Privacy Policy

01Who we are

The data controller responsible for personal information described in this policy is Crawlog LLC (trading as AxioRank), located at 30 N Gould St, Ste R, Sheridan, WY 82801, United States. You can reach our privacy team at hi@axiorank.com.

AxioRank operates a security gateway that sits between AI agents and the tools, data, and systems they reach. The Service inspects agent tool calls for leaked secrets, personal data, destructive commands, and prompt injection; enforces customer-defined policy; verifies the identity of inbound agents; and writes a redacted, tamper-evident audit trail. This policy describes our own handling of personal information. Your use of the Service is also governed by our Terms of Service.

02Scope and our role

We handle personal information in two distinct roles, and your rights and our obligations differ depending on which applies:

• As a controller. When we decide why and how personal information is processed — for example, information about visitors to our website, prospective customers, and the individual users who administer a workspace — we act as a “controller” (or “business” under U.S. law). This policy governs that processing.
• As a processor. When our customers route their data through the Service so that we can inspect, score, redact, and log agent activity on their behalf, that data (“Customer Data”) is processed under the customer’s instructions. For Customer Data, the customer is the controller and we are the “processor” (or “service provider”). Our handling of Customer Data is governed by the agreement and Data Processing Addendum (“DPA”) with that customer, not by this policy. If you are an end user, employee, or agent operator of one of our customers and have questions about your data, please contact that organization directly.

This policy does not apply to third-party products, websites, or services that we do not own or control.

03Information we collect

We collect personal information in the following categories. The exact information collected depends on how you interact with us.

Information you provide to us

• Account and profile data: name, work email address, password or single sign-on identifier, organization or workspace name, job title, and role.
• Billing and transaction data: billing contact, billing address, plan and subscription details, and the last four digits and card type of your payment method. Full card numbers are collected and stored by our payment processor, not by AxioRank.
• Support and communications data: the contents of messages, support requests, survey responses, and other communications you send to us, including any attachments.
• Configuration data: the policies, allowlists, connections, API keys, members, and other settings you configure in your workspace.

Information we collect automatically

• Device and connection data: IP address, browser type and version, operating system, device identifiers, language preferences, and referring URLs.
• Usage and telemetry data: pages and dashboard screens viewed, features used, requests made to our API, timestamps, performance and diagnostic metrics, and error reports.
• Cookies and similar technologies: identifiers used to keep you signed in, remember preferences, secure the Service, and understand usage. See Cookies below.

Customer Data processed through the Service

When a customer connects the Service, we process the agent tool calls, requests, responses, metadata, and other content routed through the gateway in order to inspect them for risk signals, apply policy, redact sensitive values, generate threat assessments, and record a redacted audit trail. This Customer Data may incidentally contain personal information. We process it only to provide and secure the Service on the customer’s behalf and in accordance with our agreement and DPA with that customer. By design, sensitive values detected in tool-call payloads are redacted before they are written to the audit trail.

Information from other sources

• Identity and authentication providers when you sign in using single sign-on.
• Our payment processor for subscription status and payment confirmations.
• Security and analytics providers, and publicly available sources, used to protect the Service and our users.

04How we use information

We use personal information for the following purposes:

• to provide, operate, maintain, and improve the Service and its features;
• to create and administer your account, authenticate you, and provide customer support;
• to process payments, manage subscriptions, send invoices, and prevent payment fraud;
• to monitor, detect, investigate, and prevent security incidents, abuse, and other prohibited or illegal activity, and to protect the rights, property, and safety of AxioRank, our users, and others;
• to send transactional and administrative messages, security alerts, and — where permitted — product updates and marketing you may opt out of;
• to understand how the Service is used so we can develop new features and improve performance, reliability, and detection quality;
• to comply with legal obligations, enforce our agreements, and establish, exercise, or defend legal claims.

We do not use the contents of Customer Data to train general-purpose or foundation machine-learning models. Where the Service uses machine learning to assess risk, it does so to deliver the security functionality the customer has engaged us to provide.

05Legal bases for processing (EEA and UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR:

• Performance of a contract — to provide the Service you or your organization have requested and to administer your account.
• Legitimate interests — to secure, support, and improve the Service, prevent fraud and abuse, and communicate with you, where those interests are not overridden by your rights.
• Consent — for certain cookies and optional communications, which you may withdraw at any time.
• Legal obligation — where processing is necessary to comply with applicable law.

06Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, secure the Service against fraud and abuse, remember your preferences, and measure usage so we can improve. Strictly necessary cookies are required for the Service to function. You can control non-essential cookies through your browser settings or any cookie controls we provide; disabling some cookies may affect how the Service works.

We honor Global Privacy Control (GPC) signals where required by applicable law, and analytics cookies are set only with your consent. You can change or withdraw your choice anytime via the “Cookie preferences” link in our footer. For the full list of cookies we use, see our Cookie Policy.

07How we share information

We do not sell your personal information. We share personal information only in the following circumstances:

• Service providers and sub-processors that perform services on our behalf, under contracts that require them to protect the information and use it only for the services they provide to us.
• Within your organization, with workspace administrators and members who are authorized to access your account and its activity.
• For legal reasons, when we believe in good faith that disclosure is required to comply with a law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of AxioRank, our users, or the public.
• Business transfers, in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case we will require the recipient to honor this policy or notify you of any material change.
• With your direction or consent, including integrations you choose to connect.

08Service providers and sub-processors

We rely on a limited set of trusted vendors to run the Service. These providers process personal information on our behalf and are bound by confidentiality and data-protection obligations. They fall into the following categories:

• cloud hosting and application delivery;
• managed database, storage, and authentication;
• payment processing and subscription billing;
• transactional email and customer communications;
• compute and machine-learning infrastructure used for risk scoring;
• vector search used for behavioral anomaly detection;
• background job processing, logging, error monitoring, and analytics.

A current list of the specific sub-processors we use is published at axiorank.com/subprocessors. Customers under a Data Processing Agreement will be notified of material changes to sub-processors as set out in that DPA.

09International data transfers

We are based in the United States and may process and store information in the United States and other countries where we or our service providers operate. These countries may have data-protection laws that differ from those in your jurisdiction. Where we transfer personal information from the EEA, the UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum. You may request a copy of the safeguards we use by contacting hi@axiorank.com.

10Data retention

We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Account information is generally retained for the life of the account and for a limited period afterward. Customer Data is retained and deleted in accordance with the customer’s configuration and our DPA.

For the security logs we generate, we apply tiered retention, enforced by an automated daily purge and configurable per workspace under Settings → Data Retention:

• Inbound request logs (which may contain raw IP addresses and user-agent strings) are deleted after 90 days by default; workspaces may also choose to truncate or hash visitor IPs at the point of collection.
• Audit and forensic logs (already redacted of secrets and personal data at write time) are deleted after 365 days by default.
• Cryptographic integrity proofs (the hashes used to tamper-evidence the audit ledger) are retained after the underlying log data is purged — the proof remains, the personal data does not.
• De-identified, aggregate statistics are retained indefinitely.

When information is no longer needed, we delete or de-identify it.

11How we protect information

We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption in transit and at rest, least-privilege and role-based access controls, tenant isolation, secret management, audit logging, and continuous monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. You are responsible for keeping your credentials and API keys confidential and for promptly notifying us at hi@axiorank.com if you believe your account has been compromised.

12Your privacy rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

• to access and obtain a copy of the information we hold;
• to correct inaccurate or incomplete information;
• to delete your information;
• to port your information to another service in a structured, machine-readable format;
• to object to or restrict certain processing, and to withdraw consent where processing is based on consent;
• to lodge a complaint with your local data-protection authority.

To exercise any of these rights, email hi@axiorank.com. We will respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights. We may need to verify your identity before fulfilling a request. If your information was provided to us by one of our customers (where we act as a processor), we will refer your request to that customer.

13U.S. state privacy rights

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another U.S. state with a comprehensive privacy law, you have the rights described above, including the right to know, access, correct, and delete your personal information, and the right to opt out of the “sale” or “sharing” of personal information and of targeted advertising.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not knowingly process the sensitive personal information of consumers for purposes that would require an opt-out. To exercise your rights, email hi@axiorank.com. You may use an authorized agent to submit a request on your behalf, subject to verification. If we decline a request, you may appeal by replying to our response.

14Children’s privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from anyone under 18 years of age. If you believe a child has provided us with personal information, contact hi@axiorank.com and we will take appropriate steps to delete it.

15Third-party links and services

The Service may contain links to, or integrate with, third-party websites and services that we do not control. This policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party before providing them with your information.

16Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, if required, provide a more prominent notice. Your continued use of the Service after an update becomes effective constitutes acceptance of the revised policy.

17How to contact us

If you have questions, concerns, or requests regarding this policy or your personal information, please contact us: