Canary
Privacy Policy
TL;DR
Canary does not collect your personal information. It does not require an account, does not track your location, and does not store the content of your scans anywhere outside your device.
Canary does NOT collect
- Your name, email, phone number or any other account information
- The URLs or content of QR codes you scan
- Your location
- Your contacts or calendar
- Any device identifier linked to your identity (no IDFA, no IDFV)
What Canary does when it scans a QR
When you scan a QR code, Canary analyzes the QR content through a Canary-developed heuristic framework within the app.
For most QR types — contacts, calendar events, WiFi networks, plain text — analysis is performed entirely on your device and nothing is transmitted externally.
To improve risk assessment, Canary also relies on external security services who catalog and publish lists of fraudulent or suspicious entities. This keeps Canary current with malicious URLs, crypto wallets, and more.
Network requests to these external services pass through a proxy server operated by Mitch & Murray Holdings LLC. Only the data relevant to each check is transmitted — no user or device data, and no other user-identifying information is sent to the external provider. Providers see only the relevant data from the Canary server.
Raw QR content and URLs are not retained by these servers after a check is complete.
Third-party reputation services
Google Safe Browsing
When you scan a URL QR code, the destination URL is checked against Google Safe Browsing to identify known malicious sites.
Subject to Google’s Privacy Policy.
MistTrack
When you scan a cryptocurrency payment QR code, the wallet address is checked against MistTrack to identify addresses associated with reported fraud.
Subject to MistTrack’s Privacy Policy.
No external reputation check is performed unless it is relevant to the QR type being scanned. A contact card scan, for example, triggers none of the above. Phone and SMS numbers are checked using on-device analysis only — no phone number is sent to any external service.
What Canary collects
As part of each scan, Canary sends an anonymous telemetry tick to our server, which is used to monitor transaction load for capacity planning and external API consumption. This data is used to maintain and improve our service.
This telemetry tick contains:
- A randomly generated device identifier (reset when you reinstall the app)
- The type of QR code scanned (URL, WiFi, contact, etc.)
- The risk level assigned to the scan (safe, verify, caution, unsafe, danger)
- Which Canary heuristic signals fired during analysis
- Whether an external reputation check was performed for a URL or crypto wallet
The telemetry tick contains no URL content, no QR code content, no personal information, and no information that could identify you. The device identifier is anonymous and not linked to your Apple ID, name, email, or any other identity.
Scan history
Canary stores your scan history locally on your device. This data never leaves your device and is not accessible to Mitch & Murray Holdings LLC or any third party. You can delete your scan history at any time from within the app.
Children’s privacy
Canary is not directed at children under 13. We do not knowingly collect any information from children.
Changes to this policy
If we make material changes to this policy, we will update the effective date above. Continued use of Canary after changes constitutes acceptance of the revised policy.
Contact
Questions about this policy: support@mitchandmurrayllc.com