Privacy Policy
Effective June 22, 2026 — v1.1 adds breach-notification SLA, third-party site-owner removal channel, and a screenshot-retention cap.
This page explains what data Canaryflux collects, why we collect it, and who we share it with.
We try to keep it short and in plain language. If anything's unclear, email support@canaryflux.com and we'll explain.
Who we are
Canaryflux is a website QA scanning service operated as a sole-proprietor business by
Farid Islas, registered with Mexico's Servicio de Administración Tributaria
(SAT) under the Persona Física con Actividad Empresarial (PFAE) regime in Mérida,
Yucatán, Mexico. When this policy says "we," "us," or "Canaryflux," it means that business.
The data controller for the purposes of Mexico's LFPDPPP
(and the GDPR, where applicable) is Farid Islas, and the contact address for any privacy
request is support@canaryflux.com.
What we collect
We collect only what we need to run the product:
- Account data — your email, your name (if provided), and a bcrypt hash of
your password. We never store your password in plaintext.
- Scan data — the URLs you ask us to scan, the screenshots our scanner takes
of those URLs, the masked DOM excerpts and console logs the scanner captures, and the
findings our AI extracts. For Pro+ projects with authenticated scanning enabled, we also
store the session cookie or Authorization header you pasted (encrypted at rest — see the
Security section below). See the Cookies & local storage and
What we collect (detailed) sections further down for the full enumeration.
- Authenticated-scan content (Pro+ only). When you enable authenticated
scanning on a project, the screenshots and DOM excerpts we capture include whatever data
is visible to the session you provided. If you point Canaryflux at /admin/customers with an
admin session, the customer list ends up in the screenshot we send to our vision
sub-processors for grading (Google Gemini as the primary provider; Anthropic Claude as the
fallback when Gemini is unavailable — see Sub-processors below for full details) and store
on our server until your tier’s retention window expires.
The encryption we apply protects the cookie at rest; it does not redact the content the
cookie unlocks. Screenshots themselves are not redacted — our PII masker
pattern-matches DOM text (emails, phone numbers, tokens, card numbers) before the LLM call,
but anything visible on the rendered image (names, postal addresses, account balances, free-text
fields) reaches our vision sub-processors as image bytes — Google Gemini on the primary
path, Anthropic Claude on the fallback path. A small number of Canaryflux engineers can open stored
screenshots when strictly needed for support tickets you open or abuse-of-service investigations;
access is logged. Do not paste sessions that reveal health, financial-account, biometric, or
government-ID data (GDPR Art 9 / LFPDPPP “datos sensibles”) without express consent
and a processor agreement covering that category. We recommend using a low-privilege test-account
session whenever possible — see "Authenticated scanning — what we see" on the security page
for the full picture.
- Usage data — how many scans you run per month, which device profiles you
use, and when your account was created. This drives the quota system and is used to bill you.
- Onboarding survey (optional) — your role, your workspace name, what kinds
of bugs you want Canaryflux to catch, and how you heard about us. These answers are
forwarded to the founder's inbox so we know what customers are signing up for and can
prioritize what to build next. You can skip the questions; blanks are persisted as blanks.
We do not share these answers with anyone outside Canaryflux.
- Payment data — handled entirely by Stripe. We receive only a customer
identifier and the subscription tier you're on. We never see your card number.
- Server logs — IP addresses of incoming requests, retained briefly for
rate-limiting and abuse prevention.
What we do with it
- Run scans you've asked us to run, and show you the results.
- Email you when a scan finishes with critical findings, when your account needs verifying,
or when you ask to reset your password.
- Bill you for paid plans (via Stripe) and enforce your monthly quota.
- Prevent abuse — rate-limiting, brute-force lockouts, anti-spam on the contact endpoints.
- Improve the scanner — we may look at anonymized failure patterns to make the detector better.
We do not train models on your scan data.
Who else sees your data
We use a small set of third-party processors to run Canaryflux. Each of them only sees the
slice of data they need:
- Google (Gemini API) — primary vision LLM. Receives the screenshots and
masked DOM excerpts your scans produce (Free and paid tiers alike) so Gemini 2.5 Flash-Lite
can extract findings. Canaryflux operates exclusively on the paid Gemini API tier, whose
commercial terms prohibit Google from using customer prompts or outputs to train Google's
models (the free Gemini API tier does not carry that commitment, and we do not use it).
Processing in the United States, under Standard Contractual Clauses where EU/UK personal data
is involved. Subject to Google's privacy policy and the Gemini API Additional Terms.
- Anthropic — fallback vision LLM. Receives the same screenshots and masked
DOM excerpts only when Gemini is unavailable (e.g. 5xx from Google's API) so Claude Sonnet 4.6
can extract findings on the failover path. Anthropic's commercial API terms prohibit training
on customer inputs or outputs. Processing in the United States. Subject to Anthropic's privacy policy.
- Stripe — handles all payment data. Subject to Stripe's privacy policy.
- Resend — sends transactional emails (verification, reset, finding notifications).
Subject to Resend's privacy policy.
- Railway — hosts the scanner backend. Subject to Railway's privacy policy.
- Vercel — hosts the dashboard front-end. Subject to Vercel's privacy policy.
- Cloudflare — DNS + TLS termination for canaryflux.com. Subject to Cloudflare's privacy policy.
- Sentry — receives anonymized client-side error events (stack traces,
URL path, browser type) from the dashboard so we can fix bugs. We strip emails,
Authorization headers, and cookies before sending. Subject to Sentry's privacy policy.
- Vercel Analytics — anonymous page-view telemetry on the public marketing
pages (no personal identifiers, no cross-site tracking). Subject to Vercel's privacy policy.
