Privacy Policy

Your privacy is important to us. This Privacy Policy explains how Canary collects, uses, and protects your information when you use our mobile application.

Last updated: 23 June 2026

1. Who we are and how to contact us

Your privacy matters to us. This Privacy Policy explains how Canary (the "App", available at singwithcanary.com and through the Apple App Store and Google Play) collects, uses, shares, and protects your personal data, and the rights you have over it.

Data controller. The entity responsible for your personal data (the "data controller" under the EU General Data Protection Regulation (GDPR) and the UK GDPR) is:

- Laxir LLC ("Canary", "we", "us", "our")
- A limited liability company organized in California, United States
- Registered address: Los Angeles, California, United States

Privacy contact. For any privacy question or to exercise your rights, contact:
- Email: team@laxir.us

2. Scope

This policy applies to the Canary mobile app, our website at singwithcanary.com, and related services. It does not apply to third-party services we link to or integrate with, which are governed by their own privacy policies (see §10).

This version materially expands the previous policy to reflect how the App actually works today, including: a complete list of the third-party providers we use; the fact that karaoke and pronunciation audio is processed in the cloud (not only stored on your device); our use of AI for transcription, vocabulary, grammar and recommendations; location, map and social-discovery features; in-app messaging and photo/video sharing; and the legal bases, retention periods, and transfer safeguards that apply.

3. Quick summary

Who controls your data
Laxir LLC (see §1)

What we collect
Account details, profile (incl. optional photo, "about me", gender, age range), optional precise location, learning activity, optional karaoke/pronunciation audio, messages and shared media, device/usage data, subscription status.

Why
To provide and secure the App, deliver paid features, personalize learning, enable social features, analyze and improve the product, and meet legal obligations.

Legal bases
Contract, consent, legitimate interests, and legal obligation (see §6).

Who we share with
Service providers that process data on our behalf (Firebase/Google, OpenAI, RevenueCat, analytics, attribution, push, error-monitoring, search) and other users for the parts of your profile/content you choose to make visible (see §10).

Where it goes
Some processing occurs outside the EU/UK, mainly in the United States, under appropriate safeguards (see §11).

How long
Only as long as needed for the purposes in this policy; see the retention table in §12.

Your rights
Access, rectification, erasure, restriction, objection, portability, and to complain to a supervisory authority (see §13).|

Minimum age
16+

4. The personal data we collect

We collect data you give us directly, data generated as you use the App, and alimited amount of data from third parties (e.g. sign-in providers and attributionpartners). Where data is optional, we say so; everything else is needed toprovide the App or a feature you request.

4.1 Account and identity data (required)
- Email address and authentication identifiers.
- If you sign in with Google or Apple: the identifier, name and email those  providers share with us (Sign in with Apple may relay a private email).
- Account metadata: account creation date, last sign-in, roles/status.

4.2 Profile and social data

- Name / display name shown to other users on your profile.
- Profile photo / avatar - visible to other users; we also  generate a small (64×64) version used as a map marker.
- About me free text (optional)
- Gender
and age range (optional) - used to personalize the experience  and for aggregate analytics.
- Languages you are learning and your self-declared proficiency
- Blocked users list, so we can hide blocked accounts from you.

4.3 Location data (optional, permission-based)
- If you grant location permission and enable location sharing, we collect your  device location, including precise GPS coordinates, to place you on the  in-app map and to power location-based discovery and "practice near me"–style  social features.
- Your public profile shows your city (and country), not your exact  coordinates. You control whether your location is shared via the in-app  "show location" setting, and you can turn it off or revoke the OS permission at  any time.

4.4 Learning activity and progress (required to provide the service)
- Songs played and completed, lessons, quizzes and quiz results, vocabulary you  save or look up, grammar practice, search history, streaks, XP and levels,  badges and achievements, and in-app "feather" balance.
- Timestamps of certain activities (e.g. quizzes, searches, dictionary look-ups)  used to compute streaks, limits and progress.

