Privacy Policy

Last updated: May 29, 2026

This Privacy Policy explains how Canopy Tech LLC(“Canopy,” “we,” “us”) collects, uses, shares, and protects information in connection with the Canopy customer-feedback platform, our websites, and related services (collectively, the “Service”). It applies to our business customers (“Workspaces”), their authorized users, and the end-customers those Workspaces survey through Canopy. Capitalized terms not defined here have the meaning given in our Terms of Service.

1. Scope & our role

Canopy provides a hosted platform that lets service businesses send short feedback surveys to their customers (by email and SMS) and review the responses. Our privacy responsibilities differ by data type:

Controllerfor the operational data of your Canopy account — the names, emails, and settings of the people who administer a Workspace.
Processorfor the end-customer data a Workspace sends us to run surveys (customer names, emails, phone numbers, survey responses). The Workspace is the controller of that data and decides why it is collected; we process it only on the Workspace's instructions to deliver the Service.

If you are an end-customer who received a survey and have a privacy request, contact the business that surveyed you (they control your data), or reach us at support@canopytech.io and we will route it to them.

2. Information we collect

A. Information you provide directly

Account data: name, email, password (stored only as a hash), role, and workspace details (name, industry, locations) supplied during sign-up and onboarding.
Billing data: billing email and a Stripe customer ID. Card numbers and CVCs are entered directly with Stripe and never reach our servers.
Support data: the contents of support requests you send us.

B. Information collected automatically

Usage + device data: IP address, user agent, and timestamps recorded in our audit logs for security and debugging.
Cookies: a small set of strictly-necessary and functional cookies (see Section 5 and our Cookie Policy). We do not use advertising or cross-site tracking cookies.

C. Information from integrations

When a Workspace connects a CRM (HubSpot, Pipedrive, Salesforce), we receive OAuth access + refresh tokens (stored encrypted) and the event + contact data needed to trigger and address surveys.

D. End-customer data a Workspace sends us

To deliver surveys we process customer names, email addresses, phone numbers, order/event metadata, survey scores, and free-text comments. A Workspace supplies this via CRM events or direct webhooks. We act as a processor for this data (Section 1).

3. How we use information

Provide the Service: send surveys, collect responses, surface alerts, render dashboards and reports.
Apply AI categorization to free-text comments (sentiment / hidden-detractor detection) for workspaces on the Plus tier and above. Comments from Starter-tier workspaces are not sent to our AI provider. Our model provider is Anthropic; we do not train models on your data.
Send transactional + service messages (account confirmation, password reset, billing receipts, survey delivery).
Maintain security, prevent abuse, debug, and keep an audit trail.
Comply with legal obligations and enforce our agreements.

We do not sell personal information and we do not use it for third-party advertising. See our Do Not Sell or Share notice.

We share information only with service providers (“subprocessors”) who help us operate the Service, and only for that purpose. Each is contractually bound to handle data on our instruction. Current subprocessors:

Supabase — database, authentication, file storage (US)
Vercel — application hosting, edge compute (US)
Resend — transactional + survey email delivery (US)
Twilio — SMS delivery and inbound reply routing (US)
Upstash — rate-limit + cache state (US)
Anthropic — AI categorization of customer comments (US)
Stripe — payment processing (US)
The CRM provider(s) a Workspace chooses to connect (HubSpot / Pipedrive / Salesforce), only on OAuth connect

We may also disclose information to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice to affected Workspaces).

5. Cookies & tracking

We use only strictly-necessary and functional cookies (session authentication and interface preferences). We do not run analytics, marketing, or advertising cookies, and we do not engage in cross-site tracking. Because every cookie we set is essential or functional, we do not display a consent banner. Full detail is in our Cookie Policy.

Full SMS messaging terms, frequency, opt-out keywords (HELP / STOP / etc.), data-rates disclosure, and consent-collection requirements live on a dedicated page: SMS Messaging Terms. That page is incorporated into this Privacy Policy by reference.

7. Data retention

We retain customer responses and audit logs for the life of the Workspace, plus 30 days after deletion for short-window restoration; backups roll off within 90 days. Email-event records (delivered / bounced / unsubscribed) are kept for 12 months. SMS opt-out records are retained indefinitely to honor opt-outs permanently. Payment records are kept for 7 years per tax-law requirements. Survey response links expire 14 days after dispatch.

8. Security

We protect data with measures including: TLS/HTTPS in transit with HSTS; AES-256-GCM encryption at rest for OAuth tokens and webhook signing secrets; row-level security isolating each Workspace's data; signature verification on inbound webhooks; rate limiting on authentication and ingest endpoints; and audit logging of sensitive actions. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

9. Your rights & choices

Subject to applicable law, you may ask us to access, export, correct, restrict, or delete your personal information. Delete your Workspace from Settings → Profile → Delete Account, or email support@canopytech.io. We honor verifiable requests within 30 days (extendable once where permitted). For end-customer data, requests are directed to the controlling Workspace; we assist as processor.

10. Region-specific disclosures

California (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioral advertising. California residents may exercise rights to know, delete, correct, and limit use of sensitive information, and will not be discriminated against for doing so. See our Do Not Sell or Share notice and Section 9.

EU / UK (GDPR)

Where the GDPR or UK GDPR applies, our legal bases for processing are: performance of a contract (providing the Service), legitimate interests (security, product operation), consent (where required, e.g. certain messaging), and legal obligation. EU/UK data subjects have rights of access, rectification, erasure, restriction, portability, and objection. For end-customer data we act as processor under the Workspace's instructions. A formal Data Processing Addendum is available to Workspaces on request.

11. International data transfers

Canopy and its subprocessors are based in the United States; data is stored and processed in the US. If you access the Service from outside the US, you understand your information will be transferred to and processed in the US. Where required for transfers from the EU/UK, we rely on appropriate safeguards such as the Standard Contractual Clauses.

12. Children's privacy

Canopy is a business product not directed at children under 16, and account holders must be at least 18. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.

13. Changes to this policy

We will post material changes here and notify active Workspaces by email at least 14 days before they take effect. The “Last updated” date at the top reflects the latest revision.

14. Contact us

Questions or requests: support@canopytech.io. Mailing address available on request.