Privacy Policy
DRAFT — Requires legal review before publication.
Last updated: 2026-07-07 | Status: Pre-launch draft
In plain language
Here's the short version, in everyday words. The full policy below is the legally binding part.
- What we collect: your account details as a business owner (name, email, business info), and — for your end customers — their name, email, phone, and booking history. We use it to run your website, take bookings, and send appointment texts.
- Card numbers: we never see or store them. Stripe handles all card data. Card numbers never touch Canopy's servers.
- Text messages: we send booking confirmations, reminders, and receipts by SMS through Twilio. Your customers can reply STOP to opt out at any time.
- Who else touches the data: a small set of trusted vendors — Supabase (database), Stripe (payments), Twilio (texts), and Vercel (hosting). We don't sell your data to anyone.
- Deletion: you can ask us to delete your data by emailing privacy@getcanopy.run. Some payment records must be kept for tax law, but they're anonymized so they can't identify anyone.
- Contact: questions about privacy? Email privacy@getcanopy.run.
1. Who We Are
This Privacy Policy explains how Canopy ("Canopy," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the Canopy platform — our marketing website, admin dashboard, the business websites and booking systems we build and host, and related services (collectively, the "Platform").
This policy covers two groups of people:
- Business Owners — our direct customers, who sign up for a Canopy account to get a website and booking system for their local business.
- End Customers — the customers of those businesses, who book appointments and receive notifications through a Canopy-built website.
For your end customers' personal data, you (the Business Owner) are the data controller and Canopy acts as your data processor. For your own business-owner account data, Canopy is the data controller.
2. Information We Collect
2.1 Business Owner Account Data
When you create an account and set up your business, we collect:
- Your name, email address, and password (passwords are stored only as a secure hash, never in plain text).
- Your business name, address, and phone number.
- Business configuration you provide during onboarding: services, staff, hours, branding, booking rules, and no-show fees.
- References to your Stripe accounts (identifiers only — see Section 4).
2.2 End Customer Data
When an end customer books through a Canopy-built website, we collect on the Business Owner's behalf:
- Name, email address, and phone number.
- Booking history: appointment dates, services, assigned staff, and status.
- SMS opt-out status.
2.3 Payment Information
Canopy stores only reference identifiers and payment amounts — never raw financial data. We do not collect or store credit or debit card numbers, CVV codes, expiration dates, bank account numbers, SSNs, EINs, or identity-verification documents. Card entry is handled entirely by Stripe's hosted fields; card data never passes through Canopy's servers. See Section 4.
2.4 Technical and Session Data
To keep you logged in and to operate and secure the Platform, we process:
- Session cookies and tokens that authenticate your login.
- Basic request metadata such as IP address, used for rate limiting and security logging.
- Delivery status of the SMS messages we send.
We do not use third-party advertising or cross-site tracking cookies. (A cookie-consent banner is out of scope for this release.)
3. How We Use Information
We use the information above to:
- Build, host, and operate your business website and booking system.
- Take bookings and process payments through Stripe.
- Send transactional SMS notifications (see Section 5).
- Provide your admin dashboard, reporting, and account management.
- Keep the Platform secure — rate limiting, fraud prevention, and audit logging.
- Meet our legal, tax, and record-keeping obligations.
We do not sell personal information, and we do not use end-customer data for any purpose other than providing the Platform to the Business Owner.
4. Payments and Card Data
Canopy uses Stripe to process two separate money flows: Business Owner subscriptions (Stripe Billing) and end-customer booking payments (Stripe Connect). In both cases:
- Card numbers and other raw financial data are collected and stored exclusively by Stripe through Stripe's hosted card fields. They never touch Canopy's systems.
- Canopy stores only Stripe reference identifiers (such as customer, subscription, and payment-intent IDs) and payment amounts, for reporting and audit.
- Stripe independently retains payment records, payout data, and — for Business Owners who onboard to Stripe Connect — identity-verification (KYC) data, under Stripe's own privacy policy and retention schedule.
