Privacy Policy
This Privacy Policy describes how Trawl, the SaaS web scraping orchestration platform operated by Pierre Brisorgueil ("Trawl", "we"), collects, uses, retains, and shares Personal Data in connection with the Trawl Service (trawl.me). It is written to comply with Regulation (EU) 2016/679 ("GDPR") and the French loi Informatique et Libertés. It applies to Personal Data processed by Trawl in its capacity as data Controller (Sections 1-3 below). Personal Data that may appear inside output collected by your scrapers is governed separately by the Data Processing Agreement at /dpa and by Section 4 of this Policy.
1. Identity of the Data Controller
The data Controller for the processing described in this Policy is Pierre Brisorgueil, a French auto-entrepreneur (Entreprise Individuelle, profession libérale) established at 4 avenue de l'Église, 44500 La Baule-Escoublac, France, registered under SIREN 793 833 179. Any privacy-related inquiry, request to exercise a data subject right under Articles 15 to 22 of the GDPR, or complaint should be sent to brisorgueilp@gmail.com. The same email address acts as the contact point for the Data Protection Officer (DPO) function. Where required by Article 27 of the GDPR for data subjects outside the European Union, Trawl will publish the identity of its representative on this Policy.
2. Data We Collect From You (Account and Billing)
When you create an account or maintain a Subscription, Trawl collects: full name; email address; password (stored as a salted hash, never in plain text); billing address provided to Stripe; the Stripe customer identifier returned by Stripe and stored in our database; IP address of each authenticated session; user-agent string and minimal browser fingerprint used for security signals; the plan tier you have subscribed to and any compute pack you have purchased; payment events relayed by Stripe (charge succeeded, charge failed, refund issued, dispute opened). Where you choose to enable multi-factor authentication, the associated secret is stored encrypted and is never displayed to Trawl staff in clear text. Where you connect a third-party service (for example a Google account for SSO, a Notion or Sheets export target), Trawl stores the OAuth tokens encrypted at rest and uses them solely to perform the actions you request.
Trawl does not receive or store full payment card numbers, PAN, CVV, or expiry dates. Card data is collected directly by Stripe through Stripe Elements or Stripe Checkout in your browser and is exchanged with Stripe under their PCI-DSS Level 1 certification. Trawl only receives a tokenised reference (the Stripe customer or payment method identifier) used to charge subsequent invoices.
3. Data We Collect From Your Use (Telemetry)
When you use the Service, Trawl automatically collects telemetry that supports the operation, security, and improvement of the Service. This includes: aggregated metrics on Scrap executions (duration, status, compute consumed, errors); error logs (stack traces, last actions before failure, user identifier, without scraped output content); AI Auto-fix usage events (which Scrap was auto-fixed, by which AI provider, success or failure); product click-stream events captured in the dashboard (page views, feature toggles, opt-in/opt-out events) used to improve UX. Telemetry is retained for the periods described in Section 6. We do not commercialise this telemetry, do not sell it, and do not use it to build profiles that are later disclosed to third parties.
4. Data We Process FOR You (Scraped Data)
Where you operate scrapers through Trawl, the output of your scrapes may contain Personal Data of third parties (the data subjects of your scraping operation). For that processing, you act as the data Controller within the meaning of Article 4 of the GDPR and Trawl acts as a data Processor on your behalf within the meaning of Article 28. The full Data Processing Agreement governing this processing is published at /dpa and is incorporated by reference into the Trawl Terms of Service. You are solely responsible for ensuring that your scraping operations rest on a valid lawful basis under Article 6 of the GDPR, that data subjects have been notified where required, that data minimisation and proportionality principles are respected, and that the targeted sites' Terms of Service permit the collection.
Trawl does not analyse the content of your scraped output for marketing, research, or training purposes. Scraped output is encrypted at rest, scoped to your account, and is made available to Trawl staff strictly for incident response, on the conditions set out in Section 11 below and in Annex 3 of the DPA. Trawl never sells, rents, or licenses your scraped output to any third party, and does not enrich it with data from other Users.
