CrawlWise

    Privacy policy — CrawlWise

    Last updated: 26 April 2026.

    CrawlWise respects your privacy and is committed to protecting your personal data. This policy explains what data we collect, why, how we protect it and what your rights are. It complies with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA / CPRA), the Canadian PIPEDA, and the Tunisian Organic Law n° 63-2004 on personal data protection (INPDP).

    1. Data controller

    The controller responsible for processing your personal data is:

    • CrawlWise — Fares Bouslama, founder and legal representative
    • 11 avenue de Paris, 1000 Tunis, Tunisia
    • Email: contact@crawl-wise.com
    • Phone: +216 25 686 886

    For privacy-related requests we have appointed a single contact point (acting as Data Protection Officer): contact@crawl-wise.com.

    2. Data we collect

    We only collect data that is strictly necessary for the purposes set out below. The minimisation principle (GDPR art. 5.1.c) is applied systematically.

    2.1 Through the contact form

    • First name and last name
    • Email address
    • Phone number (optional)
    • Free-text message describing your request
    • IP address (collected by our infrastructure for anti-spam and rate-limiting)
    • Source page (URL from which the form was submitted)
    • Browser language preferences

    2.2 Through technical cookies

    • Language preference (lifetime: session)
    • Country / locale choice (cookie crawlwise_locale, lifetime: 1 year)
    • Cloudflare Turnstile validation token (session, anti-bot only)

    2.3 Through analytics cookies (subject to your consent)

    • Pages visited, time on page, navigation path
    • Device type, screen resolution, browser language
    • Traffic source (referrer, search engine, campaign)

    We use privacy-friendly analytics tools (Matomo and Umami, self-hosted on our infrastructure) instead of Google Analytics by default. No data is shared with third parties for advertising purposes.

    3. Purposes and legal bases (GDPR art. 6)

    • Responding to your enquiries: process and reply to contact, quote or information requests (legal basis: pre-contractual measures or legitimate interest).
    • Automated quote pre-drafting: AI analysis (Anthropic Claude) of your message to draft an indicative quote that our team reviews before sending (legal basis: legitimate interest + pre-contractual measures). This is not a fully automated decision under GDPR art. 22 — a human always reviews the output before any commercial communication.
    • Sending transactional emails: receipt confirmation, quote, project-related communications (via Resend, US-based processor).
    • Security and fraud prevention: bot and spam protection via Cloudflare Turnstile and rate limiting (legal basis: legitimate interest in protecting our services).
    • Anonymous audience measurement: improve the site and our content (legal basis: explicit consent via the cookie banner).

    4. Processors and recipients

    Your data is accessible only to our internal team, on a strict need-to-know basis. We use the following processors, all under signed Data Processing Agreements (DPA):

    • Cloudflare, Inc. (United States) — global edge hosting, server-side form processing. Data is stored primarily in European data centers. Cloudflare is certified under the EU-US Data Privacy Framework, UK Extension and Swiss-US Data Privacy Framework, and is ISO 27001 certified.
    • Anthropic, PBC (United States) — AI API for automated quote pre-drafting. Data sent to Anthropic is not used to train their models (zero-retention clause for API enterprise usage).
    • Resend, Inc. (United States) — transactional email delivery. GDPR-compliant DPA in place.
    • Google LLC (United States) — Google Analytics and Google Search Console, activated only with your explicit consent. Google is certified under the EU-US Data Privacy Framework.

    Your data is never sold, rented or shared with third parties for advertising or commercial purposes. We do not engage in the "sale" or "sharing" of personal information as defined by the CCPA/CPRA.

    5. Retention periods

    • Contact requests not converted to a project: 12 months from last exchange, then automatic deletion.
    • Client data (active and past projects): duration of the engagement plus 10 years for accounting and tax obligations under Tunisian law.
    • Technical cookies: session or 1 year maximum.
    • Analytics cookies: 13 months maximum.
    • Server logs: 12 months (security, debugging).

    6. Your rights

    6.1 Under the GDPR (EU and UK residents)

    • Right of access (art. 15): obtain a copy of your data.
    • Right to rectification (art. 16): correct inaccurate or incomplete data.
    • Right to erasure / "right to be forgotten" (art. 17), subject to legal retention obligations.
    • Right to restriction (art. 18) of processing in certain cases.
    • Right to data portability (art. 20): retrieve your data in a structured machine-readable format.
    • Right to object (art. 21) to processing for legitimate-interest grounds.
    • Right to withdraw consent at any time (analytics).
    • Right to lodge a complaint with a supervisory authority: in the UK with the Information Commissioner's Office (ICO); in the EU with your national authority (CNIL in France, AEPD in Spain, BfDI in Germany, etc.); in Tunisia with the INPDP.

    6.2 Under the CCPA / CPRA (California residents)

    • Right to know what personal information is collected and how it is used.
    • Right to delete personal information.
    • Right to correct inaccurate personal information.
    • Right to opt-out of the "sale" or "sharing" of personal information (we do neither).
    • Right to limit the use of sensitive personal information.
    • Right to non-discrimination for exercising these rights.

    6.3 Under PIPEDA (Canadian residents)

    Canadian residents have the right to access, correct and challenge the accuracy of their personal information held by CrawlWise, and may file a complaint with the Office of the Privacy Commissioner of Canada.

    To exercise any of these rights, email contact@crawl-wise.com. We will reply within 30 days (45 days for CCPA requests). Proof of identity may be requested for sensitive demands (deletion in particular).

    7. Data security

    We implement technical and organisational measures appropriate to the risk:

    • HTTPS (TLS 1.3) on every page
    • Hosting on ISO 27001-certified infrastructure (Cloudflare)
    • Encryption of data at rest (databases) and in transit
    • Anti-bruteforce and anti-spam rate-limiting (Cloudflare Turnstile + KV)
    • Passwords stored as hashes (bcrypt or argon2id), never in clear text
    • Strict need-to-know access controls for the internal team
    • Daily encrypted backups with quarterly restoration tests
    • Regular OWASP Top 10 security audits

    8. International data transfers

    Some processors (Cloudflare, Anthropic, Resend, Google) are based in the United States. Such transfers are framed by:

    • Adherence to the EU-US Data Privacy Framework, UK Extension and Swiss-US DPF (Cloudflare, Google)
    • European Commission Standard Contractual Clauses (SCCs) and UK International Data Transfer Addendum
    • Additional technical measures: encryption, access control, anonymisation

    9. Changes to this policy

    This policy may be updated to reflect technical, legal or organisational changes. The "last updated" date appears at the top. For substantial changes we will notify you by email or through a banner on the site.

    10. Contact

    Any privacy-related question can be addressed to:

    Ready to start your project?

    Let's chat for 30 minutes — we'll send a clear quote within 24h.

    Contact us