Data Processing Agreement (DPA)
This Data Processing Agreement (the "DPA") is entered into between you (the "Customer", acting as data Controller) and Pierre Brisorgueil ("Trawl", acting as data Processor). It supplements and forms an inseparable part of the Terms of Service published at /terms. It applies whenever Trawl processes Personal Data on behalf of the Customer in connection with the Trawl Service. It implements Article 28 of Regulation (EU) 2016/679 ("GDPR"). Where any provision of this DPA conflicts with a provision of the Terms, this DPA prevails for matters concerning processing of Personal Data.
1. Parties and Definitions
In this DPA, the following capitalised terms have the meanings set out below.
- Customer: the natural or legal person who accesses the Trawl Service under the Terms, acting as data Controller within the meaning of Article 4(7) GDPR.
- Trawl: Pierre Brisorgueil, the data Processor within the meaning of Article 4(8) GDPR.
- Data Subject: the identified or identifiable natural person whose Personal Data is processed.
- Personal Data: any information relating to a Data Subject as defined in Article 4(1) GDPR.
- Processing: any operation performed on Personal Data within the meaning of Article 4(2) GDPR.
- Sub-processor: any third party engaged by Trawl to process Personal Data on behalf of the Customer.
- Standard Contractual Clauses (SCCs): the EU Commission Standard Contractual Clauses for the transfer of Personal Data to third countries set out in Commission Implementing Decision (EU) 2021/914.
- Service Agreement: the Terms of Service at /terms and any related order form binding the Parties.
2. Scope and Subject Matter
This DPA applies to all Personal Data processed by Trawl on behalf of the Customer in connection with the Service, including (a) account, billing, and authentication data of the Customer's authorised users (Customer staff, team members), and (b) Personal Data contained in scraped output produced by Customer-defined scrapers. The Customer is and remains the Controller for all such Personal Data; Trawl acts as Processor and only processes Personal Data on behalf of the Customer to perform the Service. The Customer warrants the lawfulness of the processing instructions transmitted to Trawl.
3. Annex 1 — Subject Matter, Duration, Nature, Purpose, Categories
| Item | Description |
|---|---|
| Subject matter | Orchestration and execution of customer-defined scrapers, related dashboard and management features, AI Auto-fix at Customer's option, third-party integrations triggered by the Customer. |
| Duration | Term of the Service Agreement plus a thirty (30) day grace period during which the Customer may export data, then deletion in accordance with Section 12. |
| Nature | Storage, execution, transmission, retrieval, deletion, AI-assisted modification of configurations. |
| Purpose | Delivering the contractual Service to the Customer. |
| Types of Personal Data — account | Identifiers, contact data, billing data, authentication artefacts, IP addresses, security telemetry. |
| Types of Personal Data — scraped | Defined entirely by the Customer through the scraper configurations the Customer creates; the Customer is responsible for the type assessment and for documenting it under Article 30 GDPR. |
| Categories of Data Subjects | Customer's authorised users (staff, team members); Data Subjects whose Personal Data appears in scraped output as a function of the Customer's chosen targets. |
4. Customer Obligations
The Customer warrants and undertakes to: (i) establish and document a lawful basis under Article 6 GDPR for any processing operation that involves Personal Data through the Service, including any scraping operation that captures Personal Data; (ii) provide the notices required under Articles 13–14 GDPR and obtain any consent required under applicable law; (iii) perform a Data Protection Impact Assessment under Article 35 GDPR where required, including for large-scale scraping of Personal Data; (iv) ensure that the Customer's use of the Service complies with the target sites' Terms of Service and with robots.txt; (v) refrain from instructing Trawl to perform any processing in violation of applicable law. The Customer indemnifies Trawl against any third-party claim arising from the Customer's failure to comply with the foregoing, in line with Section 13 of the Terms.
5. Trawl Obligations as Processor
Trawl undertakes to: (i) process Personal Data only on documented instructions from the Customer, the Service configuration constituting such documented instructions, and inform the Customer if Trawl considers an instruction to violate applicable law; (ii) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality; (iii) implement the technical and organisational measures set out in Annex 3 to ensure a level of security appropriate to the risk; (iv) engage Sub-processors only under the conditions of Section 6; (v) assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations to respond to Data Subject requests under Articles 15 to 22 GDPR within ten (10) business days; (vi) assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation); (vii) on termination of the Service Agreement, delete or return Personal Data per Section 12; (viii) make available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR.
6. Sub-processors
Trawl uses the Sub-processors listed in Annex 2 below. The Customer hereby authorises engagement of these Sub-processors. Trawl will give the Customer at least thirty (30) days' prior notice of the addition or replacement of a Sub-processor, by email to the address registered with the account or by in-app notification. The Customer may object on reasonable data protection grounds within the notice period; if the Parties cannot agree on a remediation within fifteen (15) business days of the objection, the Customer may terminate the affected portion of the Service Agreement without penalty and obtain a pro-rata refund of any prepaid fees for the unused portion. Trawl remains liable for the acts and omissions of its Sub-processors as it would for its own.