5. Lawful Bases for Processing
Trawl relies on the following lawful bases under Article 6.1 of the GDPR for its own processing as a Controller. (a) Performance of contract (Art. 6.1.b) for any processing necessary to provide the Service, run scraper executions, manage Subscriptions, and respond to support requests. (b) Legitimate interests (Art. 6.1.f) for security telemetry, fraud prevention, abuse detection, and product improvement, balanced against your reasonable expectations and rights. (c) Legal obligation (Art. 6.1.c) for processing required by tax law, accounting law, anti-money-laundering rules, and legal hold requests by competent authorities. (d) Consent (Art. 6.1.a) for optional analytics cookies (PostHog) and any optional marketing email; consent may be withdrawn at any time via the cookie preference centre in the footer or by clicking "unsubscribe" in any marketing email, or by writing to brisorgueilp@gmail.com. The withdrawal of consent does not affect the lawfulness of any processing performed before the withdrawal.
6. Data Retention
Account and Subscription data are retained for the lifetime of the Subscription. Upon cancellation, account data is retained for thirty (30) days during which the User may reactivate; after the grace period, account data is permanently deleted, except for billing records, which French tax law requires Trawl to retain for ten (10) years (Article L. 102 B of the Livre des procédures fiscales). Scraped data and Scrap outputs are retained for a default rolling window of ninety (90) days; the User may configure a shorter or longer retention per Scrap, subject to plan limits. Operational logs (security events, error traces) are retained for a maximum of twelve (12) months. Backups are retained on a thirty (30) day rolling cycle and overwritten thereafter. Telemetry events are aggregated; raw event records are retained no longer than ninety (90) days.
Where applicable law (tax, accounting, anti-fraud, anti-money-laundering) imposes a longer retention period on a subset of records (typically invoices and payment evidence for ten years), Trawl applies that longer retention only to the records subject to the obligation; the remainder of the account data is deleted in accordance with the schedule above. Upon termination of the Subscription, Trawl issues a deletion certification on written request to brisorgueilp@gmail.com.
7. Sub-processors
To deliver the Service, Trawl engages the following sub-processors. The list is current as of the date at the foot of this Policy and may evolve with the notice procedure described in the DPA at /dpa Section 6.
| Sub-processor | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing, billing | Ireland (EEA) + US (sub) | EU SCCs Module 2 |
| OVH SAS | Primary hosting, K3s cluster, MongoDB | France (EEA) | N/A (intra-EEA) |
| Resend / Mailgun | Transactional email (alerts, dunning) | US | EU SCCs Module 2 |
| PostHog | Analytics (consent-gated; no data collected if rejected) | EU (EU Cloud) | N/A (intra-EEA) |
| Anthropic / OpenAI / DeepSeek (via LiteLLM) | AI auto-fix, AI digest generation | US (Anthropic, OpenAI), CN (DeepSeek)* | EU SCCs + ad-hoc Schrems II assessment |
| CapSolver | CAPTCHA solving (where enabled) | Hong Kong | Ad-hoc transfer assessment, user-supplied API key |
| IPRoyal / Decodo / Bright Data | Residential / datacenter proxy (where enabled) | Mixed (US, IL, EE) | User-supplied credentials, downstream sub-processor of customer's choice |
* DeepSeek transfers are subject to documented adequacy decision review; users may opt out of DeepSeek-routed AI auto-fix in project settings.
8. International Transfers
Where Personal Data is transferred from the European Economic Area to a third country that has not been the subject of an adequacy decision under Article 45 of the GDPR, Trawl relies on the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) of 4 June 2021 (Commission Implementing Decision (EU) 2021/914), supplemented where appropriate by additional contractual, technical, and organisational measures (e.g. encryption in transit and at rest, access controls, data minimisation) in line with EDPB Recommendations 01/2020 following the Schrems II decision. A copy of the SCCs in force for a given sub-processor will be provided on written request to brisorgueilp@gmail.com under reasonable confidentiality conditions.
For sub-processors whose primary establishment is outside the EEA without a Commission adequacy decision (in particular AI providers in the United States and CapSolver in Hong Kong), Trawl performs an ad-hoc Transfer Impact Assessment that identifies the categories of data exported, the legal regime of the destination country, the supplementary technical and organisational safeguards, and the residual risk to data subjects. The User may opt out of the AI Auto-fix feature in project settings to prevent any export of telemetry to AI providers.