This activity data is **linked to your account** so we can show your progressacross devices and personalize learning.

4.5 Audio and video recordings
(optional)
- If you use karaoke / sing-along recording or pronunciation practice, we  collect the audio (and, where applicable, video) you record.
- These recordings are uploaded to our cloud storage (Firebase Storage) so they  can be played back and, where you share them, shown to other users. Audio is also  sent to our AI transcription provider (OpenAI Whisper) to align lyrics and  assess pronunciation.
- We do not use your recordings to train our own or third parties' AI models.  Our AI provider processes audio only to return the transcription/result and does  not use API content to train its models (see §8 and §10).- Pronunciation features that use your device's built-in speech recognition may  send short voice snippets to Apple or Google speech services, governed by  their privacy policies.

4.6 User-generated content and messages (optional)
- In-app messages you send in chats, and any photos or videos you attach,  are stored in our cloud (Firestore and Firebase Storage) so they can be delivered  to the recipient(s).
- Content you post to community surfaces (e.g. shared takes, stories/shorts) is  visible to the audience you choose.

4.7 Subscription and purchase data
- Subscription status, plan, entitlements, and purchase/renewal events for Canary  Premium, processed through RevenueCat and the Apple App Store / Google  Play. We do not receive or store your full payment-card details - those are  handled by Apple/Google.

4.8 Device, technical and diagnostic data
- Device model, operating system and version, app version, language/region  settings, device and installation identifiers, push token (for notifications),  approximate region/IP-derived data, and crash/diagnostic logs.

4.9 Usage, analytics and attribution data
- How you interact with the App (screens viewed, features used, events, and session replays of in-app interactions), used to understand and  improve the product and to run A/B experiments.
- Marketing attribution data (e.g. which campaign or referral led you to  install), collected via attribution partners and, on iOS, subject to your App  Tracking Transparency choice (see §14).

4.10 Communications and support
- Messages you send us (e.g. support requests, feedback, bug reports) and the  contents of those communications.

5. How we use your data

We use personal data to:

- create and manage your account and authenticate you;
- provide core learning features (songs, lyrics, quizzes, vocabulary, grammar, progress tracking) across your devices;
- transcribe and align audio, assess pronunciation, and generate learning content (quizzes, grammar, vocabulary) using AI (see §8);
- provide social and community features (profiles, the map, discovery/matching, practice requests, messaging, shared content) and let you control visibility, blocking and reporting;
- deliver and manage Canary Premium subscriptions and entitlements;
- send notifications you've enabled (e.g. reminders, social and learning nudges);
- personalize content and recommendations (see §8);
- measure, analyze and improve the App, including A/B testing and session replay;
- attribute installs and measure marketing, subject to your tracking choices;
-keep the App secure, prevent fraud and abuse, and moderate content;
- provide customer support and respond to your requests;
- comply with legal obligations and enforce our terms.

6. Legal bases for processing (GDPR / UK GDPR)

We rely on the following legal bases. Where more than one could apply, we identify the primary basis.

PurposeData involvedLegal basis
Creating/operating your account; delivering core learning features; providing and billing PremiumAccount, profile, learning activity, subscription dataContract (Art. 6(1)(b)) — necessary to provide the service you signed up for
Optional location sharing, map and discovery featuresApproximate/coarse locationConsent (Art. 6(1)(a)) — via OS permission and the in-app location toggle
Optional karaoke/pronunciation recording, transcription and sharingAudio/video recordingsConsent (Art. 6(1)(a)) for recording; Contract for returning the result you requested
Push notifications and marketing communicationsPush token, contact details, preferencesConsent (Art. 6(1)(a)); withdrawable in settings or the OS
Analytics, session replay, A/B testing, product improvementUsage, device and diagnostic dataLegitimate interests (Art. 6(1)(f)) — to understand and improve the App; consent where required by local law / for non-essential tracking
Marketing attribution and measurementAttribution and device identifiersConsent (Art. 6(1)(a)) where tracking requires it (incl. iOS ATT); otherwise legitimate interests
Security, fraud prevention, content moderation, abuse handlingAccount, device, content and report dataLegitimate interests (Art. 6(1)(f)); legal obligation where applicable
Customer supportCommunications and related account dataContract / legitimate interests
Meeting legal, tax and regulatory obligationsAs requiredLegal obligation (Art. 6(1)(c))


