Privacy Policy

About this Policy

This privacy policy covers the information we collect about you when you use Canary Mail. We refer to our products, services, and websites as "Services" in this policy.

This policy also explains your choices about how we use information about you.  Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business.

What information we collect about you

We collect information about you when you provide it to us, when you use our Services, and from certain third parties as further described below.

Information to set up Canary Mail:  The information Canary accesses and collects depends on the way you use it. By default, Canary does not collect or store the content of your personal email messages, whether incoming or outgoing.

In order to function properly, Canary Mail for Mac, iOS and Android accesses your name, email address, credentials (such as OAuth access tokens for email servers which support them), and email content. All of this information is stored on your device and is never transferred to our servers.

The only scenario in which we will temporarily store this data is if users of Canary Mail for iOS or Android choose to enable Push notifications when they receive email, or if users use the Cloud Sync feature. For delivering Push notifications, Canary will temporarily store your email address, credentials, sender, subject line, and first line of the message on our server. Data associated with a specific email is deleted as soon as the notification for that email is delivered to your device. All data is cleared from our server when notifications are disabled on Canary Mail for iOS or Android or when you switch from Push to Fetch mode, in which case all data is stored locally only and new emails are fetched directly from your device. Similarly, data associated with Cloud Sync is also cleared as soon as you disable Cloud Sync from your device(s).

Canary's Copilot feature leverages cutting-edge ML technology. Your data including that from Google services, is not used to develop, improve, or train generalized/non-personalized AI and/or ML models. Personalised ML models - including for prioritization are created, trained and stored on-device. Only you have access to your own models.
State-of-the-art language models are extremely large and computationally intensive and hence must be hosted on server. Using Copilot for writing, summarizing or replying to emails, or using the Copilot chat feature will leverage models offered by top-tier providers such as OpenAI, Anthropic, Cohere, Google and others. However, we have opted out of data sharing - your data will not be used to train or improve 3rd party models. Diagnostic data will only be collected if the 'Help improve Canary' setting is enabled.

Information you provide through our support channels: The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service.

Device and Connection Information: If analytics is enabled, we may analyze information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We analyze information through your device about your operating system, anonymized IP address, device info & identifiers, in-app events, and crash data. If you choose to use our customer support features provided by third-party vendors, we may use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience.

Cookies and Other Tracking Technologies: We include a number of scripts such as cookies and web beacons from third-party vendors on our website. These scripts may gather data for web statistics or be used to identify a returning visitor, and URLs of referring/exit pages. We do not utilize cookies directly for any purpose.

Canary's Cloud Sync Feature: You can choose to sync preferences, accounts, signatures, templates & other items, across all devices on which you use Canary. Synced data is stored securely in the Cloud in encrypted form. The encryption keys are stored securely in your private iCloud keychain and are only accessible by you. The Cloud Sync feature is disabled by default & can be enabled via in-app Settings. You can also disable / opt-out and delete all data stored on Cloud at any time.

How we use the data we collect

Below are the specific purposes for which we use the information we collect about you.

To provide the Services: We use information about you to provide the Services to you, authenticate you when you log in, provide customer support, and operate and maintain the Services.  If a Canary Mail for iOS or Android user chooses to receive Push notifications when they receive email, Canary will temporarily store the sender, subject, and first line of the message on our server. This information is then deleted as soon as the notification is delivered. Users desiring to maximize their security can use Fetch notifications on Canary Mail for iOS or Android, in which case your email is fetched from and stored directly on your device.

For research and development:  We are always looking for ways to make our Services smarter, faster, more secure, integrated, and useful to you.  We use collective learnings about how people use our Services and feedback provided directly to identify which features and preferences users find most useful, to refine the user interface, and to guide further application development. We use device identifiers only to assess performance of our inbound marketing campaigns.

To communicate with you about the Services: The email address you use with Canary will be used to send you important emails pertaining to security & legal announcements. If you sign up to receive news from Canary, we may send you emails regarding our latest products and services. You may unsubscribe at any time. We may also deliver a few helpful Push notifications to help you discover new features. You may opt out of these notifications via in-app settings.

