Your privacy is important to us. This Privacy Policy explains how Canary collects, uses, and protects your information when you use our mobile application.
Last updated: 23 June 2026
team@laxir.usWe rely on the following legal bases. Where more than one could apply, we identify the primary basis.
| Purpose | Data involved | Legal basis |
| Creating/operating your account; delivering core learning features; providing and billing Premium | Account, profile, learning activity, subscription data | Contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Optional location sharing, map and discovery features | Approximate/coarse location | Consent (Art. 6(1)(a)) — via OS permission and the in-app location toggle |
| Optional karaoke/pronunciation recording, transcription and sharing | Audio/video recordings | Consent (Art. 6(1)(a)) for recording; Contract for returning the result you requested |
| Push notifications and marketing communications | Push token, contact details, preferences | Consent (Art. 6(1)(a)); withdrawable in settings or the OS |
| Analytics, session replay, A/B testing, product improvement | Usage, device and diagnostic data | Legitimate interests (Art. 6(1)(f)) — to understand and improve the App; consent where required by local law / for non-essential tracking |
| Marketing attribution and measurement | Attribution and device identifiers | Consent (Art. 6(1)(a)) where tracking requires it (incl. iOS ATT); otherwise legitimate interests |
| Security, fraud prevention, content moderation, abuse handling | Account, device, content and report data | Legitimate interests (Art. 6(1)(f)); legal obligation where applicable |
| Customer support | Communications and related account data | Contract / legitimate interests |
| Meeting legal, tax and regulatory obligations | As required | Legal obligation (Art. 6(1)(c)) |
Legitimate interests. Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms (a "legitimate interest assessment"). In summary, we believe analytics, product improvement, security and moderation are necessary to run a safe, functioning service, are limited to what is needed, and do not override your interests — particularly because you can object (see §13) and because we minimize and, where possible, aggregate the data used. You can ask us for more detail about a given assessment.
Special category data. We do not intentionally collect special-category data (such as health, religion, or sexual orientation). Please do not include such information in free-text fields, your profile, or messages.
Canary includes social and community features. To keep them safe:
- Visibility. Your profile (name, optional photo, city, "about me") is visible to other users. Content you post or share is visible to the audience you choose. Messages are delivered to the people you send them to and may remain in their copy of the conversation.
- Storage and access. Messages and shared media are stored in our cloud (Firestore/Firebase Storage). Access to production user data is restricted to authorized personnel through an internal admin console and is used for support, moderation, safety and operating the service.
- Moderation. We use a combination of automated image-safety screening and human review (including in response to user reports) to detect and act on content that violates our terms (e.g. abusive, explicit or illegal content).
- Blocking and reporting. You can block other users and report content or accounts. We may remove content, restrict features, or suspend accounts that breach our rules.
- Removal and retention. When you delete content, or when we remove reported content, it is removed from the App; residual copies may persist briefly in backups (see §12) and we may retain limited records of moderation actions and reports for safety, legal and audit purposes.
We do not sell your personal data. We share it only as described here.
a) Other users — the parts of your profile and content you choose to make visible (see §9).
b) Service providers (processors) acting on our instructions. We use the following key providers. Each processes only the data needed for its function, under a data processing agreement (see §11):
| Provider | Function | Data involved | Role |
| Google Firebase / Google Cloud (Auth, Firestore, Storage, Cloud Functions, Crashlytics, Analytics) | Core backend, authentication, database, file storage, crash reporting, analytics | Account, profile, learning, content, recordings, device, diagnostic | Processor |
| CellGoogle Sign-In / Apple Sign in with Apple | Authentication | Identifiers, name, email | Independent controllers for the sign-in step |
| Google Maps | Map display for location features | Location, map interactions | Processor / provider |
| OpenAI | AI transcription and learning-content generation | Audio recordings, lyrics/learning text | Processor |
| RevenueCat + Apple App Store / Google Play | Subscription management and payments | Subscription/purchase data, app-store identifiers | Processor (RevenueCat); independent controllers (Apple/Google) |
| PostHog | Product analytics, session replay, A/B testing | Usage, device, event and replay data | Processor |
| Sentry | Error and performance monitoring | Diagnostic and device data | Processor |
| OneSignal | Push notifications | Push token, device data, notification events | Processor |
| Algolia | Search | Search queries and indexed catalog data | Processor |
| AppsFlyer, Meta (Facebook) App Events, GoMarketMe | Marketing attribution and measurement | Device/attribution identifiers, install/event data | Processor / partners |
| YouTube / Google | Music and video playback | Playback interactions, device data | Independent controller (Google) |
| Translation services | Word/phrase translation | Text submitted for translation | Processor / provider |
This list reflects our current providers and may change as the App evolves; we will keep it up to date. We maintain an internal inventory of processors and sub-processors.
c) Legal, safety and corporate — we may disclose data where necessary to comply with the law, respond to lawful requests, enforce our terms, protect the rights and safety of users and the public, or in connection with a merger, acquisition or asset sale (with appropriate safeguards).
Canary uses providers located in, or that process data in, the United States and other countries outside the EU/EEA and UK. This means your data may be transferred internationally.
Where we transfer personal data outside the EU/EEA or the UK, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum), together with additional technical and organizational measures.
As the platform scales, we are actively putting in place data processing agreements (DPAs) and Standard Contractual Clauses with our processors and mapping all sub-processors. We are also reviewing EU-region hosting options where appropriate. You can contact us (see §1) to ask which safeguards apply to a specific transfer or to request a copy of the relevant mechanism.
