canary.audio

Privacy Policy

Last updated: 30 April 2026.

canary.audio is an open archive of domesticated canary song recordings. It is operated by Floor van den Berghe, reachable at [email protected].

1. What we collect

Account and device data.

When you create an account we store your email address, display name, and a bcrypt-hashed password. Your email is used only to identify your account and is never shared with third parties or used for marketing.

Each recording device is registered with a name and an authentication token. The raw token is shown to you exactly once and is never stored; only a SHA-256 hash is kept. Device heartbeat data (disk usage, recording counts) is collected for operational monitoring.

2. Recording data

Audio files, metadata, and location.

Uploaded recordings consist of an audio file (WAV), a spectrogram image (PNG), and a metadata sidecar that includes the recording timestamp, duration, and signal characteristics. If your device has environmental sensors, temperature, humidity, and similar readings may also be attached.

Your recording station may be associated with a geographic location. Precise GPS coordinates are stored privately and are only visible to you. Public-facing metadata displays city and country only — exact coordinates are never published.

Standard server access logs (IP address, user agent, request path) are retained for operational and security purposes and are not shared.

3. How recordings are published

Open data, permanently.

All recordings you upload are released under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0). This means anyone may use, copy, adapt, and redistribute them for non-commercial purposes, as long as appropriate credit is given.

Recordings appear publicly in the archive alongside your display name, the recording date, and the city and country of origin.

Recordings are permanent. Once a recording is uploaded and published it becomes part of the public archive and cannot be removed. If you delete your account, your account credentials (email, password) are deleted, but your recordings remain in the archive attributed to your former display name. By uploading you acknowledge and agree to this.

4. Your responsibilities

You are responsible for what you record and upload.

You must only upload recordings that:

  • Were made in a location where you have the legal right to record audio.
  • Do not contain identifiable human speech or other private communications of third parties without their explicit consent.
  • You own or have the rights to contribute under CC BY-NC 4.0.

Recording laws differ by country and region — some require the consent of all parties who can be heard. You are solely responsible for ensuring your recording setup and uploads comply with the applicable laws in your jurisdiction. canary.audio does not verify the content of uploads and accepts no liability for recordings that violate third-party rights or local law.

5. Data retention

What is kept and what is deleted.

  • Account deletion: email, password hash, and display name are permanently deleted. Recordings remain in the archive as described above.
  • Device deletion: the device record and its hashed token are deleted. Recordings previously uploaded from that device are not affected.
  • Recordings: retained indefinitely as part of the open archive.

6. Third-party services

Infrastructure we rely on.

Audio files, spectrograms, and metadata are stored on Cloudflare R2 (Cloudflare, Inc., USA). Files are served via short-lived signed URLs. We do not use third-party advertising, behavioural analytics, or tracking scripts.

7. Your rights (GDPR)

Rights for users in the European Economic Area.

If you are based in the EEA you have the right to access, correct, and delete the personal data we hold about you; to receive a portable copy of your data; and to object to or restrict processing in certain circumstances. Note that the right to erasure applies to account data — recordings that have been published under CC BY-NC 4.0 remain part of the public archive.

To exercise these rights, contact [email protected].

8. Security

How we protect your data.

Passwords are hashed with bcrypt (cost factor 12). Device authentication tokens are stored as SHA-256 hashes; the raw token is shown once and never stored. Sessions use httpOnly, SameSite=Strict cookies over HTTPS. Registration is gated by an invitation code.

9. Changes

Policy updates.

We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of the service after a change constitutes acceptance of the updated policy.

10. Contact

Questions and requests.

Floor van den Berghe — [email protected]