PRIVACY POLICY
Effective date: July 18, 2026
THE SHORT VERSION
Crawly is a Chrome extension that records what you click and type on a website so you can replay it later. Recordings live in your browser. They are never sent to Crawly, to crawly.site, to any server, or to any third party. There is no telemetry, no analytics, no account, and no login.
WHAT CRAWLY STORES
When you record a crawl on a site you have allowed, Crawly saves:
- Click targets and the CSS/text selectors used to find them.
- Values you type into
<input>and<textarea>fields, and dropdown selections. - A short trail of mouse positions for the spider replay animation.
- Page navigation events during the recording.
- Extension settings you set (theme, per-crawl names, auto-run flags).
Everything is written to chrome.storage.local, which is a per-profile storage area managed by your browser. It stays on the device the extension is installed on.
PASSWORDS AND OTHER SENSITIVE FIELDS
Payment card fields (any input with an autocomplete value starting with cc-) and one-time codes (autocomplete="one-time-code") are always skipped. Crawly does not record their values.
Password fields are treated as your choice. When you start a recording on a page that contains a password field, Crawly shows a modal and asks you to pick:
- Skip passwords — recommended. Passwords are ignored during recording.
- Record anyway — Crawly captures what you type into the password field and saves it. It is saved as plaintext in
chrome.storage.local. Anyone with access to your Chrome profile can read it. Anyone who exports the crawl (from the extension's EXPORT button) can read it in the exported JSON. Only pick this for throwaway test credentials against a staging or local environment. Do not record real passwords for accounts you care about.
WHAT LEAVES YOUR BROWSER
Nothing, unless you take an action that moves it. The extension makes no network requests. It does not phone home, does not report install or usage events, and does not load any remote scripts. The only ways data can leave your browser are:
- You click EXPORT on a crawl and save the JSON file. Then it's in that file, wherever you put it.
- You share your Chrome profile with someone else (through Chrome Sync, a shared device, or a backup).
Both of those are your choice, not Crawly's.
PER-SITE PERMISSION
Crawly does not receive access to your browsing at install time. When you open the Crawly popup on a site for the first time, it says NOT ALLOWED YET. When you click ALLOW, Chrome shows its own permission prompt for that specific site. Crawly can only see the site once you grant that prompt. Click REVOKE to remove the permission at any time; the extension will stop running on that site and Chrome will confirm the change.
WHAT CRAWLY DOES NOT DO
- Does not collect analytics, telemetry, or usage metrics.
- Does not sell, rent, or share any user data — there is no data to sell.
- Does not use user data for advertising, credit checks, or any purpose unrelated to the extension's single feature (recording and replaying UI actions).
- Does not include any third-party trackers, SDKs, or remote code.
- Does not read pages you have not explicitly allowed via the permission prompt.
This aligns with Google's Limited Use policy for user data in Chrome extensions.
DELETING YOUR DATA
Delete a single crawl from the popup's DELETE button. To remove everything at once, uninstall the extension from chrome://extensions. Uninstalling clears the extension's local storage on that profile.
CHILDREN
Crawly is a developer tool aimed at people building and testing web applications. It is not directed at children under 13 and does not knowingly collect information from them. Nothing is collected from anyone, but this section exists because reviewers look for it.
CHANGES TO THIS POLICY
If we change this policy, the effective date at the top will change and a summary of what moved will land in the Crawly GitHub repository so you can see the diff.
CONTACT
Questions, concerns, or a security report: open an issue at github.com/yemon/crawly/issues. For anything that shouldn't be public, use the security advisory feature on the same repository.