Privacy

Privacy Policy

Last updated: 2 May 2026

This policy describes how Crox Ltd ("Crox", "we", "us"), the operator of Canary at canary.crox.io, collects and uses your personal data when you visit the site, sign up for an account, or subscribe to a paid tier. We aim to keep this short and readable. If anything is unclear, email [email protected].

Who we are

Canary is a product of Crox Ltd, registered in England and Wales. The data controller for personal data collected through canary.crox.io is Crox Ltd. Contact: [email protected].

What we collect

Information you give us

Your email address, when you sign up for Canary Watch, Track, or Oversee.
Your name, firm, and role, when you provide them on signup or in correspondence.
Billing information, when you subscribe to a paid tier. Card details are processed by our payments provider and never stored on Canary servers.
The local authorities you elect to monitor, and any preferences you set.

Information collected automatically

Standard server logs: IP address, browser, referring page, timestamps. Used for security and diagnostics. Retained for 30 days.
Product analytics: pages visited, features used. Aggregated and used to improve Canary. See the cookie policy for tooling and opt-out.

What we do not collect

Canary processes data published by the Care Quality Commission. That data is public, not personal to you, and is not collected from you. We do not collect special category data, health information, or data about the people receiving care services.

Why we use it

Purpose	Lawful basis (UK GDPR)
Operate your Canary account, deliver the monthly synthesis, send alerts you opted into.	Performance of contract.
Process payments for paid tiers.	Performance of contract.
Send service messages (downtime, billing, policy changes).	Legitimate interest in keeping you informed.
Improve Canary based on aggregate product analytics.	Legitimate interest in product development.
Send occasional product updates by email.	Consent. Unsubscribe in any email.
Comply with legal obligations and respond to valid legal requests.	Legal obligation.

Who we share it with

We share your data only with the processors required to run Canary:

Hosting and infrastructure: cloud providers based in the UK and EU.
Email delivery: a transactional email provider for monthly synthesis and account messages.
Payments: a PCI-compliant payments processor.
Analytics: a privacy-respecting product analytics provider. See cookies.

We do not sell personal data. We do not share your data with advertisers. A current list of subprocessors is available on request to [email protected].

Where it lives

Canary's primary infrastructure is hosted in the United Kingdom. Some processors operate in the European Economic Area, the United States, or both. Where personal data leaves the UK or EEA, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent safeguard.

How long we keep it

Account data: for the life of your account, plus 30 days after deletion to handle any final billing or support queries.
Billing records: seven years, to meet UK accounting and tax obligations.
Server logs: 30 days.
Marketing email lists: until you unsubscribe.

Your rights

Under UK and EU GDPR you have the right to:

Access the personal data we hold about you.
Have inaccurate data corrected.
Have your data erased, where we have no overriding lawful reason to keep it.
Restrict or object to processing.
Receive your data in a portable format.
Withdraw consent for marketing at any time.
Lodge a complaint with the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Security

Canary uses TLS in transit, encryption at rest, role-scoped access, and audit logging. Account passwords are hashed using a modern key-derivation function. We will notify affected users without undue delay in the event of a personal data breach that meets the UK GDPR threshold.

Children

Canary is a B2B product. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided data to us, contact [email protected] and we will delete it.

Changes to this policy

We will post material changes here and notify active subscribers by email. The “last updated” date at the top reflects the most recent revision.

Contact

Questions, requests, or complaints: [email protected].