Privacy policy.

1. Who I am

I'm Jan-Willem Bobbink, operating Botsanalyser from Den Haag, the Netherlands. References to "I", "me", and "my" in this policy mean that operator. You can reach me at [email protected].

2. Scope

This policy covers two distinct data flows:

• Waitlist signups on www.botsanalyser.com. If you enter your email address on this site, I process it to notify you when the product launches.
• Bot activity captured through the product. Once installed on a customer's site, Botsanalyser captures non-human crawler requests. This section applies to the customer (the site owner) and to the bot operators whose crawlers are captured.

3. What I collect

Waitlist

When you submit the signup form:

• Your email address.
• The timestamp of your signup.
• Your IP address, stored temporarily for rate limiting (ten minutes), then discarded.

I do not set cookies on this site. I do not run behavioural tracking. I do not profile signups for advertising.

Product (once installed on a customer site)

Botsanalyser captures requests from declared crawlers. For each crawler hit, Botsanalyser stores:

• The user-agent string.
• The URL path requested (not query strings, by default).
• The HTTP response status code.
• The country of the request, derived from the IP address.
• A timestamp.

Botsanalyser does not store the visitor IP address. It does not store request bodies. It does not fire on human browser sessions. It does not set cookies on the customer's site through the plugin or the universal script tag.

4. Why this is GDPR and CCPA safe by design

Bots are not data subjects under GDPR or CCPA. A user-agent string belonging to GPTBot, ClaudeBot, PerplexityBot, Googlebot, Bingbot, Applebot, or any of the other declared crawlers Botsanalyser tracks is not personal data. There is no consent banner requirement because there is no cookie and no human subject.

The only personal data I process is the email address you choose to give me, and I process it for the single purpose of notifying you at launch. That processing has a clear lawful basis under GDPR Article 6(1)(a) (consent, freely given when you submit the form) and Article 6(1)(f) (legitimate interest, when replying to you).

5. Data location and subprocessors

All product data is stored on Cloudflare infrastructure, in the EU region by default. EU customers can stay in the EU region. US customers can choose the US region at sign-up.

I use the following subprocessors:

• Cloudflare. Hosting, edge, storage (D1, KV, R2). EU or US region.
• Resend. Transactional and waitlist email delivery. EU region where possible.

I do not share any data with advertising networks, data brokers, or social platforms.

6. How long I keep data

• Waitlist email. Retained until you unsubscribe, or until six months after launch if you never convert.
• Bot hits. Retained for 13 months by default, or less if the customer configures a shorter retention window.
• Signup rate-limit counters. Ten minutes, then discarded.

7. Your rights

Under GDPR, CCPA, and similar laws, you can ask me to:

• Confirm what data I hold about you.
• Send you a copy of that data.
• Correct inaccurate data.
• Delete your data.
• Restrict processing.
• Object to processing.
• Withdraw consent.

Email [email protected] and I will act within 30 days. You can also lodge a complaint with your data protection authority. In the Netherlands that is the Autoriteit Persoonsgegevens.

8. Security

All connections are encrypted in transit. Data at rest is encrypted on Cloudflare. API keys are scoped, rotatable, and hashed in storage. Every subprocessor on this page has its own SOC 2, ISO 27001, or equivalent attestation.

9. Changes

If I change this policy in a material way, I will update the version and the date at the top of this page, and email waitlist members before the change takes effect. The current version is visible in the legal footer of every product page.