About this Policy

This privacy policy covers the information we collect about you when you use Canary Mail. We refer to our products, services, and websites as "Services" in this policy.
This policy also explains your choices about how we use information about you.  Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business.

What information we collect about you

We collect information about you when you provide it to us, when you use our Services, and from certain third parties as further described below.
Information to set up Canary Mail:  The information Canary accesses and collects depends on the way you use it. By default, Canary does not collect or store the content of your personal email messages, whether incoming or outgoing.
In order to function properly, Canary Mail for Mac and for iOS accesses your name, email address, credentials (such as OAuth access tokens for email servers which support them), and email content. All of this information is stored on your device and is never transferred to our servers.
The only scenario in which we will temporarily store this data is if users of Canary Mail for iOS choose to enable Push notifications when they receive email. In that case, Canary will temporarily store your email address, credentials, sender, subject line, and first line of the message on our server. All data is cleared from our server when notifications are disabled on Canary Mail for iOS or when a user switches from using Push notifications to Fetch mode, in which case all data is stored on the device.
Information you provide through our support channels: The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service.
Device and Connection Information: If analytics is enabled, we may analyze information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We analyze information through your device about your operating system, anonymized IP address, device info & identifiers, in-app events, and crash data. If you choose to use our customer support features provided by third-party vendors, we may use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience.
Cookies and Other Tracking Technologies: We include a number of scripts such as cookies and web beacons from third-party vendors on our website. These scripts may gather data for web statistics or be used to identify a returning visitor, and URLs of referring/exit pages. We do not utilize cookies directly for any purpose.
  Other services you link to Canary: You can choose to sync features such as preferences, accounts, and signatures, across devices via your personal iCloud account. You can also opt-out and delete all data stored on iCloud at any time. We do not collect any information when users choose to integrate Canary Mail with third-party services such as Google Drive or Dropbox.

How we use the data we collect

Below are the specific purposes for which we use the information we collect about you.
To provide the Services: We use information about you to provide the Services to you, authenticate you when you log in, provide customer support, and operate and maintain the Services.  If a Canary Mail for iOS user chooses to receive Push notifications when they receive email, Canary will temporarily store the sender, subject, and first line of the message on our server. This information is then deleted as soon as the notification is delivered. Users desiring to maximize their security can use Fetch notifications on Canary Mail for iOS, in which case your email is fetched from and stored directly on your device.
For research and development:  We are always looking for ways to make our Services smarter, faster, more secure, integrated, and useful to you.  We use collective learnings about how people use our Services and feedback provided directly to identify which features and preferences users find most useful, to refine the user interface, and to guide further application development. We use device identifiers only to assess performance of our inbound marketing campaigns.
To communicate with you about the Services: If you sign up to receive news from Canary, we may send you emails regarding our latest products and services. You may unsubscribe at any time. We may also deliver a few helpful Push notifications to help you discover new features. You may opt out of these notifications via in-app settings.
Customer support: We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.
To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we may use information about you in connection with legal claims, compliance, regulatory functions, and disclosures in connection with the acquisition, merger or sale of a business.

Legal bases for processing

We collect and process information about EU residents only where we have legal bases for doing so under applicable EU laws. This means we collect and use your information only where:

  • We need it to provide you the Services, including to operate the Services, provide customer support and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.  Where we are using your information because we have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.

How we share information we collect

We are not in the business of selling information about you to advertisers or other third parties. We only share information with the following third parties who help us operate, provide, improve, integrate, support, and market our Services.
Service Providers: We work with third-party service providers to provide for usage analytics, hosting and backend infrastructure, infrastructure monitoring, customer support and other services, which may require them to access or use information about you. In particular, we use:

  • Google Analytics: We use Google Analytics to understand application use. Users’ location and device information is collected via anonymized IP addresses and is only available in aggregate, meaning that it cannot be traced to any individual user.
  • Firebase: We use Firebase to store anonymized unidirectional hashes that facilitate the implementation and cross-device syncing of certain features such as read-tracking.
  • Crashlytics: We use Crashlytics for crash reporting. Crash reports do not contain any individual data such as names, email addresses, or IP addresses.
  • Intercom: We use Intercom to deliver customer support via our website and mobile versions. When you use the chat feature to receive technical support, Intercom collects certain information such as your IP address and information which can be derived from it, such as approximate geographical location.
  • AppsFlyer (iOS only): We use AppsFlyer provide us with install attribution analytics, which helps us to identify the effectiveness of inbound marketing campaigns. AppsFlyer analyzes users’ IP addresses, device information, and IDFA.
Users who do not wish to make their data available to third-party vendors can disable analytics in the in-app settings or choose not to use their features.
If a service provider needs to access information about you to perform services on our behalf, they do so under appropriate Data Processing Agreements, which include policies and procedures designed to protect your information. All of our third-party service providers have taken steps to comply with the GDPR.
Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Canary, our users or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

Information storage and security

Our data is stored in a secure ISO 270001 certified and FINMA RS 08/7 compliant data center. While we implement cutting-edge encryption and other safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.

How long we keep information

We retain your information for as long as you utilize the Services. We do not store any personal data after you cease using Canary, but data collected by third-party vendors such as Google Analytics may remain with them as per their data processing policies, which are compliant with GDPR.

Your Rights

Under the GDPR, if you are an EU citizen you have the right:

  • to access your personal data
  • to be provided with information about how your personal data is processed
  • to have your personal data corrected
  • to have your personal data erased in certain circumstances
  • to object to or restrict how your personal data is processed
  • to receive a copy of your data in a machine-readable format
  • to take any complaints about how we process your data to the Data Protection Authority in your country.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we are permitted by law or have compelling legitimate interests to keep.  Where you have asked us to share data with third parties, for example, by syncing with third-party applications, you will need to contact those third-party service providers directly to have your information deleted or otherwise restricted.
  Request that we stop using your information:  In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don't have the appropriate rights to do so.  For example, if you believe Canary was connected to your email account without your permission, you can request that we disconnect it. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time.  When you make such requests, we may need time to investigate and facilitate your request.  If there is delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved.
“Do Not Track” Signals: Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.

How we transfer information we collect internationally

The information we collect is stored on our servers in Switzerland. Switzerland has been recognized by the European Commission as offering and an adequate level of data protection such that personal data can flow from the EU to that country without any need for further safeguards.
Some of the third parties described in this privacy policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. By using our Services, you consent to any transfer and processing in accordance with this policy. Whenever we transfer your information, we take steps to protect it.

Our policy towards children

The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.

Changes to our Privacy Policy

We may change this privacy policy from time to time and will post any such changes on this page. We encourage you to review our privacy policy periodically to stay informed about our information practices and the ways you can help protect your privacy.
If you disagree with any changes to this privacy policy, you will need to stop using the Services.

Contact Us

Your information is controlled by Mailr Tech LLP. You may direct any questions regarding this policy to: info [at] canarymail.io.