Privacy Policy

This privacy policy discloses the privacy practices for


We at Canopy Impact Limited ("Canopact", “we”, “us”, “our”) know that our users and customers (“you”, “your”) care about how your personal data is used and shared and we take your privacy seriously. We are focused on protecting your personal data and doing the right thing by you in terms of your privacy rights. For the purposes of the UK Data Protection Act 2018 (“UK-GDPR”) and General Data Protection Regulation (EU) 2016/679 (“EU-GDPR”), Canopact is the ‘controller’ and responsible for your personal data as part of using Canopact’s Website or Services (as defined below).


This Privacy Policy supplements our Terms of Use and sets out how we collect, process, disclose or otherwise use Personal Data in connection with our website ("Website") and the various products and services provided by Canopact (“Services”). Our Privacy Policy may also apply to the processing of your Personal Data in connection with Canopact’s marketing and publicity activities. This policy does not apply to the practices and processing of our customers, to companies that we do not own or control, to individuals that we do not employ or manage, to services provided by other companies but accessible through our Website and/or Services.

“Personal Data” as used in this Privacy Policy has the meaning given to it in the GDPR, which as at the effective date above means information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We process Personal Data when you are accessing or using our Website as a user of a Canopact customer (“Customer User”). Our Services are accessible to you after you have signed up or have logged on as a Customer User to your Canopact Account.


We gather Personal Data, (i) in connection with your access to our Website, (ii) if and to the extent it is necessary to provide our Services to you, and (iii) if we are entitled or obligated to process Personal Data under applicable law. Set out below in this Section 3 are the categories of Personal Data and other data that we use and the purposes for which we use them. The categories of companies or persons who may receive Personal Data are set out Section 5 below.

A. Information You Provide to Us:

Your Personal Data: We process Personal Data you actively and knowingly provide to us. For example, we collect Personal Data such as your name and email address if you sign up for a newsletter or you request a demo of our Services. If you sign up for our Services, some information is required to create a Canopact Account, such as your position at your company. If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features.

Your Company Data: We process basic data on your company which you actively and knowingly provide to us. For example, we collect your company name, sector, and number of employees (within a range) when you sign up to Canopact. If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features.

API Keys: In order to connect your Canopact account to a third-party software provider (e.g. Expensify) via an API, we will ask for you to input the API keys for your account with the relevant third-party provider. An API key is a simple encrypted string that identifies an application without any principal. Canopact doesn’t have the ability to view or use your API keys, but the API keys will be securely stored on our Website in order for the API connection to function effectively. If you choose not to provide us with an API key,you may not be able to take advantage of some of our features.

Travel & Expense Data: You may be using an email-based workflow in lieu of an API connection. If this is the case, we will ask for you to send travel booking confirmations and/ or expense receipts to We ensure that this data is securely processed on our email servers and is not sent to another email address or downloaded as a file. Our retention policy is to delete all travel booking confirmations and expense receipts within 7 days of them being received. If you choose not to send us this data, you may not be able to take advantage of some of our features.

Sensitive Data: We do not knowingly process information revealing political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (collectively, “Sensitive Information”).

B. Information Collected Automatically:

Technical Means: Whenever you interact with our Website or Services, we – or the service providers commissioned by and processing data on Canopact’s behalf – automatically process information on server logs by using so-called “browser cookies” or similar technical means. These technical means are either transferred to or communicate with your computer or mobile device to remember that you have registered and are logged in to your Canopact Account, or to recognize the browser or mobile device and tell us how and when pages on our Website are visited.

Log Data: When you visit the Website, whether as a Customer User or Individual User, our servers automatically record information about the browser or mobile app with which our Website is opened (“Log Data”). Log Data include your computer’s/mobile’s browser type, the requested webpage of our Website or feature of our Service, webpages visited before our Website, the time spent on those pages or features, subjects of searches on our Website and Services, access times and dates, and other related statistics. Analytics and Monitoring: We use this Log Data to monitor and analyse the use of the Website and the Services and for the Website’s technical administration, to increase our Website’s functionality and user-friendliness, and to better tailor it to our visitors’ needs.

Prevent or Opt-out: In any case, you are able to change the preferences on your browser or mobile device to prevent or limit your computer or device’s acceptance of these technical means, but this may prevent you from taking advantage of some of our Website’s or Service’s features. As the means by which you can refuse cookies through your internet browser controls vary depending on the browser or device used, you should visit your device or browser's help menu for more information

C. Email and Other Communications:

We may contact you by email or by other means. For example, we may communicate with you about your use of the Website or Services. If you do not want to receive email or other communications from us, please indicate your preferences by following the instructions we provide to you in each of our emails to unsubscribe or opt-out of the relevant publication or updates. We may also contact you by email or by other means about new Canopact products or services, offers or other marketing initiatives if you have requested to receive this information from us and have not opted out of receiving this type of information.

Canopact will still send you notices as strictly required by applicable law regardless of whether you opt-out or unsubscribe from communications.


We process and store information (including Personal Data) about our customers in the United Kingdom. We may also transfer your information to other countries where our service providers operate facilities.

