Privacy & Security Policy

1. WHAT IS CANOPACT’S APPROACH TO PRIVACY?
We at Canopy Impact Limited ("Canopact", “we”, “us”, “our”) know that our users and customers (“you”, “your”) care about how your personal data is used and shared and we take your privacy seriously. We are focused on protecting your personal data and doing the right thing by you in terms of your privacy rights. For the purposes of the UK Data Protection Act 2018 (“UK-GDPR”) and General Data Protection Regulation (EU) 2016/679 (“EU-GDPR”) (the UK-GDPR and/or the EU-GDPR are also referred to herein as "GDPR"), Canopact is the ‘controller’ and responsible for your data as part of using Canopact’s Website or Services (as defined below).

2. WHAT DOES THIS PRIVACY POLICY COVER?
This Privacy Policy sets out how we collect, process, disclose or otherwise use data in connection with our website ("Website") and the various products and services provided by Canopact (“Services”). Our Privacy Policy may also apply to the processing of data in connection with Canopact’s marketing and publicity activities. This policy does not apply to the data practices and processing undertaken by our customers, nor to companies that we do not own or control nor to individuals that we do not employ or manage.
“Personal Data” as used in this Privacy Policy has the meaning given to it in the GDPR, which as at the effective date above means information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We process Personal Data when you are accessing or using our Website or Services.

3. INSTALLATION & AUTHENTICATION
As part of our Services, Canopact can be installed into a team's Slack Workspace by a Slack Administrator. Users can then be authenticated using Slack OAuth - users do not create a username and password specifically for Canopact. This provides the benefit that when a user leaves their Slack workspace, their Canopact account is deleted automatically and their permissions are revoked - you don't need to manually remove users in Canopact.
You can review Canopact’s permissions as an app within Slack as part of the installation process and as an existing user. As an existing user, go to the Slack API website, select Canopact on the ‘Your Apps’ page, and then choose ‘OAuth & Permissions’ from the list of options on the left panel. Canopact can be uninstalled at any time through the Slack app directory by a Slack Administrator or by contacting us at info@canopact.com. When data is deleted by Canopact, it is permanently deleted (as opposed to soft deleted).

4. WHAT INFORMATION DOES CANOPACT COLLECT?
We gather Personal and Company Data (i) in connection with your access to our Website and Services and (ii) if we are entitled or obligated to process Personal and Company Data under applicable law. Set out below in this Section 4 is the Personal Data and Company Data that we use and the purposes for which we use them. We operate on a basis of least-privilege: employees are only given access as needed to perform their job.
A. Information You Provide to Us:
Your Personal Data: We process Personal Data you actively and knowingly provide to us. For example, we collect your email address if you request a demo of our Services. By signing up for our Services, some information is provided to Canopact (Slack username, Slack profile image and email address). If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features. Canopact does not collect any Slack login IDs or passwords.
Your Company Data: We process data on your company which you actively and knowingly provide to us. For example, we collect your workspace name and ID when you install Canopact into your team’s Slack workspace. We process message data when Canopact is used to schedule posts on Slack. This data is processed for the sole purpose of providing the Services and is only retained for as long as strictly necessary. For more information on Canopact’s approach to security and encryption, review Section 5. If you choose not to provide us with certain information, you may not be able to register with us or to take advantage of some of our features. Canopact does not process or collect billing/payment information. Billing information is provided via secure payment processing services. Canopact uses Stripe as our third-party payment processor. Please note that you should read Stripe’s terms and conditions and privacy policy before making any payment.
Sensitive Data: We do not knowingly process information revealing political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (collectively, “Sensitive Information”).
B. Information Collected Automatically:
Cookies: Our Website uses Google Analytics, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 (“Google”). Google Analytics uses cookies and similar technologies to collect and analyse information about the use of the Website and to report on activities and trends. This service may collect information regarding the use of other websites, apps and online resources. For more information on how Google uses data when you use our Website, please follow this link. You may be able to opt-out of some or all of Google Analytics features by downloading the Google Analytics opt-out browser add-on. For more information about interest-based ads, or to opt out of having your web browsing information used for behavioural advertising purposes, please visit this site.
Log Data: The hosting platform for Canopact’s Slack application (Render) collects log data when there are error messages to help debug issues and improve our service to our customers. Canopact’s Website is hosted on Carrd.
Prevent or Opt-out: In any case, you are able to change the preferences on your browser or mobile device to prevent or limit your computer or device’s acceptance of these technical means, but this may prevent you from taking advantage of some of our Website’s or Service’s features. As the means by which you can refuse cookies through your internet browser controls vary depending on the browser or device used, you should visit your device or browser's help menu for more information.
C. Email and Other Communications:
We may contact you by email or by other means. For example, we may communicate with you about your use of the Website or Services. If you do not want to receive email or other communications from us, please indicate your preferences by emailing info@canopact.com. We may also contact you by email or by other means about new Canopact products or services, offers or other marketing initiatives if you have requested to receive this information from us and have not opted out of receiving this type of information. Canopact will still send you notices as strictly required by applicable law regardless of whether you opt-out or unsubscribe from communications.