We do not sell your data, share it with advertisers, or hand it to any other third party
beyond what's listed above.
Data Processing Agreement. If you process EU/UK personal data through Canaryflux
(including by pasting an authenticated-scan session that exposes your own end-customers' data),
you need a written DPA with us before scanning begins. Email dpa@canaryflux.com — we ship a
standard DPA with Standard Contractual Clauses (SCCs) on request, normally within one business day.
Cookies & local storage
Canaryflux uses your browser's local storage (not third-party cookies) to keep you signed in
and to remember your active project. Specifically:
- Session JWT — stored in localStorage on the dashboard so you
stay signed in across tabs. Cleared on sign-out or account delete. (Necessary — without this
you'd have to log in on every page load.)
- UI state — your active project id, sidebar collapse state, and onboarding
progress are stored locally so the dashboard reopens where you left it. (Necessary for the
product to work.)
- Vercel Analytics — the marketing pages send anonymous page-view pings to
Vercel. No personal identifiers are stored client-side; daily-rotated hashed visitor IDs
are used and reset every 24 hours. (Analytics — used to understand which pages convert.)
- Sentry session replay — disabled by default. If we ever enable session
replay on the dashboard, we will update this policy and gate it behind a consent prompt
for visitors in the EU/UK.
We do not use third-party advertising cookies, conversion pixels, or cross-site trackers.
You can clear local storage at any time from your browser settings; this signs you out and
resets dashboard state but does not affect data we hold on the server.
What we collect (detailed)
For completeness — and because privacy regulations require us to be specific about every
category of data we touch:
- Scan inputs — the URLs you ask us to scan, the device profiles you pick,
and (for Pro+ projects with authenticated scanning) the session cookie or Authorization
header you paste. The latter is encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256)
with a key derived from our server-side master secret.
- Scan outputs — full-page screenshots from each device, masked DOM excerpts
(we mask emails, phones, and obvious PII patterns before any LLM call), captured console
errors and network failures, and the findings our vision sub-processors (Google Gemini
primary, Anthropic Claude fallback) extract.
- Compliance audit trail — for projects with a scan-permission attestation,
we store the attested origin, the exact text you agreed to (snapshot at consent time), the
timestamp, and your IP + User-Agent at grant time. This evidentiary record exists so we can
respond to abuse reports about scans run on your project.
How long we keep it
- Account data — until you delete your account.
- Scan results — until you delete your account, with a hard cap of the
most recent 500 runs per user.
- Screenshots — saved to disk on the scanner, and served via signed URLs
that expire 7 days after issuance. Files themselves are kept until the account is deleted.
- Server logs — IP addresses cycle out of rate-limit memory within minutes.
Application logs are retained for up to 30 days for troubleshooting.
- Stripe data — retained by Stripe per their own policy; we keep only a
customer reference.
Your rights
Whether you're in Mexico (LFPDPPP), the EU (GDPR), the UK, California, or anywhere else,
you can:
- Access the personal data we hold about you — email support@canaryflux.com and we'll send it over.
- Correct anything inaccurate — most fields are editable in the dashboard.
- Delete your account and everything tied to it — use the "Delete account"
button in your dashboard settings (or email us). Deletion is immediate and not reversible.
- Export your scan history in a portable format — email us to request it.
- Object to specific processing or revoke consent at any time.
If you believe we're mishandling your data, you have the right to lodge a complaint with the
Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales
(INAI) in Mexico, or your local data-protection authority in your country.
If your site was scanned by a Canaryflux user
Canaryflux is a tool that our users point at URLs they tell us they own or have authorization
to test. If you believe a Canaryflux user has scanned a site you operate without your
permission, and you would like the resulting screenshots, DOM excerpts, and findings removed
from our systems, email support@canaryflux.com with:
- The full origin URL that was scanned (e.g. https://your-site.example.com).
- Approximate date / time of the scan, if known.
- A contact email at the affected domain (so we can confirm ownership before deleting).
- Optional: any specific screenshot URL or finding ID you'd like prioritized.
We will acknowledge receipt within 2 business days and, once domain ownership is verified
(typically via a DNS TXT record or an email to a role address at the domain), remove the
associated scan artifacts within 30 days. We may retain a minimal audit log of the takedown
request itself, but no scan content. If the scan involved authenticated content captured
on behalf of a Canaryflux Pro+ customer, we will also notify that customer of the takedown
so they can stop using the affected URL.
If you believe the scan violated applicable law (e.g. unauthorized active scanning of a
private system), you can also report the account to abuse@canaryflux.com
and we may suspend or terminate it per our Terms.
Security
Passwords are hashed with bcrypt (cost factor 12). Session tokens are signed JWTs with a
14-day expiry. All traffic is HTTPS. Screenshot URLs are HMAC-signed with a 7-day expiry to
prevent unauthorized access. Failed login attempts trigger an account lockout after 5 tries.
No system is perfectly secure. If you discover a security issue, please email
security@canaryflux.com with the details — we'll respond and fix it promptly.
Security-incident notification. If we discover a personal-data breach
likely to affect you, we will notify affected users via email without undue delay and
at most within 72 hours of confirming the breach, including: the nature of the breach,
the categories and approximate number of users affected, the likely consequences, and
the measures we've taken or propose to take to address it. This meets the GDPR Art 33/34
timeline and applies regardless of your jurisdiction.
Children
Canaryflux is not directed at children under 13. We don't knowingly collect data from anyone
under 13. If you believe a child has signed up, email us and we'll delete the account.
Changes to this policy
If we materially change how we handle your data, we'll email all active users at least 14 days
before the change takes effect. The effective date at the top of this page always reflects the
current version.
Contact
Privacy requests, complaints, and anything else: support@canaryflux.com.