1. WHAT IS CANOPACT’S APPROACH TO PRIVACY?
We at Canopy Impact Limited ("Canopact", “we”, “us”, “our”) know that our users and customers (“you”, “your”) care about how your personal data is used and shared and we take your privacy seriously. We are focused on protecting your personal data and doing the right thing by you in terms of your privacy rights. For the purposes of the UK Data Protection Act 2018 (“UK-GDPR”) and General Data Protection Regulation (EU) 2016/679 (“EU-GDPR”), Canopact is the ‘controller’ and responsible for your personal data as part of using Canopact’s Website or Services (as defined below).
We process Personal Data when you are accessing or using our Website as a user of a Canopact customer (“Customer User”). Our Services are accessible to you after you have signed up or have logged on as a Customer User to your Canopact Account.
3. WHAT INFORMATION DOES CANOPACT COLLECT?
We gather Personal Data, (i) in connection with your access to our Website, (ii) if and to the extent it is necessary to provide our Services to you, and (iii) if we are entitled or obligated to process Personal Data under applicable law. Set out below in this Section 3 are the categories of Personal Data and other data that we use and the purposes for which we use them. The categories of companies or persons who may receive Personal Data are set out Section 5 below.
A. Information You Provide to Us:
Your Personal Data: We process Personal Data you actively and knowingly provide to us. For example, we collect Personal Data such as your name and email address if you sign up for a newsletter or you request a demo of our Services. If you sign up for our Services, some information is required to create a Canopact Account, such as your position at your company. If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features.
Your Company Data: We process basic data on your company which you actively and knowingly provide to us. For example, we collect your company name, sector, and number of employees (within a range) when you sign up to Canopact. If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features.
API Keys: In order to connect your Canopact account to a third-party software provider (e.g. Expensify) via an API, we will ask for you to input the API keys for your account with the relevant third-party provider. An API key is a simple encrypted string that identifies an application without any principal. Canopact doesn’t have the ability to view or use your API keys, but the API keys will be securely stored on our Website in order for the API connection to function effectively. If you choose not to provide us with an API key,you may not be able to take advantage of some of our features.
Travel & Expense Data: You may be using an email-based workflow in lieu of an API connection. If this is the case, we will ask for you to send travel booking confirmations and/ or expense receipts to email@example.com. We ensure that this data is securely processed on our email servers and is not sent to another email address or downloaded as a file. Our retention policy is to delete all travel booking confirmations and expense receipts within 7 days of them being received. If you choose not to send us this data, you may not be able to take advantage of some of our features.
Sensitive Data: We do not knowingly process information revealing political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (collectively, “Sensitive Information”).
B. Information Collected Automatically:
Technical Means: Whenever you interact with our Website or Services, we – or the service providers commissioned by and processing data on Canopact’s behalf – automatically process information on server logs by using so-called “browser cookies” or similar technical means. These technical means are either transferred to or communicate with your computer or mobile device to remember that you have registered and are logged in to your Canopact Account, or to recognize the browser or mobile device and tell us how and when pages on our Website are visited.
Log Data: When you visit the Website, whether as a Customer User or Individual User, our servers automatically record information about the browser or mobile app with which our Website is opened (“Log Data”). Log Data include your computer’s/mobile’s browser type, the requested webpage of our Website or feature of our Service, webpages visited before our Website, the time spent on those pages or features, subjects of searches on our Website and Services, access times and dates, and other related statistics. Analytics and Monitoring: We use this Log Data to monitor and analyse the use of the Website and the Services and for the Website’s technical administration, to increase our Website’s functionality and user-friendliness, and to better tailor it to our visitors’ needs.
C. Email and Other Communications:
We may contact you by email or by other means. For example, we may communicate with you about your use of the Website or Services. If you do not want to receive email or other communications from us, please indicate your preferences by following the instructions we provide to you in each of our emails to unsubscribe or opt-out of the relevant publication or updates. We may also contact you by email or by other means about new Canopact products or services, offers or other marketing initiatives if you have requested to receive this information from us and have not opted out of receiving this type of information.
Canopact will still send you notices as strictly required by applicable law regardless of whether you opt-out or unsubscribe from communications.
4. WHERE DO WE STORE YOUR PERSONAL DATA?
We process and store information (including Personal Data) about our customers in the United Kingdom. We may also transfer your information to other countries where our service providers operate facilities.
5. WILL CANOPACT SHARE ANY OF THE PERSONAL DATA IT RECEIVES?
We neither rent nor sell your Personal Data in personally identifiable form to anyone. However, we may share such Personal Data with third parties as described below.
