

21. Contact, Grievance Redressal, and Supervisory Authorities

For any questions, concerns, or requests regarding this Privacy Policy, your personal data, or your rights as a data subject, please contact us using the details below.

21.1 Primary Data Protection Contact

CrawlWithAI — Data Privacy Team

Mumbai, Maharashtra, India

Email: support@crawlwithai.com

Subject Line: "Privacy Policy Enquiry" or "Data Subject Rights Request — [Right Requested]"

Response Time: Acknowledgement within 3 business days; substantive response within 30 days

21.2 Grievance Officer (India — IT Act / DPDP Act)

Designated Grievance Officer

CrawlWithAI, Mumbai, Maharashtra, India

Email: support@crawlwithai.com

Grievance Acknowledgement: Within 24 hours

Grievance Resolution: Within 30 days

21.3 Relevant Supervisory Authorities

If you are not satisfied with our response to your data rights request or privacy complaint, you have the right to contact the relevant data protection supervisory authority in your jurisdiction:

  • India: Data Protection Board of India (DPBI) — to be constituted under the DPDP Act 2023 (once operational). In the interim, the Ministry of Electronics and Information Technology (MeitY) at meity.gov.in.
  • EU (all member states): Your local Data Protection Authority (DPA) — a full list is available at edpb.europa.eu/about-edpb/board/members_en
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk | helpline: 0303 123 1113
  • United States (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov
  • Canada: Office of the Privacy Commissioner (OPC) — priv.gc.ca
  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
  • Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg

21.4 Preferred Dispute Resolution

Before escalating to a supervisory authority or court, we encourage you to contact us directly. We commit to engaging in good faith to resolve any privacy concerns you raise and to providing a clear written response to every complaint we receive. Most concerns can be resolved quickly and informally through direct communication.

21.5 Judicial Remedies

Nothing in this Policy limits your right to seek judicial remedies in your local courts if you believe your data protection rights have been violated, in addition to or as an alternative to filing a complaint with a supervisory authority.
