This Privacy Policy describes how Crawdad ("we", "us", "our") handles information in connection with the Crawdad software and getcrawdad.dev website (collectively, "the Service").
The data controller for the Service is Andrew Sispoidis, operating as Crawdad, pending formation of a legal entity. Contact: contact@getcrawdad.dev. [LEGAL: update entity name when LLC is formed.]
Crawdad is a local security tool. Raw prompts, responses, action parameters, and PII never leave your machine. Only signed metering packets (event counts, Ed25519-signed, sequence-numbered) transmit upstream. This is enforced by architecture, not policy — even Crawdad as a company cannot see your content.
This policy describes every outbound network call the software makes, the limited account-level information we collect when you sign up or subscribe, and the one opt-in detection feature that can transmit content excerpts for analysis.
When the optional L7 LLM-critic detection layer is enabled with a remote backend, Crawdad may send content excerpts to Anthropic's API for analysis.
This is the one code path in the sidecar where content can leave your machine for inspection rather than remain purely local. It is disabled by default. In the source (crawdad-sidecar/src/output_critic.rs), CriticConfig::default() returns enabled: false, and no remote backend is configured unless you set one.
To enable it, you must explicitly turn on the L7 critic in Settings and configure a backend. The recommended configuration is a local model (Ollama) so inspection remains fully local. Selecting the Anthropic remote backend is what causes content excerpts to leave your machine.
When the L7 critic is disabled, or when it is enabled with a local backend, all inspection is fully local and no content leaves your machine for analysis.
The Crawdad sidecar does not transmit the following to Crawdad, to any third party, or over any network connection (subject to the one opt-in exception called out above):
The Crawdad sidecar is not a hermetically sealed program. It makes the following outbound calls, and no others. Each is documented so you can verify against the running process using netstat, Little Snitch, or an equivalent tool.
api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, api.x.ai, or integrate.api.nvidia.com). These requests are identical to what your agent would send without Crawdad — Crawdad is not a party to them.crawdad-production.up.railway.app. Sent on a fixed cadence. Each packet contains a tenant ID, device ID, sequence number, and integer counts of operations by type (firewall scans, action authorizations, outbound scans, memory writes, privacy classifications). Every packet is Ed25519-signed with your device key; any tampering invalidates the signature. No prompt text. No response text. No tool-call arguments. No PII values. The packet struct is defined in crawdad-sidecar/src/metering.rs.crawdad-production.up.railway.app and (b) the National Vulnerability Database at services.nvd.nist.gov. The request sends no user data. You may disable signature updates in Settings.raw.githubusercontent.com/AndrewSispoidis/crawdad-mcp-db. This is a classification of known MCP servers. The request sends no user data; GitHub's standard request log applies. You may disable MCP database updates in Settings.wss://crawdad-production.up.railway.app/ws/relay and pushes two kinds of messages:
file_read, file_write, shell, web, api_call, other) before encryption. Unpair any device from Settings → Paired Devices → Disconnect to revoke its key immediately; the WebSocket remains closed with no paired devices.No other outbound calls are made by the sidecar.
Crawdad stores data on your machine in a per-user directory:
~/Library/Application Support/crawdad/$XDG_DATA_HOME/crawdad/ (default ~/.local/share/crawdad/)%APPDATA%\crawdad\The directory is created with owner-only permissions (0700 on Unix). The sidecar refuses to start on a group- or world-accessible path. Contents:
config.json — your configuration preferences and detection settings.sessions.db — SQLite database with session recordings, detection events, audit trail metadata, and MCP server data.audit.db — cryptographically chained audit log (SHA-256 Merkle chain, Ed25519-signed).threat_feeds.json — cached threat intelligence data fetched from public sources.This data is readable only by your user account. Crawdad does not encrypt the database files at rest; they rely on your operating system's disk encryption if enabled. You may delete the data at any time by running crawdad-sidecar uninstall or manually removing the directory.
Earlier versions of Crawdad (v0.7 and v0.8) stored data under /etc/crawdad/ with overly permissive permissions. On first startup, v0.9 auto-migrates any data found at that legacy path into the new per-user location and logs a warning asking you to remove the old directory manually after verifying the migration.
