Privacy Policy
This policy explains, in plain English, what personal data CrustAPI collects, why we collect it, who we share it with, and the rights you have over it. CrustAPI is a data API at crustapi.com that returns Google Search and Google Maps data as clean JSON or CSV. We are not affiliated with, endorsed by, or sponsored by Google. It covers visitors to our site and anyone who holds a CrustAPI account.
1. Who we are and who is responsible
CrustAPI is a data API. It returns Google Search results and Google Maps and local-business data as clean JSON or CSV. In this policy, CrustAPI, we, us, and our all mean the CrustAPI service. You means the person or business using our site or service.
CrustAPI is a business-to-business service. It is not a consumer or end-user product.
For the personal data of website visitors and account holders (for example your name, email, and account records), we are the controller. We decide why and how that data is processed.
For the data you send to us and retrieve through the API as part of your own work, you are the controller and we act as your processor. You are responsible for having a lawful basis for that processing and for using the data in line with the laws that apply to you.
2. What personal data is
Personal data means any information that relates to an identified or identifiable person. That includes obvious things like a name or email address, and less obvious things like an account identifier or an IP address when it can be linked back to a person.
This policy is about the personal data we hold about you as a visitor or customer. It is not about the public web data you fetch through the API, which you control as described above.
3. What personal data we collect
We only collect what we need to run the service. The categories below are the complete list.
- Account data: your first name, last name, email address, and a password. Your password is stored only as a scrypt hash. We never store your plaintext password.
- Email verification data: when we verify your email, we store only a SHA-256 hash of a temporary 6-digit code plus its short expiry. The code itself is not kept after verification.
- API keys: the API keys you create.
- Billing and purchase records: handled through our payment provider. We store a payment reference, the number of credits granted, and a timestamp. We do not store your card number or full payment details. Our payment provider handles those.
- Usage metadata: for each API call we store the endpoint or type used, a timestamp, and how many credits it cost. We do not store the text of your search queries, and we do not retain the search results tied to your account.
- Session data: when you sign in to the dashboard we store only a SHA-256 hash of your session token and its expiry. Authentication uses a bearer token kept in your browser's local storage, not a cookie.
- Infrastructure logs: our hosting providers process your IP address transiently to deliver, rate-limit, and secure the service. We do not keep IP addresses in our own database.
4. What we do not do
These are real choices we have made, not just promises.
- We do not use cookies for tracking or advertising. crustapi.com sets no cookies at all.
- We use no analytics, advertising, or third-party tracking scripts. No Google Analytics, no Microsoft Clarity, no ad pixels, nothing.
- We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising.
- We do not store your payment card details.
- We do not store the content of your search queries.
5. Why we process your data and our legal bases
We process your personal data for the reasons below. Where the GDPR applies, we also rely on the legal bases noted.
- To provide the service: to create and run your account, issue API keys, meter credits, and return API results. Legal basis: performance of our contract with you.
- To process payments and manage credits: to grant and track credits and keep billing records. Legal basis: performance of our contract with you, and our legal obligation to keep certain records.
- To verify your email: to confirm you own the email address on the account. Legal basis: performance of our contract with you and our legitimate interest in preventing abuse.
- To keep the service secure and prevent fraud: to rate-limit, lock out repeated failed logins, and protect against misuse. Legal basis: our legitimate interest in a secure and reliable service.
- To understand and improve the product: to analyze usage metadata. Legal basis: our legitimate interest in improving the service.
- To meet legal duties: for example tax and accounting rules. Legal basis: compliance with a legal obligation.
- Where we ask for your consent for a specific purpose, our legal basis is that consent, and you can withdraw it at any time.
6. Who we share your data with
We do not sell or rent your personal data, and we do not share it for advertising.
We share your data only with the trusted service providers that help us run CrustAPI, for example payment processing, email delivery, and hosting. They can use your data only to provide their service to us, and they are bound by confidentiality.
We may also share data if the law requires it, or when we need to protect our rights, our users, or the security of the service.
We process data in the United States. If you are in the EEA or the UK, any transfer of your data is protected by appropriate safeguards, such as the Standard Contractual Clauses.
7. How long we keep it
We keep your account data while your account is open. You can ask us to delete it at any time by emailing support@crustapi.com.
We keep some records, for example billing and tax records, for as long as the law requires or for as long as we need them to resolve disputes or enforce our agreements.
We retain usage metadata for billing, fraud prevention, and product analytics.
8. Automated decision-making
We do not make decisions about you that are based solely on automated processing and that produce legal effects or similarly significant effects. Automated steps such as rate-limiting and account lockout are security measures, not decisions of that kind.
9. Your rights
You have rights over your personal data. To exercise any of them, email support@crustapi.com.
If you are in the EEA or the UK, under the GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected (rectification).
- Have your data deleted (erasure).
- Restrict how we process your data.
- Object to our processing.
- Data portability.
- Withdraw consent where we rely on it.
- Complain to your local supervisory authority.
10. California privacy rights
If you are a California resident, under the CCPA and CPRA you have the right to know what personal information we collect and how we use it, the right to delete it, the right to correct it, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information. You also have the right not to be treated differently for exercising these rights.
To exercise any California right, email support@crustapi.com.
For requests under the GDPR, we respond within one month. We can extend that by up to two more months for complex or numerous requests, and we will tell you if we need to.
11. Cookies and browser storage
crustapi.com sets no cookies at all, and we use no tracking or advertising cookies. To keep you signed in and remember a dashboard preference, we use your browser's local storage instead of cookies.
During payment, checkout runs on our payment provider's own pages, and they may set their own cookies there to process the payment and prevent fraud. Those cookies are governed by that provider's policies, not ours.
Our Cookie Policy explains the browser storage we use in more detail.
12. How we secure your data
We take reasonable steps to protect your data.
- Passwords are stored as scrypt hashes. Email verification codes and session tokens are stored only as SHA-256 hashes.
- All traffic is encrypted in transit over HTTPS and TLS.
- Repeated failed logins trigger a per-account lockout.
- The database is continuously backed up to encrypted object storage.
- No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
13. Age and eligibility
CrustAPI is a business-to-business service. To use it you must be at least 18 years old and use CrustAPI for business or professional purposes. The service is not intended for children, and we do not knowingly collect personal data from children.
14. Changes to this policy
We may update this policy from time to time. If a change is material, we will notify you through the site or by email. If you keep using CrustAPI after an update, that means you accept the updated version.
15. Contact
For any privacy or data-rights request, or any other matter, contact us at support@crustapi.com.