We keep personal data only for as long as necessary for the purposes in this policy. Two rules apply when you remove data:
- Content you delete is removed immediately. When you delete a recording, a message, a shared photo/video, or other content, it is deleted from the service straight away. (Residual copies in routine backups are overwritten in the normal backup cycle — see the Backups row below.)
- Account deletion has a 30-day restoration window. When you delete your account, it is deactivated immediately and becomes unusable, but is held for 30 days so you can restore it if you change your mind. If you do not restore it within that window, your account and its associated personal data are permanently deleted after 30 days.
Some categories are governed by the retention settings of the providers that process them, and we may keep limited data longer where required by law or to resolve disputes.
| Data | Retention |
| Account and profile data | For the life of your account. On account deletion: deactivated immediately, restorable for 30 days, then permanently deleted. |
| Karaoke/pronunciation recordings and shared media | Until you delete them — deleted immediately on deletion; also removed when your account is permanently deleted. |
| In-app messages | Until you delete them — deleted immediately on deletion; a copy may remain in the other participant's conversation. Removed when your account is permanently deleted. |
| Audio sent to the AI transcription provider | Processed to return your result; our provider retains API inputs for a limited period (up to 30 days) for abuse monitoring, then deletes them, and does not train on them. |
| Learning activity and progress | For the life of your account (so we can show your progress); permanently deleted when your account is permanently deleted. |
| Analytics, session replay and attribution data | Governed by our analytics providers' retention settings; pseudonymized where possible and deleted following permanent account deletion. |
| Crash and diagnostic logs | Up to 90 days (per our error-monitoring providers' default retention). |
| Support communications | Kept while needed to handle and document your request, then deleted unless a longer period is legally required. |
| Moderation records and reports | As needed for safety, legal and audit purposes. |
| Backups | Routinely overwritten; residual copies of deleted data are cleared in the normal backup rotation (within 30 days). |
Inactive accounts. We may delete or anonymize accounts that have been inactive for an extended period (e.g. 24 months), after attempting to notify you.
Account deletion. You can delete your account in the App or by contacting us. Your account is deactivated immediately and held for 30 days, during which you can restore it; after 30 days it and its associated personal data are permanently deleted, except for any records we must keep by law and residual backup copies that are cleared in the normal backup rotation.
Subject to applicable law (and in particular the GDPR/UK GDPR for users in the EU/EEA and UK), you have the right to:
- Access - obtain a copy of the personal data we hold about you;
- Rectification - correct inaccurate or incomplete data;
- Erasure - have your data deleted ("right to be forgotten");
- Restriction - limit how we process your data in certain cases;
- Objection - object to processing based on legitimate interests, and to object to direct marketing at any time;
- Portability - receive certain data in a portable format, or have it sent to another controller where technically feasible;
- Withdraw consent - at any time, where processing is based on consent (see §7);-
- Lodge a complaint - with a data protection supervisory authority.
How to exercise your rights. Email us at team@laxir.us, or use the in-app account controls. We will respond within one month, as required by the GDPR (extendable by two further months for complex requests, in which case we will let you know). We may need to verify your identity before acting. These services are provided free of charge unless a request is manifestly unfounded or excessive.
Supervisory authority. If you are in the EU/EEA or the UK, you can complain to your local data protection authority. In the UK, the relevant authority is the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns first.
US users. Depending on your state, you may have additional rights (for example to access, delete, or opt out of certain sharing of your personal information). We do not sell your personal data. Contact us to exercise any such rights.
In the app. Canary does not rely on traditional browser cookies, but it does use software development kits (SDKs) and device identifiers that perform similar functions for analytics, performance, attribution and personalization. These include the analytics, error-monitoring, push and attribution providers listed in §10 (e.g. PostHog, Firebase Analytics, Sentry, AppsFlyer, Meta, GoMarketMe).
- Session replay. Our analytics tooling may capture replays of in-app interactions to help us diagnose issues and improve usability. We aim to mask sensitive fields where supported.
- iOS App Tracking Transparency (ATT). On Apple devices, we ask for your permission before engaging in cross-app/website tracking for attribution. If you decline, we do not use the identifier for tracking.
- Choices and opt-outs. You can limit analytics/tracking via your device settings (e.g. iOS ATT, "Limit Ad Tracking" / resetting your advertising ID on Android), by declining optional permissions, and-where offered-through in-app privacy settings. Essential processing needed to run the App and your account cannot be turned off while you use the service.
On the website. Our website (singwithcanary.com) may use cookies or similar technologies for basic functionality and analytics. Where required by law, we will present a cookie/consent banner and honor your choices.
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (e.g. HTTPS/TLS) and encryption at rest for data stored with our cloud providers;
- Access controls - access to production user data is restricted to authorized personnel on a need-to-know basis through our internal admin console, and is used for support, moderation, safety and operating the service;
- Authentication via trusted providers (Google, Apple) and platform security features;
- Monitoring for errors, abuse and security issues; and
- Vendor management - we select reputable providers and put data processing agreements in place (see §11).
No method of transmission or storage is completely secure. If we become aware of a personal data breach that is likely to present a risk to you, we will notify the relevant supervisory authority and affected users where required by law.
Canary is intended for users aged 16 and over, and is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will take steps to delete it.
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by posting the updated policy in the App and on our website and updating the "Last updated" date above, and-where required-by additional notice or by asking for your consent.