The getcrawdad.dev website is hosted on Cloudflare Workers. When you visit, Cloudflare collects standard web server access logs (IP address, user agent, request path, timestamp) per Cloudflare's retention defaults. We do not place cookies beyond Cloudflare's operational cookies, use analytics services, advertising, or retargeting pixels.
On first run (and exactly once per machine, unless you delete the model), the sidecar fetches two files from the Cloudflare R2 CDN behind getcrawdad.dev/download/v0.9.2/: the ML detection model (~272 MB) and a platform-specific libonnxruntime shared library (~7–8 MB). These are standard anonymous HTTPS GETs; Cloudflare receives the normal request metadata (IP address, user agent, request path, timestamp). No account, device, or tenant identifier is attached to the request. The files are verified via SHA-256 before being written to disk. If the download fails repeatedly or disk space is insufficient, the sidecar continues pattern-only detection and retries on the next restart. Downloads can be suppressed entirely with CRAWDAD_ML_DISABLED=1.
When you sign up via the "Install" button or subscribe to a paid plan, we collect:
This data is stored on the Crawdad gateway (Railway-hosted). Email transactional messaging is handled by Resend.
Payment processing is handled by Stripe, Inc. We receive from Stripe: your name, email address, subscription plan, and payment status. We do not receive or store your credit card number. Stripe's privacy policy governs the handling of your payment information.
The Service uses the following third parties. Each is listed with what data it receives. We do not have formal Data Processing Agreements in place at this time; we rely on the standard data processing terms of our infrastructure providers.
| Service | Purpose | Data received |
|---|---|---|
| Cloudflare | Website hosting, CDN, DNS | Standard web server logs (IP, user agent, request path, timestamp) |
| Railway | Crawdad gateway hosting | Signed metering packets, signup events, Stripe webhook events |
| Stripe | Payment processing | Name, email, subscription plan, payment method (payment method data handled by Stripe, not received by Crawdad) |
| Resend | Transactional email (install instructions, receipts, incident notifications) | Email address, subject, message body |
| Sentry | Optional crash reporting (opt-in, OFF by default; see "Crash reporting" below) | Structural metadata only — see scrub detail below |
NVD (nvd.nist.gov) | Threat intelligence signature updates | Public request; no user data sent |
GitHub (raw.githubusercontent.com) | MCP server reference database | Public request for AndrewSispoidis/crawdad-mcp-db/db.json; no user data sent |
Depending on your jurisdiction, you may have rights regarding your personal information under laws such as the GDPR, CCPA, and similar frameworks. Because Crawdad stores your AI agent data locally on your machine, you have direct control over all software-side data. For the account-level data we hold (email, tenant ID, subscription records), you may:
Crawdad includes optional crash reporting via Sentry, OFF by default. To enable, both conditions must be met:
getcrawdad.dev/install.sh have this).telemetry.crash_reports_enabled in Settings.When enabled, crash events are aggressively scrubbed before transmission by the scrub_event function in crawdad-sidecar/src/telemetry.rs. Only the following structural metadata survives:
os and runtime only)[scrubbed: potentially sensitive content] if it contains characters outside a safe set (alphanumerics, whitespace, and a limited punctuation set)The following is never sent, regardless of whether crash reporting is enabled:
os / non-runtime context data (stripped)Crash reports are transmitted to Sentry's servers (Crawdad's Sentry organization, US region). Source for the scrub logic is in crawdad-sidecar/src/telemetry.rs. You may disable crash reporting at any time in Settings; no data is sent to Sentry when disabled.
The Crawdad software stores data locally in SQLite databases. Security of this data depends on your machine's security, including disk encryption, access controls, and physical security. We recommend enabling full-disk encryption. Crawdad implementation is in Rust; 1,201 tests across 17 crates; zero unsafe blocks.
Data may be processed in the United States where our infrastructure is hosted. By using the Service, you consent to this transfer. [LEGAL: SCC language if EU customers materialize.]
Crawdad is a professional security tool not intended for use by children under 13. We do not knowingly collect personal information from children under 13.
We may update this Privacy Policy from time to time. The "Last updated" date indicates the most recent revision. For material changes, we will notify account holders by email at least 30 days before the change takes effect. Continued use of the Service after that period constitutes acceptance.