Legitimate interests. Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms (a "legitimate interest assessment"). In summary, we believe analytics, product improvement, security and moderation are necessary to run a safe, functioning service, are limited to what is needed, and do not override your interests — particularly because you can object (see §13) and because we minimize and, where possible, aggregate the data used. You can ask us for more detail about a given assessment.

Special category data. We do not intentionally collect special-category data (such as health, religion, or sexual orientation). Please do not include such information in free-text fields, your profile, or messages.

7. Consent and how to withdraw it

Where we rely on consent, you can withdraw it at any time without affecting processing already carried out. You can:

- turn location sharing off in the app's settings or revoke the OS location permission;
- disable microphone/camera permissions to stop recording features;
- turn notifications off in the app or your device settings;
- change your tracking choice (iOS App Tracking Transparency) in device settings, and use available analytics opt-outs (see §14);
- delete recordings, messages or other content you've created.

8. Automated processing, AI and personalization

We want to be transparent about how the App uses automation and AI:

- AI-generated learning content. We use a third-party AI provider (OpenAI) to generate and process learning material — for example transcribing and aligning song audio (Whisper), creating quiz questions, extracting vocabulary, generating grammar explanations, and classifying song difficulty/genre. The inputs are typically song lyrics and learning text; for transcription and pronunciation features, the input includes the audio you record.
- Recommendations and personalization. We use your learning activity (e.g. level, languages, history) to recommend songs and content and to adapt difficulty. This is rule-based and statistical personalization designed to improve your experience.
- Content moderation. Images shared in the App may be automatically screened for unsafe content (e.g. using image-safety detection) and may be reviewed by our team following reports (see §9).
- No legally significant automated decisions. We do not make decisions that produce legal or similarly significant effects about you solely by automated means (Art. 22 GDPR). Personalization and moderation may flag content for human review but do not, by themselves, determine your legal rights.
- No model training on your content. We do not use your recordings, messages or content to train AI models, and our AI provider does not use data submitted via its API to train its models.

9. User-generated content, community and moderation

Canary includes social and community features. To keep them safe:

- Visibility. Your profile (name, optional photo, city, "about me") is visible to other users. Content you post or share is visible to the audience you choose. Messages are delivered to the people you send them to and may remain in their copy of the conversation.
- Storage and access. Messages and shared media are stored in our cloud (Firestore/Firebase Storage). Access to production user data is restricted to authorized personnel through an internal admin console and is used for support, moderation, safety and operating the service.
- Moderation. We use a combination of automated image-safety screening and human review (including in response to user reports) to detect and act on content that violates our terms (e.g. abusive, explicit or illegal content).
- Blocking and reporting. You can block other users and report content or accounts. We may remove content, restrict features, or suspend accounts that breach our rules.
- Removal and retention. When you delete content, or when we remove reported content, it is removed from the App; residual copies may persist briefly in backups (see §12) and we may retain limited records of moderation actions and reports for safety, legal and audit purposes.

