01 Overview
The short version: we collect the account and usage data needed to run the service, bill you accurately, and keep your account secure. We do not sell your personal information, and the web content you extract is stored only to power your request history — never resold or used to train models. The detail below covers the specifics.
webscrape.ai ("webscrape.ai", "we", "us", or "our") provides a web scraping and data-extraction platform that turns web pages into clean, schema-validated structured data through a single API. This Privacy Policy applies to our marketing website, dashboard, API, and related services (together, the "Services").
By using the Services you agree to the collection and use of information in accordance with this policy. This policy should be read alongside our Terms of Service.
02 Information we collect
We collect the following categories of information:
Information you provide
- Account information — your email address and a hashed password when you register. Passwords are stored only as an argon2id hash; we never store or have access to your plaintext password.
- Profile & onboarding details — optional information you supply during onboarding, such as your use case and preferences.
- Payment information — when you purchase a plan or credit pack, billing is handled by our payment processor. We receive the transaction metadata and credit-grant details needed to fulfil your order, but full card numbers are processed and stored by the payment provider, not by us.
- Support & feedback — the contents of messages, feedback, and support requests you send us.
Information we generate or collect automatically
- API keys & sessions — we generate API keys and session tokens for authentication. API keys and session tokens are stored only as SHA-256 hashes; the full secret is shown to you once and never persisted in cleartext.
- Request & usage metadata — for each API request we record metadata such as the endpoint used, target URL, status, latency, credits consumed, model, and token counts, so you can review usage and we can bill and operate the Services.
- Request & response payloads — the inputs you submit and the structured output we return are stored so you can review them in your request history. See Scraped content & payloads below.
- Technical & log data — IP address, browser/user-agent, and timestamps associated with requests, used for security, abuse prevention, and rate limiting.
03 How we use information
We use the information we collect to:
- provide, operate, maintain, and improve the Services;
- authenticate you and keep your account and our infrastructure secure;
- process payments and manage your credit balance and billing;
- meter usage, enforce rate limits, and prevent fraud and abuse;
- show you your request history, usage analytics, and account activity;
- respond to your support requests and send service-related notices (such as verification, billing, and security emails);
- send product updates and marketing communications where you have opted in — you can unsubscribe at any time;
- comply with legal obligations and enforce our Terms of Service.
We do not use the content you extract through the Services to train machine-learning models, and we do not sell your personal information.
04 Scraped content & payloads
When you make an extraction request, our engine fetches the target URL, cleans the content, and returns structured data. The page content is processed transiently to fulfil your request.
To power your request history, the request and response payloads are stored on our object-storage provider in a compressed form and indexed in our database. These payloads are subject to a retention window and are automatically expired by a background cleanup process and storage lifecycle rules. We treat scraped content as your data: we do not resell it and we do not use it to train models.
You are responsible for the content you choose to extract. You should only scrape content you are permitted to access, and you must comply with the terms, robots directives, and applicable laws governing the sites you target. See our Acceptable Use terms for detail.
06 Third-party subprocessors
We rely on a small set of service providers ("subprocessors") to deliver the Services. Each processes only the data needed for its function and is bound by its own privacy and security commitments:
- Payment processing: Handles checkout, subscriptions, and credit-pack purchases. Receives the billing details needed to process your payment.
- Transactional email: Delivers account, verification, billing, and security emails. Receives your email address and message content.
- Cloud hosting & storage: Runs our application servers and stores request/response payloads. Receives data you submit through the Services.
- Product analytics: Helps us understand product usage so we can improve the Services. Receives cookieless usage events (such as pages viewed and features used) and, for signed-in users, your account identifier and email. Hosted in the EU.
- Error monitoring: Captures application errors and diagnostic context so we can detect and fix problems. May receive technical details of an error (such as the page, browser, and a stack trace) and, for signed-in users, your account identifier and email.
We will keep this list current as our infrastructure evolves. If you need a complete, named subprocessor list for a vendor-security review, contact us at [email protected].
08 Data retention
We retain account information for as long as your account is active and as needed to provide the Services. Request and usage metadata is retained to support your history, billing, and our operational and legal needs.
Request/response payloads are retained for a limited window and then automatically expired by our cleanup processes and storage lifecycle rules. When you delete your account, we delete or de-identify your personal information within a reasonable period, except where we are required to retain it to comply with legal, tax, or accounting obligations or to resolve disputes and enforce our agreements.
09 How we protect data
We take reasonable and commercially appropriate measures to protect your information, including:
- passwords hashed with argon2id (per current OWASP guidance), never stored in plaintext;
- API keys and session tokens stored only as SHA-256 hashes;
- encryption in transit (TLS) for traffic between you and the Services;
- compression and access-controlled storage for request/response payloads;
- scoped internal access and authentication between our own services.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.
10 International transfers
We and our subprocessors may store and process your information in countries other than the one in which you reside. Where information is transferred internationally, we take steps to ensure it remains protected consistent with this policy and applicable data-protection law. By using the Services, you understand that your information may be processed in jurisdictions whose data-protection laws may differ from those of your own.
11 Your privacy rights
Depending on where you live, you may have rights over your personal information, including the right to access, correct, delete, export, or restrict the processing of your data, and to object to certain processing.
- EEA/UK (GDPR): rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your local supervisory authority.
- California (CCPA/CPRA): the right to know what personal information we collect, to request deletion, to correct it, and to not be discriminated against for exercising these rights. We do not sell or "share" personal information as those terms are defined under California law.
You can exercise many of these rights directly from your account settings, or by contacting us at [email protected]. We may need to verify your identity before acting on a request.
12 Children's privacy
The Services are not directed to children, and we do not knowingly collect personal information from anyone under the age of 13 (or the minimum age required in your jurisdiction). If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
13 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the Services or by email. Your continued use of the Services after an update means you accept the revised policy.
14 Contact us
If you have questions about this Privacy Policy or how we handle your data, contact us at [email protected]. For our overall terms, see the Terms of Service.