Legal

Privacy Policy

Last updated: March 19, 2026

1. Introduction

nameCrawl ("we", "us", "our") operates the namecrawl.dev website, API, and CLI tool. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a cryptographic hash, never in plaintext)
  • Authentication identifiers from Clerk (our identity provider)

Billing Information

When you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription ID but never store your credit card number, CVV, or full payment details. All payment data is handled directly by Stripe.

Usage Data

We automatically collect:

  • API request logs: endpoint accessed, request body, response status, response time, IP address, and timestamp for each authenticated API call
  • Public search analytics: domain name searched, number of TLDs available/taken, and a SHA-256 hash of your IP address (not the full IP) for unauthenticated searches
  • Daily usage aggregates: query counts, TLDs checked, cache hit rates per account

API Keys

API keys are stored as SHA-256 hashes. The full key is shown to you once at creation and is never stored or retrievable by us after that point.

Watchlist Data

If you use the domain watchlist feature (Pro plan and above), we store the domains you choose to monitor, their expiry dates, your notification preferences, and any webhook URLs you configure.

Device Authentication

When using the CLI tool, we use a device authorization flow. Device codes are stored temporarily as hashes and automatically expire after 15 minutes.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process payments and manage subscriptions
  • Enforce rate limits and prevent abuse
  • Send domain expiry notifications (if configured)
  • Generate aggregated, non-identifying trending and analytics data
  • Communicate service updates and security notices
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising.

4. Cookies

We use the following cookies:

  • __session: Authentication session token (JWT). Required for dashboard access. Expires when your session ends.
  • __clerk_db_jwt: Clerk authentication cookie managed by our identity provider.
  • csrf_token: Cross-site request forgery protection. Session-based.

We do not use third-party analytics cookies, advertising cookies, or tracking pixels.

5. Third-Party Services

We share data with the following third-party processors as necessary to provide the Service:

  • Clerk (clerk.com) — Identity and authentication. Processes your email and login credentials.
  • Stripe (stripe.com) — Payment processing. Processes your payment method and billing details.
  • Fly.io (fly.io) — Infrastructure hosting. Our API servers and database run on Fly.io.
  • Vercel (vercel.com) — Frontend hosting. Our website is hosted on Vercel.
  • Cloudflare (cloudflare.com) — DNS and domain management.

We also query the following external services to provide domain data. Your searched domain names (not your personal information) are sent to these services:

  • RDAP registries (IANA-designated registry servers) for domain availability and registration data
  • Porkbun, Namecheap, GoDaddy, NameSilo, and Dynadot APIs for pricing data
  • Cloudflare Turnstile for spam prevention on public searches

6. Affiliate Links

Domain registration links displayed in our Service may contain affiliate identifiers for Porkbun, Namecheap, GoDaddy, NameSilo, and Dynadot. When you click these links, the registrar may set their own cookies and track your activity according to their own privacy policies. We earn a commission on registrations made through these links at no additional cost to you.

7. Data Retention

  • Account data: Retained until you delete your account
  • API usage logs: Retained for 90 days, then automatically purged
  • Public search analytics: Retained indefinitely in aggregated form with hashed IPs (not traceable to individuals)
  • Domain index cache: RDAP lookup results are cached and periodically refreshed. Old entries are purged after 30 days of inactivity.
  • Trending snapshots: Aggregated trending data retained for 30 days
  • Device auth sessions: Expire and are deleted after 15 minutes

8. Data Security

We implement the following security measures:

  • Passwords and API keys are stored as cryptographic hashes (never plaintext)
  • All data in transit is encrypted via TLS/HTTPS
  • Database connections are encrypted via Fly.io's internal WireGuard network
  • CSRF protection on all state-changing requests
  • SSRF protection on user-provided webhook URLs
  • Rate limiting to prevent brute-force attacks
  • Stripe webhook signature verification

While we take reasonable measures to protect your data, no system is 100% secure. You are responsible for keeping your account credentials and API keys confidential.

9. Your Rights

You have the right to:

  • Access: View your account data, usage statistics, and API keys through the dashboard
  • Export: Download your usage data from the dashboard (CSV export)
  • Delete: Delete your account, which will remove all associated personal data, usage logs, watchlist entries, and API keys
  • Correct: Update your email and account settings through the dashboard
  • Revoke: Revoke API keys at any time through the dashboard

To exercise any of these rights, use the dashboard settings or contact us at hello@namecrawl.dev.

10. International Data Transfers

Our servers are located in the United States (Fly.io IAD region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Children's Privacy

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us at hello@namecrawl.dev.