Privacy Policy

Last updated: 22 March 2026

1. Introduction

This Privacy Policy explains how Mini Acres Garden Co trading as Canopy ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Canopy mobile application and web platform ("Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Mini Acres Garden Co trading as Canopy is the data controller for the personal data processed through the Service. You can contact us at: [email protected]

3. What Data We Collect

3.1 Account Data

When you create an account, we collect:

Full name
Email address
Password (stored encrypted)
Company name and business details
Role within your organisation (owner or staff)

3.2 Business Data

In the course of using the Service, you may input:

Client names, addresses, email addresses, and phone numbers
Job details, schedules, and visit records
Staff names, pay rates, and team assignments
Financial information including invoices, quotes, and payment records
Photographs (before/after job photos)
Materials and supplier information

3.3 Technical Data

We automatically collect:

Device type and operating system
IP address
App version
Error logs and crash reports (via Sentry)
Usage patterns and feature interactions

3.4 Payment Data

Payment processing is handled by Stripe. We do not store your full credit card details on our servers. Stripe's privacy policy applies to payment data: stripe.com/privacy.

4. How We Use Your Data

Purpose	Legal Basis (UK GDPR)
Providing and maintaining the Service	Performance of contract (Art. 6(1)(b))
Processing subscription payments	Performance of contract (Art. 6(1)(b))
Sending service-related communications	Performance of contract (Art. 6(1)(b))
Error monitoring and crash reporting	Legitimate interest (Art. 6(1)(f))
Improving the Service and developing new features	Legitimate interest (Art. 6(1)(f))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))
Marketing communications (with consent)	Consent (Art. 6(1)(a))

5. Data Sharing

We do not sell your personal data. We share data only with the following categories of service providers, who process data on our behalf:

Supabase — Database hosting and authentication (data stored in EU)
Stripe — Payment processing
Sentry — Error tracking and crash reporting (data stored in EU)
Netlify — Website hosting

We may also disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of our users or the public.

6. Data Storage and Security

Your data is stored on servers located within the European Union. We implement appropriate security measures including:

Encryption of data in transit (TLS/SSL) and at rest
Row-level security ensuring strict data isolation between companies
Role-based access controls within the application
Regular security reviews and updates
Secure password hashing

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you cancel your subscription or delete your account:

Your data will be retained for 30 days to allow for reactivation
After 30 days, your data will be permanently deleted from our systems
We may retain anonymised, aggregated data for analytical purposes
Financial records may be retained for up to 7 years as required by UK tax law

8. Your Rights

Under UK GDPR, you have the following rights:

Right of access — Request a copy of the personal data we hold about you
Right to rectification — Request correction of inaccurate data
Right to erasure — Request deletion of your data ("right to be forgotten")
Right to restrict processing — Request we limit how we use your data
Right to data portability — Request your data in a machine-readable format (CSV export)
Right to object — Object to processing based on legitimate interest
Right to withdraw consent — Withdraw consent for marketing communications at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

The Canopy web platform uses essential cookies required for authentication and session management. We do not use third-party advertising or tracking cookies. The mobile application does not use cookies.

10. Children's Privacy

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. International Transfers

Your data is processed and stored within the European Economic Area (EEA). If we need to transfer data outside the EEA in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113

14. Contact Us

For any questions about this Privacy P