10. Who we share your data with

We do not sell your personal data. We share it only as described here.

a) Other users — the parts of your profile and content you choose to make visible (see §9).
b) Service providers (processors) acting on our instructions. We use the following key providers. Each processes only the data needed for its function, under a data processing agreement (see §11):

ProviderFunctionData involvedRole
Google Firebase / Google Cloud (Auth, Firestore, Storage, Cloud Functions, Crashlytics, Analytics)Core backend, authentication, database, file storage, crash reporting, analyticsAccount, profile, learning, content, recordings, device, diagnosticProcessor
CellGoogle Sign-In / Apple Sign in with AppleAuthenticationIdentifiers, name, emailIndependent controllers for the sign-in step
Google MapsMap display for location featuresLocation, map interactionsProcessor / provider
OpenAIAI transcription and learning-content generationAudio recordings, lyrics/learning textProcessor
RevenueCat + Apple App Store / Google PlaySubscription management and paymentsSubscription/purchase data, app-store identifiersProcessor (RevenueCat); independent controllers (Apple/Google)
PostHogProduct analytics, session replay, A/B testingUsage, device, event and replay dataProcessor
SentryError and performance monitoringDiagnostic and device dataProcessor
OneSignalPush notificationsPush token, device data, notification eventsProcessor
AlgoliaSearchSearch queries and indexed catalog dataProcessor
AppsFlyer, Meta (Facebook) App Events, GoMarketMeMarketing attribution and measurementDevice/attribution identifiers, install/event dataProcessor / partners
YouTube / GoogleMusic and video playbackPlayback interactions, device dataIndependent controller (Google)
Translation servicesWord/phrase translationText submitted for translationProcessor / provider

This list reflects our current providers and may change as the App evolves; we will keep it up to date. We maintain an internal inventory of processors and sub-processors.

c) Legal, safety and corporate — we may disclose data where necessary to comply with the law, respond to lawful requests, enforce our terms, protect the rights and safety of users and the public, or in connection with a merger, acquisition or asset sale (with appropriate safeguards).

11. International data transfers

Canary uses providers located in, or that process data in, the United States and other countries outside the EU/EEA and UK. This means your data may be transferred internationally.

Where we transfer personal data outside the EU/EEA or the UK, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum), together with additional technical and organizational measures.

As the platform scales, we are actively putting in place data processing agreements (DPAs) and Standard Contractual Clauses with our processors and mapping all sub-processors. We are also reviewing EU-region hosting options where appropriate. You can contact us (see §1) to ask which safeguards apply to a specific transfer or to request a copy of the relevant mechanism.

12. How long we keep your data

We keep personal data only for as long as necessary for the purposes in this policy. Two rules apply when you remove data:

- Content you delete is removed immediately. When you delete a recording, a message, a shared photo/video, or other content, it is deleted from the service straight away. (Residual copies in routine backups are overwritten in the normal backup cycle — see the Backups row below.)
- Account deletion has a 30-day restoration window. When you delete your account, it is deactivated immediately and becomes unusable, but is held for 30 days so you can restore it if you change your mind. If you do not restore it within that window, your account and its associated personal data are permanently deleted after 30 days.

Some categories are governed by the retention settings of the providers that process them, and we may keep limited data longer where required by law or to resolve disputes.

DataRetention
Account and profile dataFor the life of your account. On account deletion: deactivated immediately, restorable for 30 days, then permanently deleted.
Karaoke/pronunciation recordings and shared mediaUntil you delete them — deleted immediately on deletion; also removed when your account is permanently deleted.
In-app messagesUntil you delete them — deleted immediately on deletion; a copy may remain in the other participant's conversation. Removed when your account is permanently deleted.
Audio sent to the AI transcription providerProcessed to return your result; our provider retains API inputs for a limited period (up to 30 days) for abuse monitoring, then deletes them, and does not train on them.
Learning activity and progressFor the life of your account (so we can show your progress); permanently deleted when your account is permanently deleted.
Analytics, session replay and attribution dataGoverned by our analytics providers' retention settings; pseudonymized where possible and deleted following permanent account deletion.
Crash and diagnostic logsUp to 90 days (per our error-monitoring providers' default retention).
Support communicationsKept while needed to handle and document your request, then deleted unless a longer period is legally required.
Moderation records and reportsAs needed for safety, legal and audit purposes.
BackupsRoutinely overwritten; residual copies of deleted data are cleared in the normal backup rotation (within 30 days).

