Policy Canary

Privacy Policy

Effective: March 2026

Policy Canary provides AI-powered regulatory intelligence for the food, supplement, and cosmetics industries. This policy explains what data we collect, how we use it, and your rights.

1. What We Collect

We collect the following categories of information:

  • Account information — your email address and name when you create an account
  • Product profiles — the products you add for monitoring, including product names, types, ingredients, and categories
  • Regulatory intelligence preferences — the sectors, topics, and product categories you choose to monitor
  • Payment information — processed and stored entirely by Stripe; we do not store your card number or bank details
  • Usage data — pages viewed, features used, and session information collected via PostHog analytics
  • Email subscriber information — your email address when you sign up for the free weekly digest

2. How We Use Your Data

  • Regulatory monitoring — matching FDA regulatory changes against your product profiles
  • Personalized intelligence emails — delivering alerts and summaries tailored to your monitored products
  • AI enrichment — analyzing regulatory documents using AI to extract relevance, affected product types, and impact assessments
  • AI-powered search — enabling natural-language search across the regulatory intelligence database
  • Weekly updates — sending digest emails summarizing the week's regulatory activity
  • Analytics — understanding how the product is used so we can improve it
  • Payment processing — managing subscriptions and billing through Stripe

3. Third-Party Service Providers

We use the following service providers to operate Policy Canary. Each processes data under its own privacy policy:

Provider | Purpose | Data Processed
Supabase | Database & authentication | Account data, product profiles, regulatory data
Vercel | Hosting & deployment | Request logs, IP addresses
Google (Gemini) | AI enrichment of regulatory documents | Regulatory document text (public FDA data)
OpenAI | AI search & embeddings | Search queries, regulatory text
Anthropic | AI-powered email personalization | Subscriber product context, regulatory text
Stripe | Payment processing | Payment details, billing information
Resend | Email delivery | Email addresses, email content
PostHog | Product analytics | Usage data, session information
Vultr | Content automation server | Regulatory data for content generation

We do not sell your personal data to third parties.

4. Artificial Intelligence Disclosure

Policy Canary uses three AI providers to analyze and deliver regulatory intelligence:

  • Google Gemini — processes publicly available FDA regulatory documents to extract structured data, impact assessments, and cross-references. No subscriber data is sent to Google.
  • OpenAI — powers semantic search and generates embeddings for the regulatory intelligence database. Search queries are processed but not used for model training (API data usage policy).
  • Anthropic (Claude) — personalizes intelligence emails based on subscriber product context. This means your product names, types, and categories may be sent to Anthropic to generate relevant summaries. Anthropic does not use API inputs to train models.

All AI providers are used via their API services with data processing agreements. None of the providers use your data to train their models.

5. Data Security

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Database encryption at rest via Supabase
  • Row-level security (RLS) policies ensure subscribers can only access their own data
  • Tenant isolation — your product profiles and preferences are not visible to other subscribers
  • Payment data is handled entirely by Stripe, which is PCI DSS Level 1 certified

6. Data Retention

  • Active accounts — your data is retained for as long as your account is active
  • After cancellation — product profiles and account data are retained for 60 days after cancellation, then permanently deleted
  • Email subscribers — your email address is retained until you unsubscribe
  • Regulatory data — publicly sourced regulatory information is retained indefinitely as part of the intelligence database

7. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Deletion — request deletion of your account and associated data
  • Export — export your product profiles and account data
  • Correction — update or correct your personal information
  • Unsubscribe — opt out of marketing and digest emails at any time using the unsubscribe link in any email

To exercise any of these rights, contact us at team@policycanary.io.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know — you can request what personal information we collect, use, and disclose
  • Right to delete — you can request deletion of your personal information
  • Right to opt out of sale — we do not sell your personal information. There is nothing to opt out of.
  • Non-discrimination — we will not discriminate against you for exercising your CCPA rights

9. Children's Privacy

Policy Canary is a business service not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at team@policycanary.io and we will delete it.

10. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify subscribers by email before the changes take effect. The “Effective” date at the top of this page indicates when the policy was last revised.

11. Contact

If you have questions about this privacy policy or your data, contact us: