Back to home
We do not sell your data to any third party.
To report a security vulnerability: security@canopy.pm
the canopy corporation
Privacy Policy
Last updated: 14 June 2026
We believe in minimal data collection, EU-first data residency, and full transparency. This policy covers all services operated by the canopy corporation.
1. Who we are
This Privacy Policy describes how the canopy corporation ("Canopy", "we", "us") collects, uses, and protects personal data in connection with the Canopy Platform, Cortex, Symphony, and any associated services (collectively, "Services").
Contact for privacy matters: privacy@canopy.pm
Contact for privacy matters: privacy@canopy.pm
2. Data we collect
- Account data: email address and hashed password when you sign up.
- Organisation data: your organisation or project name and the API keys you create.
- Usage data: request counts, token usage, ingestion job status, and error logs.
- Documents & training data: content you upload into knowledge bases or training datasets. Processed solely to provide the service; not used to train shared models.
- Conversation history: messages exchanged with assistants you configure.
- Billing data: handled by Stripe. We receive subscription status and invoice metadata only.
- Analytics: anonymised page-view data via self-hosted Plausible Analytics. No cookies, no cross-site tracking.
3. How we use your data
- To authenticate you and provide access to the Services.
- To process billing and enforce plan limits through Stripe.
- To send transactional emails (password reset, billing receipts, service notices). No marketing emails without explicit opt-in.
- To detect abuse, enforce rate limits, and maintain platform security.
- To monitor aggregate usage trends and improve the Services.
4. Data retention
We retain your personal data for as long as your account is active. On account deletion:
- Personal account data and uploaded content are purged within 30 days.
- Billing records are retained for 7 years where required by tax law.
- Anonymised aggregate usage statistics may be retained indefinitely.
5. Sub-processors
- Stripe — payment processing (EU Standard Contractual Clauses apply)
- Supabase / Postgres — managed database hosting (EU region by default)
- Hetzner — server infrastructure (EU data centres)
- External inference providers (Anthropic, OpenAI, etc.) — only if you configure your assistant to use an external provider.
We do not sell your data to any third party.
6. Your rights (GDPR)
If you are in the EEA, UK, or Switzerland, you have the right to:
Email privacy@canopy.pm and we will respond within 30 days.
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Export your data in a portable format (available from the dashboard).
- Object to processing or withdraw consent at any time.
Email privacy@canopy.pm and we will respond within 30 days.
7. Data residency
By default, all data is stored in EU-based infrastructure (Hetzner, EU Supabase region). Customers requiring US or APAC data residency should contact us at hi@canopy.pm before signing up.
8. Security
- Passwords are hashed with PBKDF2-SHA256 (600,000 iterations).
- Data in transit is encrypted via TLS 1.2+.
- Provider API keys and secrets are encrypted at rest before storage.
- Customer resources are isolated at the project level.
- We follow OWASP security guidelines and conduct periodic security reviews.
To report a security vulnerability: security@canopy.pm
9. Cookies
The Cortex dashboard and Canopy Platform use only functional session cookies (for authentication). We do not use advertising cookies or third-party tracking cookies. Our analytics (Plausible) are cookieless.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated at least 30 days in advance by email or in-app notification. The current version is always available at canopy.pm/privacy.
11. Contact
Privacy enquiries: privacy@canopy.pm
Data export / deletion requests: privacy@canopy.pm
General: hi@canopy.pm
Data export / deletion requests: privacy@canopy.pm
General: hi@canopy.pm