Because card entry is handled entirely by Stripe's hosted fields, Canopy's PCI DSS scope is limited to SAQ A. Stripe's handling of your data is governed by Stripe's Privacy Policy.
5. SMS Notifications
We send automated, transactional SMS messages to end customers through Twilio for: booking confirmations, 24-hour reminders, cancellation confirmations, no-show charge notices, and payment receipts.
These are service messages tied to a booking — not marketing. End customers can opt out at any time by replying STOP; we honor opt-outs and stop sending. We retain SMS delivery logs for a limited period (currently about 90 days) for delivery tracking and debugging.
6. Cookies and Sessions
Canopy uses cookies and similar technologies only for essential functions:
- Authentication — keeping Business Owners and end customers logged in securely.
- Security — protecting against abuse and verifying requests.
We do not use advertising, analytics-profiling, or cross-site tracking cookies on the Platform.
7. Who We Share Data With (Subprocessors)
We share personal information only with the service providers we rely on to run the Platform. Each is bound by contract to protect the data and use it only to provide services to us.
| Subprocessor | Purpose | What They Handle |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, end-customer records, bookings, uploaded assets |
| Stripe | Payment processing | Card data (held by Stripe), payment records, KYC for Connect |
| Twilio | SMS delivery | Phone numbers and message content for booking notifications |
| Vercel | Application hosting | Serves the Platform; processes request metadata in transit |
We do not sell personal information to any third party. We may disclose information if required by law, to enforce our Terms, or to protect the rights, safety, and security of our users and the Platform.
8. Data Retention
We keep personal data only as long as needed to provide the Platform and meet legal obligations:
- Account and operational data — retained until the account is deleted or a valid deletion request is fulfilled.
- SMS delivery logs — approximately 90 days.
- Payment records — retained (in anonymized form after a deletion request) for 7 years, to satisfy IRS and tax record-keeping requirements. Anonymized records cannot be used to identify an individual.
9. Your Rights and Choices
Depending on where you live, you may have rights to access, correct, or delete your personal data, including under the EU GDPR (Right to Erasure, Art. 17) and the California CCPA (Right to Delete). We apply the same process to all deletion requests regardless of the stated legal basis.
- Business Owners may request access, correction, or deletion by emailing privacy@getcanopy.run.
- End Customers should contact the Business Owner they booked with; the Business Owner submits the request to us. End customers may also email privacy@getcanopy.run, and we will route the request through the Business Owner to confirm before acting.
We acknowledge deletion requests within 5 business days and aim to complete them within 30 days. Our full deletion process — including what is deleted, what is anonymized, and what must be retained — is described in our internal deletion runbook and summarized in Section 8.
Note that Stripe maintains independent records of payment transactions for its own legal obligations. To request access to or deletion of data Stripe holds, contact Stripe directly at stripe.com/privacy.
10. Data Security
We protect personal data with industry-standard measures, including encryption in transit, hashed passwords, row-level security in our database, verified payment webhooks, and audit logging of security-relevant events. No system is perfectly secure, but we work to protect your information and to limit what we collect and store in the first place.
11. Children's Privacy
The Platform is intended for business owners and their adult customers. It is not directed to children, and we do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction).
12. International Users
The Platform is operated from and hosted in the United States and is currently intended for US-based businesses. If you access the Platform from outside the United States, your information will be processed in the United States.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify Business Owners at their registered email address. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
Questions, concerns, or requests about your privacy? Contact us at:
Canopy Privacy Team Email: privacy@getcanopy.run
For general support, email support@getcanopy.run.
Legal review checklist (before publication):
- [ ] Confirm subprocessor list is complete and current (Supabase, Stripe, Twilio, Vercel)
- [ ] Confirm CCPA "Do Not Sell" and notice-at-collection requirements are satisfied
- [ ] Confirm GDPR lawful basis and processor/controller framing for end-customer data
- [ ] Confirm retention periods match the deletion runbook (docs/legal/gdpr-ccpa-deletion-process.md)
- [ ] Confirm the registered business entity name and physical/contact address to publish
- [ ] Decide whether a cookie-consent mechanism is needed for any target market