7. Annex 2 — Sub-processors List
| Sub-processor | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing, billing | Ireland (EEA) + US (sub) | EU SCCs Module 2 |
| OVH SAS | Primary hosting, K3s cluster, MongoDB | France (EEA) | N/A (intra-EEA) |
| Resend / Mailgun | Transactional email (alerts, dunning) | US | EU SCCs Module 2 |
| Sentry | Error tracking | US | EU SCCs Module 2 |
| Anthropic / OpenAI / DeepSeek (via LiteLLM) | AI auto-fix, AI digest generation | US (Anthropic, OpenAI), CN (DeepSeek)* | EU SCCs + ad-hoc Schrems II assessment |
| CapSolver | CAPTCHA solving (where enabled) | Hong Kong | Ad-hoc transfer assessment, user-supplied API key |
| IPRoyal / Decodo / Bright Data | Residential / datacenter proxy (where enabled) | Mixed (US, IL, EE) | User-supplied credentials, downstream sub-processor of customer's choice |
* DeepSeek transfers are subject to documented adequacy decision review; the Customer may opt out of DeepSeek-routed AI Auto-fix in project settings.
8. Data Subject Rights Assistance
Trawl will, without undue delay and within a maximum of ten (10) business days of receipt, forward to the Customer any Data Subject request received directly by Trawl that concerns the Customer's processing. Trawl will not respond to the Data Subject directly unless the Customer authorises Trawl to do so or unless required by applicable law. Trawl provides the Customer with technical means (data export, deletion, account closure endpoints in the dashboard) to enable the Customer to fulfil Data Subject requests under Articles 15 to 22 GDPR.
9. International Transfers
Where Personal Data is transferred outside the European Economic Area to a Sub-processor located in a third country that is not the subject of an adequacy decision under Article 45 GDPR, the EU Standard Contractual Clauses (Module 2 — Controller to Processor) of 4 June 2021 are incorporated by reference into this DPA and Trawl warrants adherence to additional safeguards where required following the Schrems II decision (case C-311/18). Trawl performs an ad-hoc Transfer Impact Assessment for each non-EEA Sub-processor and documents the technical and organisational supplementary measures in place. A copy of the SCCs in force will be provided to the Customer on written request to brisorgueilp@gmail.com.
10. Audit Rights
The Customer may, once per twelve (12) month period, audit Trawl's compliance with this DPA upon sixty (60) days' prior written notice, under a written non-disclosure agreement, at the Customer's expense, during Trawl's normal business hours, and without disrupting Trawl's operations or the rights of other customers. Trawl may satisfy any audit request by providing a recent third-party audit report (such as SOC 2 Type II or ISO/IEC 27001) where Trawl holds one. Where the audit reveals a material non-compliance, the Parties will agree on a remediation plan in good faith.
11. Personal Data Breach Notification
Trawl notifies the Customer of any Personal Data Breach within forty-eight (48) hours of becoming aware of it. The notification includes, to the extent then known: the nature of the Breach; the categories and approximate number of Data Subjects affected; the categories and approximate number of Personal Data records affected; the likely consequences of the Breach; the technical and organisational measures taken or proposed to address the Breach and to mitigate its possible adverse effects. Trawl provides further information progressively as it becomes available, to enable the Customer to comply with its own notification obligations under Articles 33 and 34 GDPR.
12. Return or Deletion of Personal Data
On termination of the Service Agreement, Trawl deletes all Personal Data processed on behalf of the Customer (account and scraped) within thirty (30) days of the effective date of termination, unless retention of a specific record is required by Union or Member State law (typically billing records subject to a ten-year tax retention). Where the Customer requests, Trawl will instead return the Personal Data in a structured, commonly used, machine-readable format prior to deletion. Trawl issues a written certification of deletion on request to brisorgueilp@gmail.com. Backup media is overwritten on the rolling cycle described in Section 6 of the Privacy Policy at /privacy.
13. Annex 3 — Security Measures
Trawl implements the following technical and organisational measures, which Trawl undertakes to keep under regular review and to update as the threat landscape and the state of the art evolve:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for databases, object storage, and backups.
- Encrypted credential vault (ACCOUNT_ENCRYPTION_KEY) for OAuth tokens, proxy credentials, and target-site logins.
- Multi-factor authentication available to all users.
- Role-based access control through the CASL ability framework.
- Structured audit logging of administrative actions.
- Least-privilege staff access on a need-to-know basis under written confidentiality undertakings.
- Secure software development lifecycle with mandatory code review and CI checks.
- Regular vulnerability scanning of third-party dependencies.
- Vendor risk assessment for new Sub-processors.
- Documented incident response plan.
- Backup retention with tested restore procedures.
- Cross-tenant data isolation: {{CROSS_TENANT_ISOLATION}}.
14. Liability
The liability of each Party under this DPA is back-to-back with the Limitation of Liability section of the Trawl Terms of Service at /terms. The aggregate liability cap and the one-year time-bar set out in Section 12 of the Terms apply equally to claims arising under this DPA, except where applicable law mandates otherwise (in particular for liability under Article 82 GDPR, which cannot be limited beyond what the GDPR itself permits).
15. Term, Governing Law, Jurisdiction
This DPA takes effect upon the Customer's first acceptance of the Terms of Service and remains in force for the term of the Service Agreement and for so long as Trawl processes Personal Data on the Customer's behalf. It is governed by French law. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the Tribunal de Commerce de Paris.
Last updated: 2026-05-07 · Contact: brisorgueilp@gmail.com