Privacy policy

Stealth-Scraper is operated as a sole proprietorship by Rushikesh Sonu (the "founder", "we", "us") from India. For any privacy-related question, contact support@stealthscraper.dev. The founder also acts as the data-protection contact (DPO) until we grow large enough to need a dedicated one.

We try to collect as little as we can. Specifically:

• Account data — email address, hashed password (when you sign up with email), and basic plan/subscription state. Email is the only required identifier.
• Scrape activity — the URLs you submit, the fields you extract, generated templates, and a count of pages scraped (for usage and billing).
• Technical logs — IP address, user agent, and request timestamps. We use these for abuse prevention, rate limiting, and debugging — not advertising.
• Payment metadata — the last four digits of your card and billing country (passed back from Lemon Squeezy). We never see or store your full card number.

We do notcollect: contacts, location beyond country-level, advertising IDs, biometric data, or anything from your device that isn't in the request itself.

We use a single category of cookie — a session cookie set by Supabase Auth so you stay logged in. It expires when your session does and contains no advertising or tracking payload. We do not use third-party advertising cookies. If we add product analytics later (e.g. PostHog), we will update this section and surface a clear opt-out before turning it on.

Stealth-Scraper is built on a small set of vetted vendors. They each see a narrow slice of your data, only to do their job:

• Supabase — authentication and primary database. Sees account data and scrape activity.
• Lemon Squeezy — payment processing and subscription management. Sees billing email and payment metadata. Lemon Squeezy is the merchant of record.
• Groq — LLM inference for AI-extract. Sees the page content you submit to extract from. We pass minimum-viable context, not your account identity.
• Webshare — residential proxy pool used by some snapshots. Sees the destination URL only; not your account.
• Vercel — hosts the frontend. Receives request metadata (IP, route, status) for delivery.

We do not sell, rent, or trade your data. We do not share it with advertisers or data brokers. We never will.

Regardless of where you live, you can:

• Access — request a copy of everything we hold on you.
• Correct— fix anything that's wrong.
• Delete — wipe your account and associated data. Email support@stealthscraper.dev and we will action it within 14 days.
• Port — receive your data in a structured, machine-readable format (JSON).
• Withdraw consent — for anything you opted into.

EU/UK/EEA residents additionally have the right to lodge a complaint with their local supervisory authority. California residents have CCPA rights — we treat the deletion / access / opt-out flow above as the channel for both regimes.

We hold data only as long as it's useful:

• Account data — until you delete the account.
• Scraped URLs & extracted output — 90 days, then automatic purge. Templates you explicitly saved are retained until you delete them.
• Technical logs — 30 days.
• Billing records — 7 years, as required by applicable tax / financial law.

All traffic uses TLS in transit. Passwords are hashed with industry-standard algorithms (Supabase Auth defaults to bcrypt-class). Database access is gated by row-level security policies — your data is only visible to authenticated requests bound to your account. We do not store payment card numbers; Lemon Squeezy (PCI-DSS Level 1) handles those.

If we ever discover a breach affecting your account, we will notify you by email within 72 hours of confirming impact, as required by GDPR Article 33-34 standards.

Our infrastructure spans the US (Vercel, Supabase, Groq) and EU (Supabase regions where selected). We rely on the standard contractual clauses these vendors publish to transfer data between jurisdictions. If a regulator finds those mechanisms insufficient, we will move data closer to home or switch vendors.

Stealth-Scraper is a developer tool. It is not directed at children under 16, and we do not knowingly collect data from them. If you think a child has signed up, email us and we will delete the account.

We will update this policy when the product evolves. Material changes are flagged via email to active subscribers at least 30 days before they take effect. The effective date at the top of this page is the source of truth.

This policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra. None of this overrides any non-waivable consumer-protection rights you have where you live.

Questions, requests, or anything else — write to support@stealthscraper.dev. We read every email.