Privacy Policy
Effective June 12, 2026
The short version. Crusader is built local-first. The desktop app keeps your work — proxy history, captures, site map, findings, identities, notes, and plugins — in a database on your machine and sends us nothing by default. There is no usage telemetry in the app. This page explains the handful of cases where data does leave your device (all of which you initiate), and the limited, privacy-preserving analytics on this website.
01 Scope
This policy applies to the Crusader desktop application ("the app"), the crusaderproxy.com website, and the account and licensing system used for paid plans. It is operated by [Crusader legal entity] ("Crusader", "we", "us"). It does not cover the third-party systems you test with Crusader, or third-party services you choose to connect (such as an LLM provider) — those are governed by their own terms.
02 The app is local by default
Everything you capture and create in Crusader is stored locally on your device in a SQLite database and supporting files. That includes proxy history, request/response captures, the site map, scanner findings, tagged identities, comments, notes, and any plugins you write. We do not collect this data, cannot see it, and it never leaves your machine unless you take one of the explicit actions described in the next section.
The app contains no embedded analytics or usage telemetry — no event tracking, no "anonymous usage statistics," no phone-home on launch. Crash logs, if generated, are written to a local folder on your device only and are never automatically transmitted to us.
03 When the app connects out
The app makes network connections only in these cases, each of which you control:
- Testing traffic. When you use the proxy, Repeater, Intruder, scanner, or transport features, the app sends the requests you direct at the targets you choose. That traffic goes to those targets — not to us. We never see it.
- Software updates (off by default). If you turn on update checks, the app requests a version manifest from api.crusader.sh. That request necessarily reveals your IP address, platform, and current version to our update host. Automatic update checks are disabled until you opt in.
- License activation (paid plans only). When you activate, refresh, or deactivate a paid license, the app contacts our license server — only when you trigger it. See Accounts & licensing. The free tier never contacts the license server.
- AI / LLM features (opt-in). See AI / LLM features. Data goes to the provider you configure, not to us.
- Beacon (OAST) and Team Mode. These use infrastructure you configure or operate (your interaction server, your team workspace). Data flows where you point it.
04 The website (crusaderproxy.com)
We use Cloudflare Web Analytics, which is cookieless and privacy-preserving. It records aggregate metrics — page views, referrers, and coarse country/device-class data — without cookies, without cross-site tracking, and without collecting personal information or building visitor profiles.
Hosting and content delivery are provided by Cloudflare, which processes connection metadata (such as IP address and request headers) to serve the site and protect it from abuse. If you arrive through an affiliate link, see Cookies.
05 Accounts & licensing (paid plans)
The free tier requires no account and no activation. When you purchase or activate a paid plan, we collect and store:
- your email address;
- your license key and subscription/seat status;
- a machine hash — a one-way fingerprint of your device used to bind seats and prevent license sharing (it is not reversible into device details);
- the activation user-agent (app version and operating system) and activation timestamps.
Payments are processed by Stripe. We do not receive or store your full card number. We use account data to validate licenses, enforce seat limits, provide support, send transactional and billing emails, and meet tax and accounting obligations. We do not use it for advertising and we do not sell it.
06 AI / LLM features (opt-in)
Features such as "Review diff" can send redacted evidence to the large-language-model provider you configure (for example Anthropic, OpenAI, or a local model). That data travels directly from your machine to that provider under the provider's own privacy terms — we do not receive, proxy, or store it. If you configure a local model, nothing leaves your machine. These features are off until you set them up.
09 Retention
Local app data stays on your device until you delete it — you control its lifetime entirely. Account and licensing data is retained for the life of your account and for as long as required afterward for legal, tax, and accounting purposes, then deleted or anonymized. Website analytics are aggregate and contain no personal data.
10 Your rights
Depending on where you live (for example under the EU/UK GDPR or the CCPA in California), you may have the right to access, correct, delete, port, or object to the processing of your personal data, and to lodge a complaint with your local authority. Because we hold very little personal data — essentially your account email and license records — most requests are quick to honor. To exercise any right, email privacy@crusaderproxy.com.
11 International transfers
We and our processors may process data in [primary operating jurisdiction] and in other countries where our processors (such as Cloudflare and Stripe) operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses to protect data transferred across borders.
12 Security
Secrets stored by the app (such as API keys and tokens) are encrypted at rest on your device — on Windows via the OS Data Protection API. Account and licensing data is protected with industry-standard administrative and technical measures. No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect your information and to keep the app's default posture private.
13 Children
Crusader is a professional security tool intended for adults. It is not directed to anyone under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
14 Changes to this policy
We may update this policy as the product evolves. We will revise the effective date above, and for material changes we will provide notice through the app or by email where appropriate. Continued use after an update means you accept the revised policy.
15 Contact
Questions about privacy or your data: privacy@crusaderproxy.com. For everything else, see our Terms of Service.