Privacy Policy

1. Introduction

This Privacy Policy explains how CANOPY Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the CANOPY mobile application and web platform (the "Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

CANOPY Ltd is the data controller for personal data processed through the Service. You can contact us at support@thecanopyapp.com.

3. What Data We Collect

3.1 Account Data

When you create an account, we collect:

Full name
Email address
Password (stored hashed; never accessible to us in plaintext)
Company name and business details
Role within your organisation (owner or staff)

3.2 Business Data

In the course of using the Service, you may input:

Client names, addresses, email addresses, and phone numbers
Job details, schedules, and visit records
Staff names, pay rates, and team assignments
Financial information including invoices, quotes, and payment records
Photographs (before/after job photos)
Materials and supplier information

3.3 Technical Data

We automatically collect:

Device type and operating system
IP address
App version
Error logs and crash reports (via Sentry)
Usage patterns and feature interactions

3.4 Payment Data

Payment processing is handled by Stripe. We do not store your full credit card details on our servers. Stripe's privacy policy applies to payment data: stripe.com/privacy.

4. How We Use Your Data

Purpose	Legal Basis (UK GDPR)
Providing and maintaining the Service	Performance of contract (Art. 6(1)(b))
Processing subscription payments	Performance of contract (Art. 6(1)(b))
Sending service-related communications	Performance of contract (Art. 6(1)(b))
AI-generated tax tips and business insights (anonymised summaries only)	Performance of contract (Art. 6(1)(b))
Error monitoring and crash reporting	Legitimate interest (Art. 6(1)(f))
Improving the Service and developing new features	Legitimate interest (Art. 6(1)(f))
Complying with legal obligations (HMRC, ICO)	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a))

5. Data Sharing — Sub-processors

We do not sell your personal data. We share data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) and processing data on our behalf for the specific purpose listed:

SupabaseDatabase, authentication, file storage · EU (Ireland)

StripeSubscription billing · EU/US

NetlifyWebsite hosting · EU primary

ResendTransactional email · EU

GoDaddyDomain & email forwarding · US

SentryCrash & error monitoring · EU residency

Anthropic (Claude API)AI tax tips & insights — anonymised financial summaries only, no client names · US

Apple (App Store)iOS app distribution · US/Global

For full sub-processor details including DPA links and data categories, see our Sub-processors page. We will notify users via email and update that page at least 30 days before adding any new sub-processor that processes personal data.

We may also disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of our users or the public.

6. Data Storage and Security

Your data is primarily stored within the European Union. Sub-processors outside the EU (e.g. Anthropic, GoDaddy, Apple) operate under appropriate safeguards including Standard Contractual Clauses approved by the UK Information Commissioner's Office. We implement:

Encryption of data in transit (TLS/SSL) and at rest
Row-level security ensuring strict data isolation between companies
Role-based access controls within the application
Regular security reviews and updates
Secure password hashing (bcrypt)

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Retention varies by data type:

Account data: retained for the lifetime of your subscription, then deleted within 30 days of cancellation (subject to legal carve-outs below)
Financial & tax records (invoices, receipts, expense records, schedule data with financial impact, quotes, projects): retained for at least 6 years from the end of the relevant tax year, as required by HMRC under section 12B of the Taxes Management Act 1970. This legal obligation overrides individual erasure requests for these specific records, in accordance with UK GDPR Article 17(3)(b).
Job data (visit notes, photos, operational records): retained for 3 years from last activity, then deleted
Support conversations: 2 years from last interaction
Operational backups: 30-day rolling cycle
Anonymised analytics: may be retained indefinitely
Server logs: 90 days

For full details, see our Data Retention Policy.

8. Your Rights

Under UK GDPR, you have the following rights:

Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your data, subject to the financial-records retention requirement above
Right to restrict processing — request we limit how we use your data
Right to data portability — request your data in a machine-readable format (CSV export available in-app)
Right to object — object to processing based on legitimate interest
Right to withdraw consent — withdraw consent for marketing communications at any time

To exercise any of these rights, contact us at support@thecanopyapp.com. We will respond within 30 days.

9. Cookies

The CANOPY web platform currently uses zero cookies — no analytics, marketing, or functional cookies. The mobile application does not use cookies. If we add non-essential cookies in future, we will display a consent banner before any are set. See our Cookie Policy for details.

10. Children's Privacy

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. International Transfers

Your data is primarily processed and stored within the European Economic Area (EEA). Where sub-processors operate outside the EEA (Anthropic, GoDaddy, Apple), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk · Telephone: 0303 123 1113

14. Contact Us

For any questions about this Privacy Policy or how we handle your data, contact support@thecanopyapp.com.