9. Your Rights (GDPR)
Under the GDPR, you may exercise the following rights at any time by writing to brisorgueilp@gmail.com from the email registered with your account: (i) right of access (Article 15): obtain confirmation that your Personal Data is processed and a copy of that data; (ii) right of rectification (Article 16): correct inaccurate or incomplete data; (iii) right to erasure (Article 17): request deletion subject to legal retention obligations; (iv) right to restriction (Article 18); (v) right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format; (vi) right to object (Article 21): including objection to processing based on legitimate interests; (vii) right not to be subject to automated decision-making (Article 22); (viii) right to withdraw consent at any time without affecting prior processing. Trawl responds within thirty (30) days as required by Article 12.3 of the GDPR. You also have the right to lodge a complaint with the French data protection authority (CNIL) at https://www.cnil.fr/en/plaintes.
10. Cookies & Consent
Trawl uses the following cookies on trawl.me:
Strictly necessary (always active, not subject to consent under Art. 6.1.f GDPR): (a) an authenticated session cookie issued upon login and required to keep you signed in; (b) cookies set by Stripe Checkout when you initiate a payment, governed by Stripe's privacy policy; (c) a cookie_consent localStorage entry that stores your banner preference (accept/reject) for 12 months.
Analytics (consent-gated under Art. 6.1.a GDPR): PostHog analytics cookies are set only if you click Accept on the consent banner shown at your first visit. If you click Reject, no analytics cookies or tracking pixels are stored.
You may change your choice at any time: if you have previously accepted, click the Cookie settings link in the footer to open the preference centre and revoke consent; if you have previously rejected, the banner will reappear automatically when consent expires (12 months) or when you clear localStorage. Revoking consent stops future data collection and triggers PostHog opt-out; it does not retroactively delete already-collected analytics events (which are retained for 90 days per Section 6).
11. Security Measures
Trawl implements technical and organisational measures designed to ensure a level of security appropriate to the risk, including: TLS 1.3 in transit; AES-256 at rest on databases and object storage; encrypted credential vault (ACCOUNT_ENCRYPTION_KEY) for OAuth tokens, proxies, and target-site logins; multi-factor authentication available to all Users; role-based access control with CASL abilities; structured audit logging of administrative actions; least-privilege staff access on a need-to-know basis under confidentiality undertakings; regular vulnerability scanning of third-party dependencies; secure software development lifecycle with mandatory code review and CI checks; backup retention and tested restore procedures. The detailed list of security measures applicable when Trawl acts as a Processor is set out in Annex 3 of the DPA at /dpa.
Trawl undertakes to keep these measures under regular review and to update them as the threat landscape and the state of the art evolve. The User remains responsible for the security of credentials they choose to store on Trawl, in particular target-site logins, proxy credentials, and CAPTCHA-solver API keys, and undertakes to rotate them periodically. The User is also responsible for the security configuration of their own account, including the use of strong passwords and the activation of multi-factor authentication where the activity warrants it.
12. Data Breach Notification
In the event of a Personal Data Breach within the meaning of Article 4(12) of the GDPR, Trawl assesses the likelihood and severity of risk to data subjects and, where required by Article 33, notifies the CNIL within seventy-two (72) hours of becoming aware. Where the Breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, Trawl notifies the affected Users without undue delay and, in any event, within forty-eight (48) hours, by email to the address registered with the account. The notification includes the nature of the Breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to mitigate the risk.
13. Contact and Complaints
Any privacy inquiry, data subject right exercise, or complaint should be addressed to brisorgueilp@gmail.com. Trawl undertakes to respond within thirty (30) days. If you believe Trawl has not satisfactorily addressed a privacy concern, you may lodge a complaint with the French data protection authority (CNIL): https://www.cnil.fr/en/plaintes; postal address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France. You may also file a complaint with the supervisory authority of your country of residence within the European Economic Area.
14. Changes to This Policy
Trawl may amend this Privacy Policy from time to time to reflect product changes, new sub-processor engagements, or evolving legal requirements. Material changes (in particular changes to the lawful bases relied upon, to retention periods, or to the list of sub-processors located outside the EEA) will be notified at least thirty (30) days in advance, by email to the address registered with the account and via a banner displayed in the dashboard. The effective date is displayed at the top and bottom of this Policy. Continued use of the Service after the effective date constitutes acceptance of the amended Policy.
Last updated: 2026-05-22 · Data Controller contact: brisorgueilp@gmail.com