Privacy Policy

Last updated: 27 March 2026 · CanaryCue is a company registered in Ireland.

1. Who We Are

CanaryCue ("we", "us", "our") is a company registered in Ireland. We operate an insider risk and access monitoring platform that allows organisations to deploy deception assets ("canary tokens") and receive alerts when those assets are accessed. Our lead supervisory authority under EU GDPR is the Data Protection Commission (DPC) of Ireland.

Contact: info@canarycue.com

2. Two Distinct Roles

CanaryCue processes personal data in two distinct capacities:

Data Controller — for personal data we collect directly from our customers (account holders): name, email address, phone number, billing information, and platform usage data.
Data Processor — for alert telemetry data (IP addresses, usernames, hostnames, etc.) collected when an end-user triggers a customer-deployed canary. In this role we act on the documented instructions of the customer, who is the Data Controller for that data. See Section 7 for the full processor relationship.

3. Data We Collect About Customers (Controller)

Account data: email address, and optionally a secondary email and phone numbers for alert routing. Collected at registration and maintained in your profile.

Billing data: subscription status and renewal date. Payment card details are processed and held by Stripe — we do not store card numbers.

Usage data: scenario configurations, canary types deployed, and alert history associated with your account.

Authentication data: login sessions managed via Microsoft OAuth or Google OAuth. We do not store passwords.

4. Alert Telemetry Data (Processor)

When a canary deployed by a customer is triggered, we collect and store telemetry on the customer's behalf. Depending on the canary type, this may include:

Network data: source IP address, HTTP user agent string.
Host identity data: operating system username, device hostname, and current working directory — captured by local canary types (e.g. folder shortcuts, Windows batch files) at the moment of execution on the triggering device.
Credential data: usernames and passwords submitted via monitored login portal canaries.
Event metadata: timestamp and scenario stage triggered.

This data is stored securely and is accessible only to the account holder who deployed the canary. The customer is the Data Controller for this data and is solely responsible for ensuring they have a lawful basis to collect it and for complying with data subject rights requests relating to it.

5. Legal Bases for Processing (Controller Activities)

Contract (Article 6(1)(b)): account data and usage data processed to deliver the Service you have subscribed to.
Legitimate interests (Article 6(1)(f)): platform security, fraud prevention, and service improvement.
Legal obligation (Article 6(1)(c)): retaining billing records as required by Irish tax and company law.

6. Anonymised Telemetry (Platform Statistics)

We may derive and retain anonymised, aggregated statistics from canary activity across the platform — for example, alert frequency distributions, canary type usage rates, and response time benchmarks. Before retention for this purpose, data is irreversibly anonymised such that no individual or customer can be identified.

These aggregated statistics may be used to improve the Service and to publish threat intelligence insights. As anonymised data is not personal data under EU GDPR, no consent or Article 6 basis is required for this processing.

7. Data Processor Agreement

Where CanaryCue processes personal data on behalf of a customer (the controller) in connection with canary alert telemetry, the following terms apply in accordance with EU GDPR Article 28:

7.1 CanaryCue will process canary-collected personal data only for the purposes of delivering alert notifications and storing alert records for the customer's account. No other processing will occur without the customer's instruction, except where required by EU or Irish law.

7.2 The customer (Controller) is solely responsible for: (a) having a lawful basis for deploying canaries and collecting the resulting telemetry; (b) providing any legally required notices to individuals who may trigger canaries; (c) handling data subject access, erasure, and rectification requests; and (d) reporting any personal data breaches relating to canary-collected data to the relevant supervisory authority.

7.3 CanaryCue will implement appropriate technical and organisational measures to protect canary-collected data, assist the Controller in fulfilling data subject rights requests where technically feasible, and notify the Controller without undue delay upon becoming aware of a personal data breach.

7.4 Sub-processors. CanaryCue engages the following sub-processors: Amazon Web Services (cloud infrastructure, EU — eu-west-1 region), Supabase (database), Postmark (email notifications), Stripe (payment processing), and Twilio (SMS notifications). CanaryCue imposes equivalent data protection obligations on all sub-processors. Customers will be given reasonable notice of any new sub-processor additions.

7.5 Data transfers. Canary alert data is stored within the EU (AWS eu-west-1, Ireland). Where any sub-processor operates outside the EEA, appropriate transfer mechanisms are in place, including Standard Contractual Clauses approved by the European Commission.

8. Data Retention

Account data: retained for the duration of your subscription and deleted within 90 days of account closure, except where retention is required by law.
Alert telemetry: retained while your account is active. Upon account closure, canary-collected personal data will be deleted within 90 days unless you request earlier deletion.
Billing records: retained for 7 years as required by Irish tax law.
Anonymised statistics: retained indefinitely as they contain no personal data.

9. Your Rights

Under EU GDPR, as a customer you have the right to: access your personal data; rectify inaccurate data; erasure ("right to be forgotten") where applicable; restrict or object to processing; data portability; and to lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie.

To exercise any of these rights, email info@canarycue.com. We will respond within one calendar month.

10. Cookies

We use strictly necessary session cookies to maintain authentication state. We do not use advertising, tracking, or analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account holders. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact

Data protection enquiries: info@canarycue.com