Skip to main content
CanaryLine
Legal

Privacy Policy

Last updated: April 2026

1. Who we are

CanaryLine is a SaaS platform operated within the European Union. We provide whistleblower reporting channel software to help organisations comply with EU Directive 2019/1937. All data processing occurs within the European Economic Area (EEA).

2. Data we collect

We collect the following categories of personal data:

  • Account data: Name, email address, company name, and role when you create an account or request a trial.
  • Usage data: Pages visited, features used, and session duration to improve our product.
  • Cookie data: As described in our cookie banner — only with your consent for non-essential cookies.
  • Contact form data: Email, company name, and employee count when you submit our lead capture form.

Whistleblower reports: Reports submitted through our platform are processed on behalf of our customers (the data controller). We act as a data processor and apply envelope encryption to protect reporter identity. We cannot access report contents without the customer's decryption keys.

3. How we use your data

  • To provide and improve our services
  • To respond to trial requests and support enquiries
  • To send product updates (only with consent)
  • To comply with legal obligations

4. Legal basis (GDPR Art. 6)

  • Consent — for marketing communications and non-essential cookies
  • Contract performance — to provide the service you subscribed to
  • Legitimate interest — for product improvement and security
  • Legal obligation — for tax, accounting, and regulatory compliance

5. Data storage and transfers

All data is stored in EU data centres located in Germany. We do not transfer personal data outside the EEA. Our sub-processors are contractually required to maintain equivalent data protection standards.

6. Data retention

We retain account data for the duration of your subscription plus 30 days. Whistleblower report data is retained according to the retention policy configured by each customer, in compliance with applicable member state laws. Contact form data is retained for a maximum of 12 months.

7. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

8. Cookies

We use strictly necessary cookies to operate the site. Analytics, marketing, and functional cookies are only set with your explicit consent via our cookie banner. You can change your preferences at any time using the "Cookie Settings" link in the footer.

9. Contact

For any privacy-related requests, contact our Data Protection Officer:

Email: privacy@canaryline.com

Terms of Service · EU Compliance