Privacy Policy

Overview

CRABB is designed with privacy as a core principle. The CLI scanner runs entirely locally on your machine and makes no network calls by default.

What We Don't Collect

  • We do not track local scans
  • We do not collect telemetry
  • We do not store file paths, variable names, or secret values
  • We do not collect machine identifiers or IP addresses beyond standard server logs

What We Collect (with --share only)

When you explicitly use the --share flag, the following aggregated data is sent to create a score card:

  • Your CRABB score (0-100)
  • Your grade (A-F)
  • Finding counts by severity (critical, high, medium, low)
  • Finding counts by scanner (credentials, skills, permissions, network)
  • CLI version

We never receive: actual secrets, file paths, domain names, variable names, or any raw finding details.

Score Card Retention

Score cards are stored for 90 days and then automatically deleted. You can delete your score card at any time using the delete token provided when the card was created.

Website Analytics

We use minimal analytics to understand how the website is used. We track page views and referrers in aggregate. We do not use cookies for tracking.

Open Source

CRABB is fully open source. You can audit the code to verify our privacy practices at github.com/getcrabb/crabb.

Contact

For privacy questions, open an issue on GitHub or email privacy@crabb.ai.

Last updated: February 2026