Customer support: We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.

To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we may use information about you in connection with legal claims, compliance, regulatory functions, and disclosures in connection with the acquisition, merger or sale of a business.

Canary’s use of information received from Gmail APIs adheres to Google's Limited Use Requirements.

How we share information we collect

We are not in the business of selling information about you to advertisers or other third parties. We only share information with the following third parties who help us operate, provide, improve, integrate, support, and market our Services.

Service Providers: We work with third-party service providers to provide for usage analytics, hosting and backend infrastructure, infrastructure monitoring, customer support and other services, which may require them to access or use information about you. In particular, we use:

  • Firebase Analytics: We use Firebase / Google Analytics to understand application use. Users’ location and device information is collected via anonymized IP addresses and is only available in aggregate, meaning that it cannot be traced to any individual user.
  • Firebase: We use Firebase to store anonymized unidirectional hashes that facilitate the implementation and cross-device syncing of certain features such as read-tracking.
  • Crashlytics: We use Crashlytics for crash reporting. Crash reports do not contain any individual data such as names, email addresses, or IP addresses.
  • Intercom: We use Intercom to deliver customer support via our website and mobile versions. When you use the chat feature to receive technical support, Intercom collects certain information such as your IP address and information which can be derived from it, such as approximate geographical location.
  • AppsFlyer (iOS & Android): We use AppsFlyer provide us with install attribution analytics, which helps us to identify the effectiveness of inbound marketing campaigns. AppsFlyer analyzes users’ IP addresses, device information, and IDFA.

Users who do not wish to make their data available to third-party vendors can disable analytics in the in-app settings or choose not to use their features.

If a service provider needs to access information about you to perform services on our behalf, they do so under appropriate Data Processing Agreements, which include policies and procedures designed to protect your information. All of our third-party service providers have taken steps to comply with the GDPR.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Canary, our users or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

Information storage and security

We implement rigorous security measures to protect the integrity and confidentiality of your data, including data from Google services. All data is encrypted in rest and in transit.

How long we keep information

We retain your information for as long as you utilize the Services. We do not store any personal data after you cease using Canary, but data collected by third-party vendors such as Google Analytics may remain with them as per their data processing policies, which are compliant with GDPR.

Your Rights

Under the GDPR, if you are an EU citizen you have the right:

  • to access your personal data
  • to be provided with information about how your personal data is processed
  • to have your personal data corrected
  • to have your personal data erased in certain circumstances
  • to object to or restrict how your personal data is processed
  • to receive a copy of your data in a machine-readable format
  • to take any complaints about how we process your data to the Data Protection Authority in your country.

Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we are permitted by law or have compelling legitimate interests to keep.  Where you have asked us to share data with third parties, for example, by syncing with third-party applications, you will need to contact those third-party service providers directly to have your information deleted or otherwise restricted.

Request that we stop using your information:  In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don't have the appropriate rights to do so.  For example, if you believe Canary was connected to your email account without your permission, you can request that we disconnect it. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time.  When you make such requests, we may need time to investigate and facilitate your request.  If there is delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved.

“Do Not Track” Signals: Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.

How we transfer information we collect internationally

The information we collect is stored on our servers in Germany. Germany has been recognized by the European Commission as offering and an adequate level of data protection such that personal data can flow from the EU to that country without any need for further safeguards.

Some of the third parties described in this privacy policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. By using our Services, you consent to any transfer and processing in accordance with this policy. Whenever we transfer your information, we take steps to protect it.

Our policy towards children

The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.

Changes to our Privacy Policy

We may change this privacy policy from time to time and will post any such changes on this page. We encourage you to review our privacy policy periodically to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this privacy policy, you will need to stop using the Services.

Contact Us

Your information is controlled by Cartasec Pte. Ltd. You may direct any questions regarding this policy to: info [at]