Answers about your first scan, devices, findings, billing, and privacy. Search below or browse by category.
From signup to your first ranked finding in about two minutes.
1. Sign up with your work email — verification email arrives in under a minute.
2. Open the dashboard, paste any public URL in the New Scan field, and pick at least one device profile (we suggest iPhone 15 Pro + Desktop Chrome for your first run).
3. Click Run. Your scan returns ranked findings as fast as the browser can render and the AI can grade — typically 1-3 minutes on Free's 3 devices, longer on Studio's 17. You'll see live progress per device while it runs.
4. Open any finding to see the screenshot, console output, and reproduction steps. Hit Share to send it to anyone — they don't need an account.
If you don't know, start with iPhone 15 Pro, Pixel 8, and Desktop Chrome. That covers about 70% of real visitor sessions for most marketing sites.
Add iPad Pro if you sell to creatives or have a heavy tablet audience. Add Galaxy S25 Ultra if you target Android markets outside the US. Add Desktop Safari if your customers skew Apple.
Every additional device profile re-runs the scan from scratch on that device, so it counts against your scan budget. Pick what matters; you can always re-run later.
Scan time scales with device count and pages: typically 1-3 minutes for a Free-tier 3-device single-page scan, up to 6-10 minutes for Studio's 17-device fleet or multi-page crawls. Longer if the target site is slow to respond.
You don't have to wait — close the tab and we'll email you a summary if the scan turns up at least one blocker finding. Lower-severity findings stay quiet in the dashboard.
Localhost (127.0.0.1, localhost) and any RFC1918 private IP are rejected by our SSRF guard — the scanner runs in our cloud, not on your machine, so it has no path to your local network.
For staging, use a public staging URL (e.g. staging.yourapp.com or a Vercel/Netlify preview URL). If your staging requires auth, we can't reach it in v1 — see Scanning auth-protected staging.
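The SSRF guard described above rejects loopback and RFC 1918 targets. As an added illustration (not Canaryflux's own code), here is a Python version of that guard written from the scanner's side, generalised to every non-public range and to the case where a hostname resolves to a private address. The host names and the `FAKE_DNS` table are constructed so the example runs offline; a real guard would call `socket.getaddrinfo()` and connect to the exact address it checked.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline (hypothetical hosts).
# Real code would call socket.getaddrinfo() here and then connect to the exact
# address it checked, so an answer that changes between check and connect cannot
# slip past the guard.
FAKE_DNS = {
    "staging.example.com": ["198.41.0.10"],               # sample public address
    "internal.example.com": ["10.0.0.5"],                 # RFC 1918
    "mixed.example.com": ["198.41.0.10", "127.0.0.1"],    # one answer is loopback
    "mapped.example.com": ["::ffff:192.168.1.20"],        # IPv4-mapped IPv6
}


def is_blocked_address(addr) -> bool:
    """True for anything the scanner must never connect to: loopback, RFC 1918,
    link-local, CGNAT, unspecified, reserved and multicast ranges."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:10.0.0.1 is really 10.0.0.1
    return (not addr.is_global) or addr.is_multicast


def check_scan_target(url: str, resolve=FAKE_DNS.get) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL pasted into the New Scan field.
    resolve(host) must return a list of address strings or None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname                  # lower-cased, [] stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not reachable from the scanner"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None                     # not an IP literal, go through DNS
    if literal is not None:
        if is_blocked_address(literal):
            return False, f"{host} is not a public address"
        return True, "ok"
    answers = resolve(host) or []
    if not answers:
        return False, f"{host} did not resolve"
    for answer in answers:                 # every answer must be public, not just the first
        if is_blocked_address(ipaddress.ip_address(answer)):
            return False, f"{host} resolves to non-public {answer}"
    return True, "ok"
```

The check is deliberately applied to every address a name resolves to, not only the first, and `::ffff:` mapped addresses are unwrapped before the range test; both are common gaps in home-grown guards.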
Failed scans don't count against your monthly budget. You'll see the failure reason directly in the dashboard (DNS, TLS, navigation timeout, etc.).
Most common causes: aggressive bot-protection on the target site (Cloudflare challenge, Akamai bot manager), a redirect chain that loops, or a 503 from the origin under load. Try again in a few minutes — if it keeps failing, email support with the run ID.
What counts, what's captured, how multi-page crawl works.
One scan is one run against one URL, across all the device profiles you selected for that run. Selecting 5 devices is still one scan against your monthly budget.
On Pro and above, a single scan can also crawl multiple pages — 2 on Pro, 4 on Studio — and each page is captured on every selected device. Still one scan.
If your site has a sitemap.xml, we read it. Otherwise we do a BFS link discovery from the URL you provided, staying same-origin only.
We respect your tier's per-scan page cap (1 on Solo, 2 on Pro, 4 on Studio). Pages are picked by relevance: landing-style URLs and high-traffic paths first, deep PDP/article URLs only if you have budget.
To force-include specific URLs, paste a comma-separated list in the New Scan field instead of a single URL.
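The page-selection rules above (sitemap first, otherwise same-origin BFS, per-tier page cap, optional comma-separated force list) are shown below as one Python routine. This is an added example, not Canaryflux's crawler: the `shop.example.com` site and its sitemap are constructed in memory so it runs offline, the "relevance" ordering uses path depth as a stand-in for the landing-page/high-traffic ranking the FAQ describes, and the `DISCOVERY_BUDGET` multiplier is an assumption.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

PAGE_CAP = {"free": 1, "solo": 1, "pro": 2, "studio": 4}   # per-scan page caps quoted in the FAQ
DISCOVERY_BUDGET = 5                                       # assumption: visit at most cap*5 pages before ranking

# Constructed in-memory site (hypothetical host) so the example runs offline.
SITE = {
    "https://shop.example.com/": '<a href="/pricing">Pricing</a> <a href="/blog/post-1">Blog</a> '
                                 '<a href="/pricing#faq">FAQ</a> <a href="https://cdn.example.net/a.js">cdn</a>',
    "https://shop.example.com/pricing": '<a href="/">Home</a> <a href="/products/widget-42">Widget</a>',
    "https://shop.example.com/blog/post-1": '<a href="/blog/post-2">Next</a>',
    "https://shop.example.com/blog/post-2": "<p>end</p>",
    "https://shop.example.com/products/widget-42": "<p>widget</p>",
}
SITEMAP = ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
           "<url><loc>https://shop.example.com/</loc></url>"
           "<url><loc>https://shop.example.com/products/widget-42</loc></url>"
           "<url><loc>https://shop.example.com/pricing</loc></url>"
           "<url><loc>https://other.example.org/</loc></url></urlset>")
SITE_WITH_SITEMAP = {**SITE, "https://shop.example.com/sitemap.xml": SITEMAP}


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def canonical(url: str) -> str:
    """Lower-case scheme and host, default the path to '/', drop the fragment."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def depth(url: str) -> int:
    return len([seg for seg in urlsplit(url).path.split("/") if seg])


def sitemap_urls(origin: str, fetch) -> list:
    """Every <loc> in /sitemap.xml, or [] when the site has no sitemap."""
    body = fetch(urljoin(origin, "/sitemap.xml"))
    if not body:
        return []
    root = ET.fromstring(body)
    return [canonical(el.text) for el in root.iter() if el.tag.endswith("loc") and el.text]


def bfs_discover(start: str, fetch, budget: int) -> list:
    """Breadth-first over same-origin <a href> links, visiting at most budget pages."""
    start = canonical(start)
    seen, visited, queue = {start}, [], deque([start])
    while queue and len(visited) < budget:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        ex = LinkExtractor()
        ex.feed(body)
        for href in ex.hrefs:
            nxt = canonical(urljoin(url, href))
            if same_origin(start, nxt) and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return visited


def plan_pages(new_scan_field: str, tier: str, fetch) -> list:
    """Decide which same-origin pages one scan captures, within the tier's cap."""
    cap = PAGE_CAP[tier]
    urls = [canonical(u) for u in new_scan_field.split(",") if u.strip()]
    origin = urls[0]
    if len(urls) > 1:
        # explicit comma-separated list: keep the user's order, same-origin only
        candidates = [u for u in urls if same_origin(origin, u)]
    else:
        candidates = [u for u in sitemap_urls(origin, fetch) if same_origin(origin, u)]
        if not candidates:
            candidates = bfs_discover(origin, fetch, cap * DISCOVERY_BUDGET)
        # relevance proxy (assumption): shallow, landing-style paths first; the
        # stable sort keeps discovery order within one depth
        candidates.sort(key=depth)
        candidates = [origin] + [u for u in candidates if u != origin]   # pasted URL is always captured
    return list(dict.fromkeys(candidates))[:cap]
```

Off-origin links (the CDN asset, the foreign sitemap entry) are dropped at discovery time rather than filtered later, so the crawler never requests anything outside the origin you pasted.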
For each device + page combination, we:
We don't click destructive buttons (Delete, Cancel subscription, Sign out) or fill forms that look like checkout / login.
If your site is changing often: before every deploy, plus a weekly full-site scan to catch regressions in pages you didn't touch.
If your site is fairly static: once a week is usually enough. Add a one-off scan whenever you ship a new section.
Scheduled scans (recurring on a cron) are on the Studio-plan roadmap — until they ship, you can re-run from the dashboard in two clicks.
No raw HTML. We store three things:
1. The rendered screenshot as captured. The image is not redacted: anything the browser drew on screen is in it (this matters most for Pro/Studio authenticated scans, where the session may see customer or billing data).
2. A small DOM excerpt with text-pattern PII (emails, phones, JWTs, Bearer / Authorization tokens, Stripe / AWS / GitHub / Slack key patterns, credit-card-like and SSN-like strings) masked before it's sent to the LLM.
3. The captured console + network signals, also masked.
Screenshots are not redacted. Free-text fields like names, postal addresses, and account balances aren't pattern-matched either, so any of those visible on the page reach our vision sub-processors (Google Gemini on the primary path, Anthropic Claude on the fallback path) as image bytes under each provider's commercial API terms. Stored screenshots are purged on our daily sweep once they age past your plan's history window.
See the Security page and the Privacy page for the full data inventory and sub-processor list.
How we rank, what to trust, what to ignore.
Critical — the page is broken for real visitors right now. Blank hero, modal blocking the whole page, signup form throwing errors, payment widget failing to load.
High — a primary user task is broken on at least one device. Mobile nav unclickable, CTA button cut off, key product image missing.
Medium — degraded UX but the page still works. Layout overflow on small viewports, slow LCP, console errors that don't block rendering.
Low — polish issues. Misaligned spacing, minor typography drift, low-priority console warnings.
Severity is set by the vision LLM based on what the bug actually breaks, not by the rule that matched it.
Each capture goes to a vision-capable LLM with a tightly-tuned QA prompt. The model returns candidate findings from what's visible in the screenshot plus the console / network signals we recorded.
A second verification pass re-grades each candidate for confidence — runs the screenshot back through with a different prompt and checks whether the evidence really supports the finding. Low-confidence candidates are dropped before they reach your dashboard.
Most scans produce 3-8 verified findings on real production sites. If you're seeing more than 15 from a single page, the site is likely shipping a real regression — not noise.
If a critical-severity finding is genuinely wrong, email support with the share link — we treat false-critical findings as bugs in our own product and keep a list of patterns to tighten the detector on. Per-finding dismissal that feeds back into the verifier is on the roadmap.
Every finding includes the URL, device profile, viewport size, and user-agent string we used. To reproduce on your machine:
If you can't reproduce, open the scan's run from the Runs page and use the row's kebab menu → Re-run scan — sometimes flaky third-party scripts only break on specific runs.
Available on Pro and Studio. After each scan, we compare it to your most recent baseline scan of the same URL and highlight what's new, what's resolved, and what's persisting.
Use it before deploying: scan the staging URL, then scan production, and the diff shows you what broke between them. The diff is also embedded in the share link, so you can send "here's what changed since Tuesday" to anyone on your team.
Upgrades, downgrades, refunds, invoices. Handled through Stripe.
Settings → Billing → Change plan. Pick the new tier. Upgrades take effect instantly and are prorated — you get the new quota right away and we only charge the difference for the rest of the current cycle.
Downgrades take effect at the end of your current billing cycle so you don't lose paid time. Your higher-tier features (more devices, more pages, regression diff) keep working until the cycle rolls over.
Settings → Billing → Manage subscription opens the Stripe customer portal. Cancel takes effect at the end of your current billing period — no auto-renew, no surprise charge.
You can get a full refund of your first paid subscription when all three are true:
Scans you ran while on the free tier don't count toward the 20-scan limit — only paid scans do.
Why first plan only: the free tier (3 scans/month across 3 device profiles) is the real "try it" path. The paid-plan refund is for buyers who committed to evaluating, gave it an honest shot, and decided it's not for them. Once you've been on any paid plan — refunded or not — that signal is locked in and future plans aren't eligible.
How to request it: email support@canaryflux.com from your account address and we'll process the refund within 5-10 business days. No forms, no "tell us why."
The fine print: Annual plans qualify for the same 14-day / 20-scan window from initial purchase (renewals aren't refundable — cancel before the renewal date instead). Tier upgrades mid-cycle (e.g., Solo → Pro on day 5) stay under the original first-plan window on the price difference — not a new refund window. Service outages, scanner errors, and billing mistakes are refunded separately and aren't subject to the 20-scan cap or the first-plan rule. Accounts suspended for Terms of Service violations aren't eligible. EU, UK, and Turkey customers retain their statutory cooling-off rights regardless of usage.
Yes — annual billing is self-serve. On the pricing page, toggle Annual · Save 20% above the plan cards and pick your tier. You'll be charged once for the full year at a 20% discount versus the monthly rate (Solo $278/yr, Pro $758/yr, Studio $2,390/yr). If you'd prefer to be invoiced rather than charged on a card, email sales@canaryflux.com and we'll set up a manual annual invoice.
Annual plans qualify for the same 14-day / 20-scan refund window from initial purchase — but only if it's your first paid plan on Canaryflux. If you've already had a monthly subscription, switching to annual is treated as a new plan and isn't refundable. After day 14 (or 20 scans, whichever comes first), annual plans run until the end of the paid term; mid-cycle downgrades to monthly take effect at the next renewal, in line with our Terms.
Settings → Billing → Manage subscription opens Stripe's portal, which has every invoice with a download link. Invoices are also emailed to your account address on the day of charge.
Need a custom billing address, VAT number, or PO on the invoice? Update it in the Stripe portal under Billing info; the next invoice will use the new details.
The Run button is disabled and the dashboard shows a banner with your usage. Quotas reset on the 1st of each calendar month at midnight UTC.
If you need more scans right now, upgrade — the upgrade is prorated and your new quota is available immediately.
Login, password resets, email changes, team seats.
Click Log in → Forgot password. Enter your account email and we send a single-use reset link with a 1-hour TTL.
If the reset email doesn't arrive, check spam — and confirm you're using the same email you signed up with. Requesting a second reset immediately invalidates the first.
Email changes aren't self-serve in v1. Email support from your current account and tell us the new address — we'll move your account and confirm when it's done. Your runs, findings, and billing carry over.
Settings → Account → Delete account. You'll see exactly what gets removed (scans, findings, screenshots, account record) and what's cancelled (your active Stripe subscription — Stripe retains billing and tax records under its own policy, not ours), and you'll be asked to type your email to confirm.
Account deletion is permanent and cannot be undone. Active subscriptions are cancelled automatically — no further charges. If you have an unused refund window, request the refund before deletion.
Adding teammates — Canaryflux is single-user per account in v1. Each person on your team would create their own account. Multi-user workspace with role-based access is on the Studio-plan roadmap.
Authenticated scanning — available on Pro and Studio. From the project's kebab menu, choose "Authenticated scan…" and paste a session cookie or single Authorization header per project; we Fernet-encrypt it at rest and replay it on the next scan, capturing whatever the logged-in session can see. Free and Solo run as a logged-out visitor only. SSO redirects, MFA challenges, and per-request CSRF tokens still defeat cookie/header replay — for those, a long-lived test account or a staging URL behind basic-auth is your best bet. Only paste a test or staging session, never a real customer's. Do not paste sessions that reveal health, financial-account, biometric, or government-ID data (GDPR Art. 9 / LFPDPPP “datos sensibles”) without express consent and a processor agreement covering that category. See the Authenticated scanning block on the Security page for the full handling model.
What we send to the LLM, what we never send, who can see your scans.
Inside the dashboard, scan data is gated to your workspace — other customers can't see it, we never sell it, and we don't use it to train any model. Behind the scenes our sub-processors (see the full list below) process it on our behalf: Google Gemini grades the screenshots on the primary path via the paid Gemini API (commercial terms prohibit training on inputs), Anthropic Claude grades them on the fallback path when Gemini is unavailable (commercial terms prohibit training on inputs), Railway stores them on our disk until your tier's retention window expires, Sentry receives client error events with credentials stripped. Canaryflux staff can access stored screenshots when strictly needed for support or abuse handling.
Share links you generate use 24-byte cryptographically random URL-safe tokens with a 90-day expiry; the server stores only the SHA-256 hash of each token. Anyone with the URL can view that one finding (no sign-in required), so be careful if the screenshot shows authenticated data — revoke any time from the finding's Share menu.
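The share-link model above (24 random URL-safe bytes, only the SHA-256 of the token stored, 90-day expiry, owner-side revoke) is small enough to show end to end. The following Python is an added example, not Canaryflux's code: `ShareLinks` is an in-memory stand-in for the real table, `FakeClock` exists only so the 90-day expiry can be exercised without waiting, and the finding id is made up.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_BYTES = 24                 # 24 random bytes -> 32 URL-safe characters
SHARE_TTL = timedelta(days=90)


def token_hash(token: str) -> str:
    """Only this digest is persisted; the plaintext token exists solely in the URL."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class FakeClock:
    """Constructed clock so expiry can be demonstrated without waiting 90 days."""
    def __init__(self, start: datetime):
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, days: int) -> None:
        self.t += timedelta(days=days)


class ShareLinks:
    """In-memory stand-in (assumption) for the share-link table."""

    def __init__(self, now=None):
        self._rows = {}   # sha256(token) -> {"finding_id", "expires_at", "revoked"}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def create(self, finding_id: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._rows[token_hash(token)] = {
            "finding_id": finding_id,
            "expires_at": self._now() + SHARE_TTL,
            "revoked": False,
        }
        return token   # embedded in the share URL; never logged or stored in plaintext

    def resolve(self, token: str):
        """Finding id for a valid token, or None when unknown, expired or revoked."""
        row = self._rows.get(token_hash(token))
        if row is None or row["revoked"] or self._now() >= row["expires_at"]:
            return None
        return row["finding_id"]

    def revoke_for_finding(self, finding_id: str) -> int:
        """Owner-side revoke from the finding's Share menu: no plaintext token needed."""
        hit = 0
        for row in self._rows.values():
            if row["finding_id"] == finding_id and not row["revoked"]:
                row["revoked"] = True
                hit += 1
        return hit

    def stores_plaintext(self, token: str) -> bool:
        """Sanity check: the raw token must never appear as a key."""
        return token in self._rows


def demo() -> dict:
    """Walk one link's lifecycle on the fake clock and return what happened."""
    clock = FakeClock(datetime(2025, 1, 1, tzinfo=timezone.utc))
    links = ShareLinks(now=clock)
    token = links.create("finding-1")                      # hypothetical finding id
    out = {
        "token_len": len(token),
        "plaintext_stored": links.stores_plaintext(token),
        "fresh": links.resolve(token),
        "unknown": links.resolve(secrets.token_urlsafe(TOKEN_BYTES)),
    }
    clock.advance(89)
    out["day89"] = links.resolve(token)
    clock.advance(2)
    out["day91"] = links.resolve(token)                    # past the 90-day expiry
    token2 = links.create("finding-1")
    out["revoked_count"] = links.revoke_for_finding("finding-1")   # both rows flagged
    out["after_revoke"] = links.resolve(token2)
    return out
```

Because the table holds only digests, a leaked database dump yields nothing a browser can paste into a URL, and the owner can still revoke every link for a finding without ever seeing the tokens again.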
For each finding pass, we send the rendered screenshot plus a masked DOM excerpt with text-pattern PII and credentials redacted before the call: emails, phone numbers, credit-card-like numbers, SSN-like strings, JWTs, Bearer / Authorization tokens, and Stripe / AWS / GitHub / Slack key patterns. We also send masked console / network signals.
We do not send raw page HTML, your pasted scan cookies, or your pasted Authorization headers. The screenshot itself, however, is sent as-is — free-text fields like names, postal addresses, and account balances aren't pattern-matched in the DOM excerpt and are not redacted from the image either. Anything visible on screen reaches our vision sub-processors as image bytes — Google Gemini on the primary path, Anthropic Claude on the fallback path.
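The text-pattern masking described here, and in the "what we store" answer in the Scans section, can be sketched as a single pass of ordered rules. This Python is an added example rather than Canaryflux's masker: the rule set covers the categories the page lists (emails, phones, credit-card-like and SSN-like strings, JWTs, Bearer / Authorization tokens, Stripe / AWS / GitHub / Slack key shapes), the Luhn check on card candidates and the exact regexes are assumptions, and `SAMPLE_DOM_EXCERPT` is a constructed input. It also shows the limit the page calls out: the name, street address and balance in free text are left untouched.

```python
import re


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a card-like run; filters random digit strings."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (name, pattern, replacement, optional validator). Order matters: structured secrets
# are masked before the broad phone/card patterns can bite a substring of them.
RULES = [
    ("TOKEN", re.compile(r"(?i)\b((?:authorization\s*:\s*)?bearer\s+|authorization\s*:\s*)"
                         r"([A-Za-z0-9\-._~+/]+=*)"), r"\1[TOKEN]", None),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]+"), "[JWT]", None),
    ("STRIPE_KEY", re.compile(r"\b[sp]k_(?:live|test)_[A-Za-z0-9]{8,}\b"), "[STRIPE_KEY]", None),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[AWS_KEY]", None),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[GITHUB_TOKEN]", None),
    ("SLACK_TOKEN", re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"), "[SLACK_TOKEN]", None),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]", None),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]", None),
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "[CARD]", luhn_ok),
    ("PHONE", re.compile(r"(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]", None),
]

# Constructed DOM excerpt + console line standing in for what a scan would capture.
SAMPLE_DOM_EXCERPT = (
    "Account owner: Jane Doe, 12 Harbour Street, balance $1,204.55\n"
    "Contact jane.doe@example.com or +1 (415) 555-0133\n"
    "card 4111 1111 1111 1111 exp 12/30 (constructed Luhn-valid sample), ssn 123-45-6789\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl\n"
    "console: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0NTYifQ.b3RoZXJzaWc\n"
    "env: sk_test_EXAMPLE0000000000000000 AKIAEXAMPLE000000000 "
    "ghp_EXAMPLEexampleEXAMPLE0000 xoxb-000000000000-EXAMPLEtoken\n"
)


def mask_pii(text: str):
    """Apply RULES in order; returns (masked_text, {category: replacements})."""
    counts = {}
    for name, rx, repl, check in RULES:
        def sub(m, _name=name, _repl=repl, _check=check):
            if _check is not None and not _check(m.group(0)):
                return m.group(0)            # card-shaped but fails Luhn: leave it
            counts[_name] = counts.get(_name, 0) + 1
            return m.expand(_repl)
        text = rx.sub(sub, text)
    return text, counts
```

Run `mask_pii(SAMPLE_DOM_EXCERPT)` and the credentials and structured identifiers come back as placeholders, while "Jane Doe", the street address and the balance survive exactly as the answer above warns; that residue is what reaches the vision provider inside the screenshot regardless of any DOM masking.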
By default the scanner runs as a logged-out visitor. On Pro and Studio you can opt in to authenticated scanning (project kebab menu → "Authenticated scan…") — in that mode, the screenshot and DOM excerpt reflect whatever your test session can see, including billing pages, customer data, and PII inside the authenticated area. Use a test / staging session, not a real customer's.
We use Google's commercial Gemini API (paid tier) as the primary vision provider and Anthropic's commercial Claude API as the fallback. The standard commercial terms with both providers already prohibit training on customer API inputs or outputs. We do not currently hold a separate enterprise zero-data-retention agreement with either provider (which would also suppress provider-side abuse-monitoring buffers); customers with an explicit ZDR requirement should email dpa@canaryflux.com.
Findings and screenshots are retained for the window defined by your plan — 7 days on Free, 30 days on Solo, 90 days on Pro, and 365 days on Studio.
On account deletion, we immediately purge your user record, scans, findings, and screenshots from our active systems. Stripe retains billing records under its own policy to satisfy tax and anti-fraud requirements.
Only our sub-processors, each scoped to a specific job: Google Gemini API (primary vision LLM grading of screenshots + masked DOM), Anthropic Claude (fallback vision LLM grading of screenshots + masked DOM when Gemini is unavailable), Railway (compute + Postgres hosting), Vercel (marketing + dashboard static hosting), Vercel Analytics (anonymous page-view telemetry across both marketing and dashboard pages), Cloudflare (DNS + TLS termination), Stripe (billing), Resend (transactional email), Sentry (server- and client-side error monitoring — emails, cookies, and Authorization headers stripped before send).
Full sub-processor table with what each one sees on the Security page. EU/UK customers can request a standard DPA with SCCs at dpa@canaryflux.com.
Real humans read every support email. We typically reply within a few hours during the work week.