CanaryFlow AICanaryFlow AI

Privacy Policy

Last updated: 23 March 2026

1. Introduction

CanaryFlow AI Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website at canaryflow.ai and our AI visibility monitoring platform at app.canaryflow.ai (together, the "Service").

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller is:

CanaryFlow AI Ltd
71-75 Shelton Street, Covent Garden
London, England, WC2H 9JQ
[email protected]

3. Data We Collect

We collect and process the following categories of personal data:

Account Information

When you create an account, we collect your email address. We use email-based passwordless authentication (magic links) to sign you in.

Workspace & Product Data

When you use the Service, we store data related to your workspaces, team memberships, AI visibility monitoring runs, displacement analysis results, and demand analysis results.

Feedback & Error Reports

If you submit feedback through our in-app widget, we collect your feedback text and your email address. If you encounter login errors, we may automatically send your email address and error details to our error reporting service to help us resolve issues.

Booking Information

If you schedule a call through our website, your booking information is processed by Cal.com under their own privacy policy.

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Process your AI visibility monitoring runs and deliver results
  • Respond to your feedback and support requests
  • Diagnose and fix technical issues
  • Send you service-related communications (e.g. workspace invites)

We do not use your personal data for advertising, profiling, or automated decision-making. We do not sell your personal data.

5. Legal Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract: Processing necessary to provide the Service you have signed up for (account management, running analyses, delivering results).
  • Legitimate interests: Diagnosing errors, improving the Service, and ensuring security, where these interests are not overridden by your rights.
  • Consent: Where you voluntarily submit feedback or schedule a booking.

6. Cookies

We use strictly necessary cookies to manage your authentication session. These cookies are essential for the Service to function and cannot be disabled.

We do not use any analytics, advertising, or tracking cookies.

7. Third-Party Services

We share data with the following third-party services as necessary to operate the Service:

  • Supabase — Database hosting and authentication. Stores your account data, workspace data, and session information.
  • OpenAI, Anthropic, Google, and Perplexity — AI model providers used to perform AI visibility analysis. Your brand and product queries (not personal data) are sent to these services.
  • DataForSEO — Search engine results and AI Overview data provider.
  • Formspree — Processes feedback submissions and error reports.
  • Cal.com — Booking widget embedded on our website, subject to their own privacy policy.
  • Logo.dev — Provides brand logos displayed within the Service.

Each third-party provider processes data according to their own privacy policies. We only share the minimum data necessary for each service to function.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you request deletion of your account, we will delete your personal data within 30 days, except where we are required to retain it by law.

Error reports and feedback submissions are retained for up to 12 months to help us improve the Service.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate personal data.
  • Erasure — Request deletion of your personal data.
  • Restriction — Request that we limit processing of your personal data.
  • Data portability — Request a machine-readable copy of your personal data.
  • Objection — Object to processing based on legitimate interests.
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. International Transfers

Some of our third-party service providers operate outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, in accordance with UK GDPR requirements.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes encrypted connections (HTTPS), secure authentication, and access controls.

12. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

CanaryFlow AI Ltd
71-75 Shelton Street, Covent Garden
London, England, WC2H 9JQ
Email: [email protected]