Legal
Privacy Policy
Last updated: July 17, 2026
What We Collect
When you use our contact form, we collect your name, email address, and company URL. We use IP addresses to rate-limit contact, audit, product-access, and AI-inference requests. Product access requests also collect requester type, an optional agency or business name, product interest, account range, reporting stack, and any use-case details you choose to provide. Contact rate limits remain in process memory; the audit and inference limits retain only a one-way hash and short-lived timestamps, not the raw IP address. We do not add IP addresses to new lead records. When you run the free onsite technical audit, we process the URL you submit. The AI-inference step may cache the submitted domain, derived business label, and generated result for up to 24 hours; it does not cache the full page content. Google Analytics collects website usage data as described in its own privacy documentation. On the audit page, we record first-touch campaign parameters when present, including UTM values, OpenAI's privacy-preserving referral value, the landing path, referrer origin, and capture time. The browser keeps this attribution for the current session. If you request a full report, the allowlisted attribution fields are saved with that lead.
How We Use It
Contact form submissions are used to respond to your inquiry and send the AI Visibility Report if requested. Audit URLs are processed in real time; the limited inference cache described above prevents duplicate analysis. Product access requests are used only to evaluate Canonry Embedded onboarding or Canonry Ads beta access. For agency users, client details introduced through product requests are not used to market Canonry Managed. We retain contact submissions only as long as needed to respond to the inquiry, manage the relationship, or maintain required business records. Analytics data helps us understand how the site is used. When OpenAI Ads measurement is enabled, we use one lead event ID in the browser and on the server to measure and deduplicate a completed full-report request.
Third Parties
We use Resend for email delivery, Google Analytics for site analytics, and Google Cloud Vertex AI for the optional AI-inference step in the free audit. That step sends up to 6,000 characters of publicly available visible page text and structured data to a Gemini model hosted through Vertex AI in the United States. Canonry may cache the submitted domain, derived business label, model ID, inferences, and summary for up to 24 hours; Canonry does not cache the full page content. We may use the OpenAI Ads Measurement Pixel and Conversions API to measure a lead created after an ad visit. The pixel may retain OpenAI's privacy-preserving referral value in a first-party cookie. The server event sends the event ID, event time, audit source URL, that referral value when available, and a SHA-256 hash of your normalized email address. We do not send your raw email address, name, company URL, audit results, or IP address to OpenAI for this event. We do not sell your data to third parties.
Your Rights
You can request deletion of your data at any time by emailing hello@canonry.ai.
Contact
Questions about this policy? Email hello@canonry.ai.