Privacy Overview


Canary takes your privacy seriously. The regulatory landscape governing privacy is undergoing significant change worldwide, and governments and consumers alike are demanding increased transparency and individual control. The EU’s General Data Protection Regulation (GDPR) is the latest and most profound example of this trend. Canary welcomes the arrival of the GDPR. The success of our company depends on maintaining the trust of our users and other stakeholders in our ability to deliver a secure and quality product. A summary of our GDPR-compliant policies for the benefit of our customers can be found below. You may find a full version of our policy here.

Personal Data We Collect

The information Canary accesses and collects depends on the way you use it. By default, Canary does not collect or store the content of your personal email messages, whether incoming or outgoing.

In order to function properly, Canary Mail for Mac, iOS, and Android accesses your name, email address, credentials (such as OAuth access tokens for email servers which support them), and email content. This information is stored on your device and is never shared with 3rd parties. We may store your email address in order to contact you regarding important security and / or product updates.

The only scenario in which we will temporarily store this data is if users of Canary Mail for iOS or Android choose to enable Push notifications when they receive email, or if users use the Cloud Sync feature. For delivering Push notifications, Canary will temporarily store your email address, credentials, sender, subject line, and first line of the message on our server. Data associated with a specific email is deleted as soon as the notification for that email is delivered to your device. All data is cleared from our server when notifications are disabled on Canary Mail for iOS or Android or when you switch from Push to Fetch mode, in which case all data is stored locally only and new emails are fetched directly from your device. Similarly, data associated with Cloud Sync is also cleared as soon as you disable Cloud Sync from your device(s).

Canary's Copilot feature leverages cutting-edge ML technology. Your data including that from Google services, is not used to develop, improve, or train generalized/non-personalized AI and/or ML models. Personalised ML models - including for prioritization are created, trained and stored on-device. Only you have access to your own models.
State-of-the-art language models are extremely large and computationally intensive and hence must be hosted on server. Using Copilot for writing, summarizing or replying to emails, or using the Copilot chat feature will leverage models offered by top-tier providers such as OpenAI, Anthropic, Cohere, Google and others. However, we have opted out of data sharing - your data will not be used to train or improve 3rd party models. Diagnostic data will only be collected if the 'Help improve Canary' setting is enabled.

How We Use Personal Data

The information we collect is used only to operate and maintain Canary Mail. We do not use cookies or similar technology to show you interest-based advertising, nor do we extract data from the content of your emails for tracking or advertising purposes.

We do use certain data we collect from you for internal purposes such as analyzing how Canary is used, diagnosing service or technical problems, and maintaining security. This includes information such as the marketing channel from which you learned about and downloaded Canary Mail, how often you use it, aggregated usage data, and other performance data.

Canary’s use of information received from Gmail APIs adheres to Google's Limited Use Requirements.

Reasons We Share Personal Data

As is true of most websites and apps, Canary uses the services of third parties to support its operation and maintenance. These include parties which provide services for usage analytics, hosting and backend infrastructure, infrastructure monitoring, and customer support. Some of these third parties gather only anonymized and aggregated data and are not granted access to personal data such as names, email addresses, and IP addresses. Users who do not wish to make their data available to third-party vendors can disable analytics in the in-app settings or choose not to use their features. We do not have special relationships with any of these service providers. Canary has also entered into Data Processor Agreements with its third-party service providers as necessary in order to ensure that they are under the same GDPR privacy obligations as Canary.

Access and Control of Your Personal Data

Canary provides its users with as much control over their data as possible. Users can connect Canary with a number of third-party services, such as Google Drive and Dropbox for uploading large files, Unsplash for a selection of background images, and Intercom for customer support. These are optional services which we have provided for our users’ convenience. Users can also choose to sync preferences, accounts, signatures, etc. across devices via their personal iCloud account. They can opt-in for this functionality and later opt-out and delete all data stored on iCloud at any time. Canary iOS or Android users can instantly delete information stored to deliver Push notifications by disabling notifications or switching to Fetch.

Information storage and security

We implement rigorous security measures to protect the integrity and confidentiality of your data, including data from Google services. All data is encrypted in rest and in transit.

Know Your Rights

Under the GDPR, if you are an EU citizen you have the right:

  • to access your personal data
  • to be provided with information about how your personal data is processed
  • to have your personal data corrected
  • to have your personal data erased in certain circumstances
  • to object to or restrict how your personal data is processed
  • to take any complaints about how we process your data to the DataProtection Authority in your country

Contact Us

Your information is controlled by Cartasec Pte. Ltd. You may direct any questions regarding this policy to: info [at]