Privacy Policy

Last updated: January 2025

1. Introduction

Canary ("we," "our," or "us") is a dependency vulnerability scanning service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By accessing Canary, you consent to the practices described in this policy.

2. Information We Collect

When you authenticate with GitHub OAuth, we receive and store:

  • Your GitHub username and display name
  • Your GitHub user ID
  • Your verified email address
  • Your public profile avatar URL

We also collect repository metadata (dependency manifests, lock files) that you explicitly connect for scanning. We do not access your source code beyond dependency manifest files.

3. How We Use Your Information

  • Authenticate and identify you within the service
  • Scan your project dependencies against vulnerability databases (GHSA, OSV, NVD, npm)
  • Deliver vulnerability alerts and reports
  • Improve and maintain the service

4. Cookies & Local Storage

We use a secure, HttpOnly session cookie to maintain your authenticated session. We also store a session token in your browser's local storage for API authentication. We do not use third-party tracking cookies or analytics scripts.

5. Third-Party Services

We integrate with the following third-party services:

  • GitHub — OAuth authentication and repository access
  • Cloudflare — Hosting, CDN, and edge compute infrastructure

Each service operates under its own privacy policy. We encourage you to review their respective policies.

6. Data Retention

We retain your account data for as long as your account is active. Session tokens expire after 7 days. If you delete your account or revoke GitHub access, we will remove your personal data from our systems within 30 days.

7. Data Security

We implement industry-standard security measures including encrypted connections (TLS), secure token storage, CSRF protection, and regular security reviews. However, no method of electronic transmission or storage is 100% secure.

8. Your Rights

You may at any time:

  • Request a copy of your stored data
  • Request deletion of your account and associated data
  • Revoke GitHub OAuth access from your GitHub settings

9. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the revised policy.

10. Contact

If you have questions about this Privacy Policy, contact us at privacy@canary.dev.