πŸ”’

Privacy Policy

Last updated: March 29, 2026

The TL;DR (because we respect your time)

We collect the minimum data needed to show you which users are bleeding your margins. We don't sell it. We don't mine it. We don't train AI models on it. Your data is yours β€” we just help you understand it.

Now, for the lawyers in the room…

1. Who we are

CostCanary ("we," "us," "the canary") is an AI cost monitoring platform for SaaS teams. When this policy says "Service," it means our web dashboard, SDK, API, VS Code extension, email digests, and any other CostCanary product.

2. What we collect

Account data

When you sign up via GitHub OAuth, we receive your email address, name, and GitHub profile avatar. That's it. We don't ask for your SSH keys, repo contents, or deepest secrets.

Usage telemetry (from your SDK)

When your app calls our SDK, we receive:

  • End-user IDs β€” the identifiers you choose to send us (could be UUIDs, emails, whatever you map)
  • Feature names β€” like "chat," "summarize," "translate"
  • Model names β€” e.g., "gpt-4o," "claude-3-haiku"
  • Token counts & computed cost
  • Call duration (optional)
  • Timestamps

We do not collect prompts, completions, API keys to your LLM providers, or any actual AI input/output content. We count tokens, not read conversations.

Stripe data (if you connect it)

When you connect Stripe, we receive webhook events containing customer IDs, subscription status, MRR amounts, and customer emails. We use this solely to calculate your per-user profitability. We never touch your Stripe customers' payment methods.

Automatically collected

Standard web stuff: IP addresses (for rate limiting, not stored long-term), browser type, and pages visited. No fingerprinting, no cross-site tracking pixels, no advertising cookies. We're a developer tool, not an ad network.

3. How we use your data

  • πŸ“Š Dashboard & analytics β€” powering your profitability reports
  • πŸ“¬ Weekly digest emails β€” if you opt in
  • 🚨 Alerts β€” triggering notifications when thresholds are crossed
  • πŸ† Benchmarks β€” aggregated, anonymized cost data across all users (you can't identify anyone else's data, and they can't identify yours)
  • πŸ”§ Service improvement β€” understanding usage patterns to build better features

We will never use your data to: sell to third parties, serve ads, train AI models, or do anything that would make you mass-uninstall our SDK in a rage.

4. Benchmark data & anonymization

Our industry benchmark feature aggregates cost-per-call data across all CostCanary users. This data is fully anonymized β€” stripped of user IDs, account identifiers, and any PII before aggregation. No one can reverse-engineer your specific costs from benchmark data. Think of it as a census, not a surveillance camera.

5. Data storage & security

  • Data is stored in PostgreSQL on Supabase (hosted in the US)
  • All connections use TLS encryption in transit
  • Database access requires authentication β€” no public endpoints to your raw data
  • API keys are used for SDK authentication
  • Stripe webhook signatures are verified per-user to prevent spoofing

We're a small, focused team. We don't have 47 microservices with unclear access controls. Your data touches our API, our database, and our background worker. That's the full list.

6. Third-party services

We use a small set of services to operate CostCanary:

  • Supabase β€” database hosting
  • Vercel β€” app hosting
  • Cloudflare Workers β€” background jobs (digests, alerts, benchmarks)
  • Resend β€” transactional email delivery
  • Stripe β€” payment processing & revenue data
  • GitHub β€” OAuth authentication

Each of these has their own privacy policy. We chose them because they're reputable and don't do weird things with customer data.

7. Data retention

  • Free tier: Usage data retained for 7 days
  • Starter tier: Usage data retained for 90 days
  • Account data: Retained until you delete your account

When data ages out of your retention window, it's deleted from our database. Not "soft deleted." Not "archived." Deleted.

8. Your rights

You can:

  • Export your data β€” email us and we'll send you everything we have
  • Delete your account β€” email us and we'll nuke it within 30 days
  • Opt out of digest emails β€” toggle in dashboard settings
  • Ask questions β€” we're real humans at support@costcanary.com

If you're in the EU (GDPR), California (CCPA), or anywhere else with data rights legislation β€” we respect all of it. Just reach out.

9. Cookies

We use exactly one category of cookie: authentication session cookies via NextAuth. No analytics cookies, no tracking pixels, no cookie banners that make you question your life choices.

10. Children

CostCanary is a B2B developer tool. We don't knowingly collect data from anyone under 16. If your 14-year-old is monitoring LLM margins, we're impressed but please have them wait a couple years.

11. Changes to this policy

If we make material changes, we'll email you and update the date at the top. We won't silently slip in a clause about selling your data to the highest bidder β€” that's not our vibe.

12. Contact

Questions? Concerns? Existential dread about your AI costs?

πŸ“§ support@costcanary.com

🐀
Questions about this privacy policy?
Email us at support@costcanary.com β€” we respond like real humans, because we are.