A. Trusted Third Parties:
We may employ other companies and people to either perform tasks on our behalf or to provide specific features to you on your request. Unless we tell you otherwise, such third parties do not have any right to use the Personal Data we share with them beyond what is necessary to assist us. This includes third party companies and individuals employed by us to facilitate our Services, including the provision of maintenance services, sales and marketing applications, database management, web analytics and general improvement of the Services.
B. Protection of Canopact and Others:
C. With your Consent:
Except as set forth above, you will be notified when your Personal Data may be shared with third parties and will be able to object to the sharing of this information.
6. IS THE PERSONAL DATA SECURE?
Canopact takes appropriate and reasonable precautions to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction
Your Canopact Account is protected by a password for your privacy and security. However, you must prevent unauthorized access to your Canopact Account and Personal Data by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
The transmission of information via the Internet is never completely secure and we are only able to control our Website and Services, but not the connected communication system or systems you use for accessing the Website or Services (e.g. wifi). Accordingly, unauthorized entry or use, hardware or software failure, and other factors we can neither control nor foresee, may compromise the security of information transmitted over the internet at any time.
When we choose service providers, we assess their technical and organizational measures to ensure the protection of Personal Data. The same applies to other third parties to which we are allowed to transfer this information although these third parties are solely responsible for compliance with applicable laws.
7. DO WE PROCESS DATA OF CHILDREN?
Our Services are not directed to persons under the age of 16. We neither knowingly allow such persons to register for the Services on our Website nor knowingly collect Personal Data from children under 16. No one under age 16 may provide any Personal Data to us or on the Services.
If a parent or guardian becomes aware that his or her child has provided us with Personal Data without the parent’s consent, he or she should contact us at info@Canopact.com. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information from our files.
8. WHAT PERSONAL DATA CAN I ACCESS BY MYSELF?
You have the right to access your Personal Data at any time (see Section 9 regarding your rights). You can access and, in some cases, edit or delete the following information you’ve provided to us through your Canopact Account by yourself:
- name and password
- email address
- company name
- position in company
The information you can view, update, and delete may change as the Website changes. If you have any questions about viewing or updating information we have on file about you, please contact us at info@Canopact.com.
Regarding your further rights concerning your Personal Data, please see below Section 9.
9. WHAT RIGHTS DO I HAVE?
In relation to your Personal Data, you always have the following rights to the extent available under applicable law:
- Right to get transparent information about processing of your Personal Data;
- Right to get access to your Personal Data;
- Right to rectify inaccurate Personal Data concerning you and to get information about any rectification;
- Right to erase Personal Data concerning you and to get information about any erasure;
- Right to restrict processing of Personal Data concerning you and to get information about any restriction;
- Right to receive Personal Data you provided to us and which concerns you and transmit this received Personal information to another provider;
- Right to object any data processing that is based on our legitimate interest;
- Right not to be subject of a decision solely based on automated processing including profiling.
You may be able to add, update, or delete information via your Canopact Account or the Services. However, when you update information, we may maintain a copy of the original information in our records (to the extent permitted by applicable law).
We will retain your information for as long as your Canopact Account is active or as reasonably necessary to provide you with the Services. You may request deletion of your Canopact Account by contacting us at info@Canopact.com. Please note that some information may remain in our private records after your deletion of such information from your account (only if and to the extent permitted by applicable law). We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may use any aggregated and anonymized data derived from or incorporating your Personal Data after you update or delete it, but not in a manner that would identify you personally.
If you demand the erasure or object to any data processing please keep in mind that some Personal Data may be needed to register with us or to take advantage of some of our Services.
In some cases, we may technically not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
11. CANOPACT’S ONGOING COMMITMENT TO PRIVACY
12. CONCERNS AND RESOLUTION
We will make every effort to resolve your concerns fully and in a timely manner. In Europe, you can approach any supervisory authority that is competent under the General Data Protection Regulation. If you are resident in the EEA and the United Kingdom, the contact details for data protection authorities are available here. If you are resident in Switzerland, the contact details for the data protection authorities are available here. In the U.S., the regulatory agency with the authority to investigate and resolve claims should you consider our practices to be unfair or deceptive is the United States Federal Trade Commission. However, we encourage you to contact us first at info@Canopact.com, and then we will do our very best to resolve your concern.
Canopy Impact Limited is a registered company in England and Wales (Company number: 12660375).Last updated September 19th 2021