Privacy Policy

Last updated: 2026-06-08

1. Who we are

Canary2 (“we”) is the data controller for the personal data described here. Contact privacy@example.com.

2. Data we collect

• Account: email, name, and authentication data (managed by our auth provider).
• API keys: key name, prefix, creation and expiry — never the secret value.
• Usage & billing: request counts, credit usage, plan, and subscription status.
• Technical: IP address and request metadata, used for security and rate limiting.

3. Lawful basis (GDPR Art. 6)

• Contract: providing your account, the API/MCP service, and billing.
• Legitimate interest: security, abuse prevention, and rate limiting.

4. Retention

Account data is kept while your account is active and deleted on request. Billing records may be retained as required by law (typically up to 7 years).

5. Subprocessors

• Hetzner (EU) — hosting
• Polar — payments (merchant of record) & subscription billing
• Scaleway (EU) — transactional email
• Bunny.net — content delivery (CDN)

6. Cookies

We use a single strictly-necessary cookie for your login session. We do not use analytics or tracking cookies, so we do not show a cookie consent banner.

7. Your rights

You can access, rectify, erase, export, and object to the processing of your data. From your account page you can export your data or delete your account, or email us.

8. International transfers

Our infrastructure is EU-based. Where a subprocessor transfers data outside the EU, it is covered by Standard Contractual Clauses or an adequacy decision.

9. AI features

Canary2 exposes an AI-agent (MCP) interface. Requests you make through it are processed only to provide the service; we do not use your request content to train models.

10. Changes & complaints

We may update this policy; material changes will be announced. You may lodge a complaint with your local data protection authority.