Docs
Data, privacy & security
How CrunchJunkie connects to your data, protects it, and lets you take it back.
Read-only, scoped, revocable access
Every platform connection uses OAuth — the same standard behind "Continue with Google". You authorize on the provider's own screen and CrunchJunkie receives a scoped, read-only token; we never see or store your platform password, and we never make changes to your campaigns. The access is revocable at any time, from either CrunchJunkie or the provider, and revoking it immediately cuts off our ability to read that source.
Because the grant is read-only and scoped to just the accounts you select, the access we hold is the minimum needed to build your reports — nothing more.
How tokens and keys are stored
The OAuth tokens that let us sync your data — and any AI provider keys you bring for AI Visibility — are held in our database, which is encrypted at rest by our infrastructure provider, and they only ever travel over encrypted (TLS) connections. They're used solely to sync your data or run your own scans — never shared, and never used for anything else.
This is also why a provider-side change — a password reset, a removed permission — can invalidate a token: the security model is working as intended. When that happens you'll see a reconnect prompt in Needs attention rather than silent failures.
Account security and 2FA
Protect your own login under Settings → Security by turning on two-factor authentication. Scan the QR code with any authenticator app — Google Authenticator, 1Password, Authy — and confirm the six-digit code to pair it. CrunchJunkie then issues one-time recovery codes; save them somewhere safe, as they're shown only once and let you back in if you lose your authenticator.
With 2FA on, a fresh code is required at every sign-in, so your workspace stays protected even if your password is ever compromised. Combined with role-based access for team members, it keeps control of your data in the right hands.
Requiring 2FA for your whole team
Workspace owners can make two-factor authentication mandatory for everyone. Turn on "Require two-factor authentication" under Settings → Team, and any member who hasn't set up 2FA is prompted to do so before they can keep using the workspace — no one slips through with a password alone. You'll need your own 2FA turned on first, so enforcing it can never lock you out of the setting.
Members who still need to enable it get a reminder by email until they do, so you don't have to chase anyone. Existing members simply set up their authenticator on their next visit; nothing else about their access changes.
Payments and PCI
Billing is handled securely by Stripe, a PCI-compliant payments provider. CrunchJunkie never stores full card details — they go straight to Stripe — and your invoices and receipts are available under Settings → Billing → Invoices, with your company billing details and VAT ID applied. Keeping payment data off our systems and with a specialist provider is the safest place for it.
Data deletion and GDPR
Your data stays yours. You can export your reports at any time, and if you decide to leave, request account deletion from Settings → Workspace. After deletion, account and workspace data is removed or anonymised within 30 days; billing records are retained only as long as the law requires. Revoking an integration likewise stops any further reading of that source.
If you'd like help exporting before you go, email hello@crunchjunkie.io and a real person will assist. The principle throughout is straightforward: least-privilege access, encryption at rest, and a clean exit whenever you want one.