Privacy Policy

Last updated: 25 June 2026

CanaryCue is a product of Context Risk Advisory Limited, a company registered in Ireland (CRO No. 772442). Our lead supervisory authority under EU GDPR is the Data Protection Commission (DPC) of Ireland.

1. Our Two Roles

Context Risk Advisory Limited processes personal data in two distinct capacities:

2. Website Visitors

When you visit canarycue.com we collect standard server logs (IP address, browser type, pages visited, referrer) for security and performance purposes. We do not use advertising cookies, tracking pixels, or third-party analytics. We use strictly necessary session cookies only.

If you contact us via a form or email, we retain your message and contact details to respond. Lawful basis: legitimate interests (Article 6(1)(f)) — operating a secure website and responding to enquiries.

3. Customer Account Data (Controller)

Lawful basis: contract (Article 6(1)(b)) for delivering the Service; legal obligation (Article 6(1)(c)) for billing records required by Irish tax law.

4. Alert Telemetry Data (Processor)

When a canary deployed by a customer is triggered, we collect and store the following on the customer's behalf:

This data is accessible only to the account holder who deployed the canary. The customer is the Data Controller and is solely responsible for having a lawful basis to collect it and for handling data subject rights requests relating to it.

Lawful basis (as processor): the customer's documented instruction. The typical lawful basis customers rely on is legitimate interests (Article 6(1)(f)) — specifically, detecting and evidencing unauthorised access to their network and information systems, as contemplated by GDPR Recital 49.

5. Sales & Marketing Outreach

We may contact individuals at organisations who may benefit from CanaryCue (for example, IT managers, CISOs, and security decision-makers at SMEs) by email. We obtain contact details from publicly available professional sources. Each message includes a clear unsubscribe link and we honour all opt-out requests immediately. Lawful basis: legitimate interests (Article 6(1)(f)) — promoting our services to likely-interested professional recipients, balanced against the low intrusiveness of a short, relevant email sequence (no more than three messages, stopping on any reply or opt-out). You can opt out at any time by replying "unsubscribe" or clicking the link in any message. A Legitimate Interest Assessment supporting this processing is maintained internally.

Where we obtain your contact details from publicly available professional sources, this notice constitutes the information required under Article 14 of the GDPR. The first email you receive from us will link to this page.

6. Aggregated Statistics & Threat Intelligence

We may derive aggregated, platform-level statistics from canary activity (e.g. alert frequency distributions, canary type usage rates, attacker geo-distribution by country). This processing is authorised by customers as part of the Service terms. Lawful basis: legitimate interests (Article 6(1)(f)) — improving and securing the Service.

Customers may optionally consent to contribute alert data (source IP country and canary type — no IP address) to a cross-customer threat-intelligence pool. This feature is off by default and toggled in your profile. Lawful basis: consent (Article 6(1)(a)).

7. Data Processor Terms (Article 28)

Where CanaryCue processes personal data on a customer's behalf in connection with canary alert telemetry:

7.1 Processing scope. We process canary-collected personal data only to: (a) deliver alert notifications to the customer; (b) store alert records in the customer's account; and (c) derive aggregated, non-identifiable platform statistics, which customers authorise as part of the Service terms. No other processing occurs without the customer's instruction, except where required by EU or Irish law.

7.2 Customer responsibilities. The customer is solely responsible for: (a) having a lawful basis for deploying canaries and collecting the resulting telemetry; (b) providing any legally required notices to individuals who may trigger canaries; (c) handling data subject access, erasure, and rectification requests; and (d) reporting personal data breaches to the relevant supervisory authority.

7.3 Our obligations. We implement appropriate technical and organisational measures to protect canary-collected data, assist you in fulfilling data subject rights requests where technically feasible, and notify you without undue delay upon becoming aware of a personal data breach affecting your data.

7.4 Sub-processors. We engage the sub-processors listed below. Each is bound by data-protection obligations no less protective than this policy. Where a vendor DPA is available, we accept it. Customers will be given reasonable notice of any new sub-processor addition.

Sub-processorPurposeRegion / Transfer basis
Amazon Web ServicesCloud infrastructure, file storageEU (eu-west-1, Ireland)
SupabaseDatabase & authenticationEU (eu-west-1, Ireland)
VercelApplication hosting & serverless computeGlobal edge; storage EU. SCCs apply for non-EEA processing.
CloudflareEdge network, canary URL handling (Worker)Global edge; SCCs apply for non-EEA processing.
Hetzner Online GmbHAI trap-suggestion & threat-profiling computeEU (Germany)
Mistral AIAI-powered trap suggestions & threat profileEU (Paris)
Hunter.ioCompany contact enrichmentEU (France)
PostmarkEmail alert deliveryUS — vendor DPA / SCCs
TwilioSMS alert deliveryUS — vendor DPA / SCCs
StripePayment processingUS — vendor DPA / SCCs
ip-api.comIP geo-location enrichmentEU
AbuseIPDBIP reputation scoringUS — vendor DPA / SCCs
SentryError monitoringEU (Germany)

Company-enrichment data is additionally obtained from public company registries — the Irish Companies Registration Office (CRO) and OpenCorporates (UK, covered by adequacy decision) — which act as data sources rather than sub-processors and do not receive personal data from us.

7.5 International transfers. Canary alert data is stored within the EU (AWS eu-west-1, Ireland). Edge and CDN processing by Vercel and Cloudflare may occur outside the EEA; this is covered by Standard Contractual Clauses. Where other sub-processors are based outside the EEA, transfers are governed by SCCs or an applicable adequacy decision.

8. Data Retention

9. Your Rights

Under EU GDPR you have the right to: access your personal data; rectify inaccurate data; erasure where applicable; restrict or object to processing; data portability; and to withdraw consent at any time where consent is the lawful basis.

To exercise any of these rights, email info@contextrisk.ie. We will respond within one calendar month.

You may also lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie.

10. Security

All data in transit is encrypted via TLS 1.3. Data at rest is encrypted by AWS and Supabase. Access to production systems is restricted to authorised personnel under least-privilege controls. We operate breach-detection monitoring and will notify affected customers within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account holders at least 14 days before taking effect. The current version is always available at canarycue.com/privacy.

12. Contact

Data protection enquiries: info@contextrisk.ie
Security disclosures: info@contextrisk.ie
Controller: Context Risk Advisory Limited, Ireland
Supervisory authority: dataprotection.ie (Data Protection Commission, Ireland)