Privacy Policy
Last updated: March 18, 2026
1. Introduction
FlareCanary ("we," "us," or "our") operates the FlareCanary API monitoring service at flarecanary.com. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data. We are committed to protecting your privacy and handling your data transparently.
By using FlareCanary, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.
2. Information We Collect
Account Information: When you create an account, we collect your email address and authentication credentials. Passwords are hashed using bcrypt and are never stored in plaintext.
API Endpoint Data: We store the API endpoint URLs, custom headers (such as authentication tokens), and response schemas you configure for monitoring. We poll these endpoints on your behalf and store response schemas for comparison. We do not store full API response bodies — only the structural schema.
Usage Data: We collect basic usage information including login timestamps, pages visited within the application, feature usage patterns, and the number of endpoints monitored. This data is used to improve the Service and is not shared with third parties for marketing purposes.
Waitlist: If you join our waitlist, we collect your email address solely to notify you about product availability.
Contact Form: If you contact us, we collect your name, email, and message content to respond to your inquiry.
Payment Information: If you subscribe to a paid tier, payment processing is handled by Stripe. We do not store your credit card number, CVV, or full payment details. We receive and store only a customer identifier, subscription status, and billing email from Stripe.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for (account data, endpoint monitoring).
- Legitimate interests: Improving the Service, preventing abuse, and ensuring security.
- Consent: Where required, such as for optional marketing communications. You may withdraw consent at any time.
- Legal obligation: Where we are required to retain or disclose data by law.
4. How We Use Your Information
- To provide, maintain, and improve the FlareCanary service
- To send you alerts about detected schema drift on your monitored endpoints
- To respond to support inquiries and contact form messages
- To send transactional emails (account verification, password resets, billing notifications)
- To send product updates and announcements (you can opt out at any time)
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes.
5. Data Storage, Security & Retention
Your data is stored on Neon (PostgreSQL database hosting) with servers in the United States. The application is served via Vercel. All data is encrypted in transit via TLS. Passwords are hashed using bcrypt.
We retain your account data for as long as your account is active. After account deletion, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or preventing fraud). Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics purposes.
Waitlist emails are retained until the waitlist is closed or you request removal. Contact form submissions are retained for up to 12 months.
6. Third-Party Services
We use the following third-party services to operate FlareCanary. Each processes data only as necessary to provide its service:
- Vercel — application hosting and deployment (United States)
- Neon — PostgreSQL database hosting (United States)
- Resend — transactional email delivery for alerts and contact form responses
- Stripe — payment processing for paid subscriptions
We do not share your personal data with any other third parties unless required by law.
7. International Data Transfers
Our Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure that any data transfers comply with applicable data protection laws, including through the use of standard contractual clauses where required.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request deletion of your personal data. You can delete your account at any time, and we will process data deletion within 30 days.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing of your data based on legitimate interests.
- Restriction: Request that we restrict processing of your data under certain circumstances.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
For California residents (CCPA/CPRA): You have the right to know what personal information we collect and how it is used, to request deletion of your personal information, to opt out of the sale of personal information (we do not sell your data), and to not be discriminated against for exercising your rights. To submit a request, contact us at privacy@flarecanary.com.
To exercise any of these rights, contact us at privacy@flarecanary.com. We will respond to all legitimate requests within 30 days.
9. Cookies & Tracking
FlareCanary uses only essential cookies required for authentication and session management. We do not use analytics cookies, advertising cookies, or third-party tracking scripts. We do not participate in cross-site tracking or retargeting.
10. Children's Privacy
FlareCanary is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For privacy-related inquiries, data access requests, or to exercise your rights, contact us at privacy@flarecanary.com.
For general inquiries, contact us at hello@flarecanary.com or use our contact form.