1. Introduction
This Acceptable Use Policy ("AUP") governs your use of the CanaryGuard platform, including all canary token services, APIs, alert channels, and related infrastructure operated at canaryguard.app. By using CanaryGuard, you agree to comply with this policy. Violation of this AUP may result in immediate suspension or termination of your account.
2. Permitted Use
CanaryGuard is designed for legitimate cybersecurity monitoring. You may use the platform for the following purposes:
- Deploying canary tokens on systems, networks, and digital assets that you own or are expressly authorized to monitor.
- Legitimate security monitoring and breach detection within your organization or on behalf of clients under a written agreement.
- Authorized penetration testing where canary tokens are part of an agreed-upon scope of work.
- Academic security research conducted on infrastructure you control, in compliance with applicable laws and institutional policies.
- Incident response and forensic investigation on systems where you have lawful authority to operate.
3. Prohibited Use
The following activities are strictly prohibited on the CanaryGuard platform. This list is non-exhaustive; CanaryGuard reserves the right to determine whether any activity violates the spirit of this policy.
3.1 Harassment and Surveillance
- Using canary tokens to stalk, harass, or intimidate any individual.
- Tracking individuals without their knowledge or consent, including embedding tokens in personal communications to monitor a specific person's activity.
- Deploying tokens to surveil employees, partners, or any person in a manner that violates applicable privacy or labor laws.
3.2 Unauthorized Deployment
- Deploying canary tokens on systems, networks, or digital assets you do not own or are not authorized to monitor.
- Embedding tokens in content distributed to third parties without proper disclosure where required by law.
- Placing tokens in public spaces or shared resources with the intent to indiscriminately collect data on unsuspecting individuals.
3.3 Malicious Activities
- Using CanaryGuard tokens or infrastructure for phishing, social engineering, or pretexting attacks against unauthorized targets.
- Impersonating law enforcement, government agencies, or any other entity when deploying or referencing canary tokens.
- Creating tokens that contain, deliver, or link to malware, ransomware, or any malicious payload.
- Using canary tokens as a mechanism to exfiltrate sensitive data from systems.
- Abusing the callback infrastructure (svccdns.com) to perform denial-of-service attacks or to generate excessive alert traffic intended to disrupt CanaryGuard services or third-party systems.
3.4 Platform Abuse
- Circumventing plan limits, usage limits, or other technical controls through any means.
- Reselling or redistributing CanaryGuard services without written authorization.
- Reverse-engineering, scraping, or attempting to extract proprietary logic from the CanaryGuard platform or APIs.
- Using automated tools to create accounts in bulk or to abuse free-tier allocations.
4. Token Deployment Rules
When deploying any of the supported token types (HTTP/URL, DNS, Web Image, Email pixel, Word DOCX, PDF, or QR Code), you must adhere to the following rules:
- You may only deploy tokens on systems and networks where you have documented authorization to perform security monitoring.
- If deploying tokens on behalf of a client, you must have a written agreement that explicitly authorizes the use of canary tokens.
- Tokens embedded in documents (DOCX, PDF) must not be distributed to parties outside the authorized monitoring scope.
- QR code tokens placed in physical locations must be on premises you own or control.
- Email pixel tokens may only be embedded in communications where you are an authorized party or have explicit consent from the sender.
5. Alert Data Handling
When a canary token is triggered, CanaryGuard collects alert data that may include the IP address, approximate geolocation, user agent, and timestamp of the triggering event. You are responsible for handling this data in compliance with all applicable laws and regulations, including but not limited to:
- The General Data Protection Regulation (GDPR) for data subjects in the European Economic Area.
- The California Consumer Privacy Act (CCPA) and similar US state privacy laws.
- Any applicable sector-specific regulations (e.g., HIPAA, PCI-DSS) that may govern how you process or store alert data.
- Local data protection and privacy laws in any jurisdiction where your tokens may be triggered.
6. Alert Channel Responsibilities
CanaryGuard supports delivery of alerts via Slack, Discord, and custom webhooks (with HMAC signature verification). You are responsible for:
- Securing the endpoints that receive alert data from CanaryGuard.
- Ensuring that alert data delivered to third-party platforms (Slack, Discord) is handled in accordance with those platforms' terms of service and applicable data protection laws.
- Validating HMAC signatures on webhook payloads to prevent spoofed alerts from being acted upon.
- Restricting access to alert channels to authorized personnel only.
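The HMAC check in the list above is the one control a receiving endpoint can enforce on its own, so here is a worked verifier for it. This is an added example, not CanaryGuard's code, and it assumes details the policy does not state: that the shared secret signs the raw request body with HMAC-SHA256 and that the hex digest arrives in a header, named here "X-Canary-Signature" as a placeholder. The alert payload and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption (not from the policy): the signature header name. Use whatever the
# platform documents; the verification logic does not depend on the name.
SIGNATURE_HEADER = "X-Canary-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the raw request body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the presented signature matches the raw body.

    The comparison is done with hmac.compare_digest so that a forged
    signature cannot be guessed byte-by-byte through timing differences.
    Header names are matched case-insensitively because HTTP headers are.
    """
    presented = ""
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            presented = value
            break
    if not presented:
        return False  # unsigned requests are never trusted
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented)


def handle_alert(secret: bytes, headers: dict, body: bytes):
    """Parse the alert only after the signature has been verified.

    Verification runs over the raw bytes, before json.loads, so that the
    receiver never acts on (or even parses) a payload it cannot attribute
    to the platform. Returns the parsed alert, or None if rejected.
    """
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)


# Constructed sample material for the demonstration (not real values).
SHARED_SECRET = b"example-shared-secret-not-a-real-key"
SAMPLE_ALERT = json.dumps(
    {
        "token_id": "tok_example_0001",
        "token_type": "HTTP/URL",
        "source_ip": "203.0.113.7",
        "user_agent": "curl/8.0",
        "timestamp": "2024-01-01T00:00:00Z",
    },
    separators=(",", ":"),
    sort_keys=True,
).encode()


def demo() -> dict:
    """Exercise the verifier with a genuine, a tampered, and an unsigned request."""
    good_headers = {SIGNATURE_HEADER: sign_payload(SHARED_SECRET, SAMPLE_ALERT)}
    tampered_body = SAMPLE_ALERT.replace(b"203.0.113.7", b"198.51.100.9")
    return {
        "genuine_accepted": handle_alert(SHARED_SECRET, good_headers, SAMPLE_ALERT) is not None,
        "tampered_rejected": handle_alert(SHARED_SECRET, good_headers, tampered_body) is None,
        "unsigned_rejected": handle_alert(SHARED_SECRET, {}, SAMPLE_ALERT) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The two design points worth carrying into a real receiver are that the check runs over the exact bytes received (re-serialising parsed JSON would change whitespace and key order and break the signature) and that the comparison is constant-time. A receiver that skips either one can be fed fabricated alerts, which is the spoofing risk the policy asks you to guard against.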
7. API Usage
Use of the CanaryGuard REST API (v1) is subject to this AUP and any applicable usage policies. API keys (prefixed with cg_live_) must be kept confidential and must not be embedded in client-side code, public repositories, or shared with unauthorized parties.
8. Reporting Abuse
If you become aware of any misuse of the CanaryGuard platform, or if you believe canary tokens are being used against you without authorization, please report it immediately:
Please include as much detail as possible, including token URLs, alert evidence, and any relevant context about the suspected misuse.
9. Consequences of Violation
CanaryGuard takes violations of this AUP seriously. Depending on the severity and nature of the violation, we may take one or more of the following actions:
- Issuing a formal warning with a requirement to remediate the violation within a specified timeframe.
- Temporarily suspending your account and disabling all active tokens pending investigation.
- Permanently terminating your account and deleting all associated tokens and data.
- Reporting the activity to relevant law enforcement authorities where we believe illegal activity has occurred.
- Cooperating with law enforcement investigations, including providing account information and logs as required by valid legal process.
- Pursuing civil remedies for damages caused by the violation.
10. Changes to This Policy
We may update this Acceptable Use Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect. Continued use of the platform after changes become effective constitutes acceptance of the revised policy.
11. Contact
For questions about this Acceptable Use Policy, contact us at support@canaryguard.app.