Canaryflux

Privacy Policy

Effective June 22, 2026 — v1.1 adds breach-notification SLA, third-party site-owner removal channel, and a screenshot-retention cap.

This page explains what data Canaryflux collects, why we collect it, and who we share it with. We try to keep it short and in plain language. If anything's unclear, email support@canaryflux.com and we'll explain.

Who we are

Canaryflux is a website QA scanning service operated as a sole-proprietor business by Farid Islas, registered with Mexico's Servicio de Administración Tributaria (SAT) under the Persona Física con Actividad Empresarial (PFAE) regime in Mérida, Yucatán, Mexico. When this policy says "we," "us," or "Canaryflux," it means that business. The data controller for the purposes of Mexico's LFPDPPP (and the GDPR, where applicable) is Farid Islas, and the contact address for any privacy request is support@canaryflux.com.

What we collect

We collect only what we need to run the product:

What we do with it

Who else sees your data

We use a small set of third-party processors to run Canaryflux. Each of them only sees the slice of data they need:

We do not sell your data, share it with advertisers, or hand it to any other third party beyond what's listed above.

Data Processing Agreement. If you process EU/UK personal data through Canaryflux (including by pasting an authenticated-scan session that exposes your own end-customers' data), you need a written DPA with us before scanning begins. Email dpa@canaryflux.com — we ship a standard DPA with Standard Contractual Clauses (SCCs) on request, normally within one business day.

Cookies & local storage

Canaryflux uses your browser's local storage (not third-party cookies) to keep you signed in and to remember your active project. Specifically:

We do not use third-party advertising cookies, conversion pixels, or cross-site trackers. You can clear local storage at any time from your browser settings; this signs you out and resets dashboard state but does not affect data we hold on the server.

What we collect (detailed)

For completeness — and because privacy regulations require us to be specific about every category of data we touch:

How long we keep it

Your rights

Whether you're in Mexico (LFPDPPP), the EU (GDPR), the UK, California, or anywhere else, you can:

If you believe we're mishandling your data, you have the right to lodge a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) in Mexico, or your local data-protection authority in your country.

If your site was scanned by a Canaryflux user

Canaryflux is a tool that our users point at URLs they tell us they own or have authorization to test. If you believe a Canaryflux user has scanned a site you operate without your permission, and you would like the resulting screenshots, DOM excerpts, and findings removed from our systems, email support@canaryflux.com with:

We will acknowledge receipt within 2 business days and, once domain ownership is verified (typically via a DNS TXT record or an email to a role address at the domain), remove the associated scan artifacts within 30 days. We may retain a minimal audit log of the takedown request itself, but no scan content. If the scan involved authenticated content captured on behalf of a Canaryflux Pro+ customer, we will also notify that customer of the takedown so they can stop using the affected URL.

If you believe the scan violated applicable law (e.g. unauthorized active scanning of a private system), you can also report the account to abuse@canaryflux.com and we may suspend or terminate it per our Terms.

Security

Passwords are hashed with bcrypt (cost factor 12). Session tokens are signed JWTs with a 14-day expiry. All traffic is HTTPS. Screenshot URLs are HMAC-signed with a 7-day expiry to prevent unauthorized access. Failed login attempts trigger an account lockout after 5 tries.

No system is perfectly secure. If you discover a security issue, please email security@canaryflux.com with the details — we'll respond and fix it promptly.

Security-incident notification. If we discover a personal-data breach likely to affect you, we will notify affected users via email without undue delay and at most within 72 hours of confirming the breach, including: the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures we've taken or propose to take to address it. This meets the GDPR Art 33/34 timeline and applies regardless of your jurisdiction.

Children

Canaryflux is not directed at children under 13. We don't knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we'll delete the account.

Changes to this policy

If we materially change how we handle your data, we'll email all active users at least 14 days before the change takes effect. The effective date at the top of this page always reflects the current version.

Contact

Privacy requests, complaints, and anything else: support@canaryflux.com.