In the situation where our sub-processors are not established in the European Economic Area ("EEA"), the United Kingdom or Switzerland, or otherwise process Personal Data outside the EEA, the United Kingdom and Switzerland, we take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with applicable data protection laws and this Privacy Policy. You can request a list of our sub-processors who process Personal Data, their respective locations and the adequate transfer mechanism used by email to


We neither rent nor sell your Personal Data in personally identifiable form to anyone. However, we may share such Personal Data with third parties as described below.

A. Trusted Third Parties:

We may employ other companies and people to either perform tasks on our behalf or to provide specific features to you on your request. Unless we tell you otherwise, such third parties do not have any right to use the Personal Data we share with them beyond what is necessary to assist us. This includes third party companies and individuals employed by us to facilitate our Services, including the provision of maintenance services, sales and marketing applications, database management, web analytics and general improvement of the Services.

B. Protection of Canopact and Others:

We may be compelled to access, read, preserve and/or disclose any information to (i) comply with applicable law or a court order; (ii) enforce or apply our Website Terms of Use or other agreements with you in our sole discretion; or (iii) protect the rights, property, or safety of Canopact, our employees, our users, or others in our sole discretion. We may send information to fraud protection and credit risk reduction agencies, but only in a manner limited to and consistent with that specific purpose.

C. With your Consent:

Except as set forth above, you will be notified when your Personal Data may be shared with third parties and will be able to object to the sharing of this information.


Canopact takes appropriate and reasonable precautions to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction

Your Canopact Account is protected by a password for your privacy and security. However, you must prevent unauthorized access to your Canopact Account and Personal Data by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

The transmission of information via the Internet is never completely secure and we are only able to control our Website and Services, but not the connected communication system or systems you use for accessing the Website or Services (e.g. wifi). Accordingly, unauthorized entry or use, hardware or software failure, and other factors we can neither control nor foresee, may compromise the security of information transmitted over the internet at any time.

Our Website may contain links to other sites. We cannot and have not reviewed these sites and cannot be responsible for the privacy policies and/or practices on these other sites. When following a link to another site you must read that site’s privacy policy and ensure you accept the terms of the same.

When we choose service providers, we assess their technical and organizational measures to ensure the protection of Personal Data. The same applies to other third parties to which we are allowed to transfer this information although these third parties are solely responsible for compliance with applicable laws.


Our Services are not directed to persons under the age of 16. We neither knowingly allow such persons to register for the Services on our Website nor knowingly collect Personal Data from children under 16. No one under age 16 may provide any Personal Data to us or on the Services.

If a parent or guardian becomes aware that his or her child has provided us with Personal Data without the parent’s consent, he or she should contact us at If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information from our files.


You have the right to access your Personal Data at any time (see Section 9 regarding your rights). You can access and, in some cases, edit or delete the following information you’ve provided to us through your Canopact Account by yourself:

The information you can view, update, and delete may change as the Website changes. If you have any questions about viewing or updating information we have on file about you, please contact us at

Regarding your further rights concerning your Personal Data, please see below Section 9.


In relation to your Personal Data, you always have the following rights to the extent available under applicable law:

Generally, you will find all information about data processing by us in this Privacy Policy.

You may be able to add, update, or delete information via your Canopact Account or the Services. However, when you update information, we may maintain a copy of the original information in our records (to the extent permitted by applicable law).

We will retain your information for as long as your Canopact Account is active or as reasonably necessary to provide you with the Services. You may request deletion of your Canopact Account by contacting us at Please note that some information may remain in our private records after your deletion of such information from your account (only if and to the extent permitted by applicable law). We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may use any aggregated and anonymized data derived from or incorporating your Personal Data after you update or delete it, but not in a manner that would identify you personally.

If you demand the erasure or object to any data processing please keep in mind that some Personal Data may be needed to register with us or to take advantage of some of our Services.

In some cases, we may technically not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.


We may amend this Privacy Policy from time to time and provide the new information to you on our Website. You are bound by any changes to the Privacy Policy when you use the Website after such changes have been first posted. If we make material changes in the way that we must obtain or renew your active prior consent for processing your Personal Data, we will notify you by sending you an email prior to the change becoming effective. If you don’t agree to the changes you may not be able to use the features or Services that are related to this consent.


We have established internal processes to ensure and monitor our compliance with this Privacy Policy and all applicable privacy laws. Additionally, we value the concepts of privacy by design and default and support any customer in fulfilling their obligations under applicable privacy laws. If you have any questions or comments about this Privacy Policy or how we process Personal Data, please feel free to contact us at


In compliance with applicable law, Canopact commits to resolve complaints about your privacy and our collection or use of your Personal Data promptly. Individuals with inquiries or complaints regarding this Privacy Policy should first contact Canopact at

We will make every effort to resolve your concerns fully and in a timely manner. In Europe, you can approach any supervisory authority that is competent under the General Data Protection Regulation. If you are resident in the EEA and the United Kingdom, the contact details for data protection authorities are available here. If you are resident in Switzerland, the contact details for the data protection authorities are available here. In the U.S., the regulatory agency with the authority to investigate and resolve claims should you consider our practices to be unfair or deceptive is the United States Federal Trade Commission. However, we encourage you to contact us first at, and then we will do our very best to resolve your concern.

Canopy Impact Limited is a registered company in England and Wales (Company number: 12660375).

Last updated September 19th 2021