Inactive accounts. We may delete or anonymize accounts that have been inactive for an extended period (e.g. 24 months), after attempting to notify you.

Account deletion. You can delete your account in the App or by contacting us. Your account is deactivated immediately and held for 30 days, during which you can restore it; after 30 days it and its associated personal data are permanently deleted, except for any records we must keep by law and residual backup copies that are cleared in the normal backup rotation.

13. Your rights

Subject to applicable law (and in particular the GDPR/UK GDPR for users in the EU/EEA and UK), you have the right to:

- Access - obtain a copy of the personal data we hold about you;
- Rectification - correct inaccurate or incomplete data;
- Erasure - have your data deleted ("right to be forgotten");
- Restriction - limit how we process your data in certain cases;
- Objection - object to processing based on legitimate interests, and to object to direct marketing at any time;
- Portability - receive certain data in a portable format, or have it sent to another controller where technically feasible;
- Withdraw consent - at any time, where processing is based on consent (see §7);-
- Lodge a complaint - with a data protection supervisory authority.

How to exercise your rights. Email us at team@laxir.us, or use the in-app account controls. We will respond within one month, as required by the GDPR (extendable by two further months for complex requests, in which case we will let you know). We may need to verify your identity before acting. These services are provided free of charge unless a request is manifestly unfounded or excessive.

Supervisory authority. If you are in the EU/EEA or the UK, you can complain to your local data protection authority. In the UK, the relevant authority is the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns first.

US users. Depending on your state, you may have additional rights (for example to access, delete, or opt out of certain sharing of your personal information). We do not sell your personal data. Contact us to exercise any such rights.

14. Cookies, tracking and analytics

In the app. Canary does not rely on traditional browser cookies, but it does use software development kits (SDKs) and device identifiers that perform similar functions for analytics, performance, attribution and personalization. These include the analytics, error-monitoring, push and attribution providers listed in §10 (e.g. PostHog, Firebase Analytics, Sentry, AppsFlyer, Meta, GoMarketMe).

- Session replay. Our analytics tooling may capture replays of in-app interactions to help us diagnose issues and improve usability. We aim to mask sensitive fields where supported.
- iOS App Tracking Transparency (ATT). On Apple devices, we ask for your permission before engaging in cross-app/website tracking for attribution. If you decline, we do not use the identifier for tracking.
- Choices and opt-outs. You can limit analytics/tracking via your device settings (e.g. iOS ATT, "Limit Ad Tracking" / resetting your advertising ID on Android), by declining optional permissions, and-where offered-through in-app privacy settings. Essential processing needed to run the App and your account cannot be turned off while you use the service.

On the website. Our website (singwithcanary.com) may use cookies or similar technologies for basic functionality and analytics. Where required by law, we will present a cookie/consent banner and honor your choices.

15. Security

We implement appropriate technical and organizational measures to protect personal data, including:

- Encryption in transit (e.g. HTTPS/TLS) and encryption at rest for data stored with our cloud providers;
- Access controls - access to production user data is restricted to authorized personnel on a need-to-know basis through our internal admin console, and is used for support, moderation, safety and operating the service;
- Authentication via trusted providers (Google, Apple) and platform security features;
- Monitoring for errors, abuse and security issues; and
- Vendor management - we select reputable providers and put data processing agreements in place (see §11).

No method of transmission or storage is completely secure. If we become aware of a personal data breach that is likely to present a risk to you, we will notify the relevant supervisory authority and affected users where required by law.

16. Children's privacy

Canary is intended for users aged 16 and over, and is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will take steps to delete it.

17. Changes to this policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by posting the updated policy in the App and on our website and updating the "Last updated" date above, and-where required-by additional notice or by asking for your consent.

18. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: team@laxir.us


By using the Canary App, you acknowledge that you have read and understood this Privacy Policy.