5. WHERE DO WE STORE AND PROTECT DATA?
Canopact uses Render, which is a secure hosting platform for our servers (located in Germany). Render uses the Advanced Encryption Standard (AES) provided by Amazon RDS for PostgreSQL to encrypt data at rest and during transfer, using 256-bit encryption. Render provides fully managed TLS certificates and redirects all HTTP requests to HTTPS so that users’ security is never compromised. Canopact’s servers support TLS v1.2 and above, providing secure communications over our network. Render also backs up databases on a daily basis to prevent data loss, retaining all backups for at least 7 days.
We process and store information (including Personal Data) about our customers in the European Economic Area ("EEA"), the United Kingdom or Switzerland. We may also transfer your information to other countries where our service providers operate facilities. In the situation where our sub-processors are not established in the European Economic Area ("EEA"), the United Kingdom or Switzerland, or otherwise process Personal Data outside the EEA, the United Kingdom and Switzerland, we take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with applicable data protection laws and this Privacy Policy. You can view a list of our sub-processors, the service provided and their respective locations at the end of this page.
If you are a resident of the EEA, the United Kingdom or Switzerland, we use a variety of legal mechanisms to help ensure your Personal Data and rights are protected. We ensure that the recipient of your Personal Data offers an adequate level of protection and security, for instance by entering into the appropriate back-to-back agreements and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulator. Where required by applicable law, we will only share, transfer or store your Personal Data outside of your jurisdiction with your prior consent.

6. WILL CANOPACT SHARE ANY OF THE DATA IT RECEIVES?
We neither rent nor sell your Personal or Company Data to anyone. However, we may share such data with third parties as described below.
A. Trusted Third Parties: We may employ other companies and people to either perform tasks on our behalf or to provide specific features to you on your request. Unless we tell you otherwise, such third parties do not have any right to use the Personal or Company Data we share with them beyond what is necessary to assist us. This includes third party companies and individuals employed by us to facilitate our Services, including the provision of maintenance services, sales and marketing applications, database management, web analytics and general improvement of the Services.
B. Protection of Canopact and Others: We may be compelled to access, read, preserve and/or disclose any information to (i) comply with applicable law or a court order; (ii) enforce or apply other agreements with you in our sole discretion; or (iii) protect the rights, property, or safety of Canopact, our employees, our users, or others in our sole discretion. We may send information to fraud protection and credit risk reduction agencies, but only in a manner limited to and consistent with that specific purpose.
C. With your Consent: Except as set forth above, you will be notified when your Personal Data may be shared with third parties and you will be able to object to the sharing of this information.

7. IS THE DATA SECURE?
Canopact takes appropriate and reasonable precautions to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Canopact is accessed through your team’s Slack workspace and does not require a separate username and password. However, you must prevent unauthorized access to your team’s Slack workspace and data by selecting and protecting your Slack password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
The transmission of information via the Internet is never completely secure and we are only able to control our Website and Services, but not the connected communication system or systems you use for accessing the Website or Services (e.g. Wifi). Accordingly, unauthorized entry or use, hardware or software failure, and other factors we can neither control nor foresee, may compromise the security of information transmitted over the internet at any time.
Our Website may contain links to other sites. We cannot and have not reviewed these sites and cannot be responsible for the privacy policies and/or practices on these other sites. When following a link to another site you must read that site’s privacy policy and ensure you accept the terms of the same.
When we choose service providers, we assess their technical and organizational measures to ensure the protection of Personal Data. The same applies to other third parties to which we are allowed to transfer this information although these third parties are solely responsible for compliance with applicable laws.

8. DO WE PROCESS DATA OF CHILDREN?
Our Services are not directed to persons under the age of 16. We neither knowingly allow such persons to register for the Services on our Website nor knowingly collect Personal Data from children under 16. No one under age 16 may provide any Personal Data to us on our Website or via our Services. If a parent or guardian becomes aware that his or her child has provided us with Personal Data without the parent’s consent, he or she should contact us at info@canopact.com. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information from our files.

9. WHAT PERSONAL DATA CAN I ACCESS BY MYSELF?
You have the right to access your Personal Data at any time (see Section 10 regarding your rights). You can access the following information you’ve provided to us as part of installing Canopact in your Slack workspace:
• Slack username
• Slack profile picture
• Email address
The information you can view, update, and delete may change as the Website and Services change. If you have any questions about viewing or updating information we have on file about you, please contact us at info@canopact.com. Regarding your further rights concerning your Personal Data, please see Section 10 below.

10. WHAT RIGHTS DO I HAVE?
In relation to your Personal Data, you always have the following rights to the extent available under applicable law:

• Right to get transparent information about the processing of your Personal Data;
• Right to get access to your Personal Data;
• Right to rectify inaccurate Personal Data concerning you and to get information about any rectification;
• Right to erase Personal Data concerning you and to get information about any erasure;
• Right to restrict processing of Personal Data concerning you and to get information about any restriction;
• Right to receive Personal Data you provided to us and which concerns you and to transmit this received Personal Data to another provider;
• Right not to be the subject of a decision solely based on automated processing including profiling.

Generally, you will find all information about data processing by us in this Privacy & Security Policy. You may be able to add, update, or delete information by contacting us. However, when you update information, we may maintain a copy of the original information in our records (to the extent permitted by applicable law). We will retain your information for as long as you are an existing Canopact user or as reasonably necessary to provide you with the Services. You may request deletion of the Canopact application by contacting us at info@canopact.com. Please note that some information may remain in our private records after your deletion of such information from your account (only if and to the extent permitted by applicable law). We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may use any aggregated and anonymized data derived from or incorporating your Personal Data after you update or delete it, but not in a manner that would identify you personally.
If you demand the erasure or object to any data processing, please keep in mind that some Personal Data may be needed to register with us or to take advantage of some of our Services. In some cases, it may not be technically feasible to remove your Personal Data, in which case we will let you know if we are unable to do so and why.

12. CANOPACT’S ONGOING COMMITMENT TO PRIVACY
We value the concepts of privacy by design and default and support any customer in fulfilling their obligations under applicable privacy laws. If you have any questions or comments about this Privacy Policy or how we process Personal Data, please feel free to contact us at info@canopact.com.

13. CONCERNS AND RESOLUTION
In compliance with applicable law, Canopact commits to resolve complaints about your privacy and our collection or use of your Personal Data promptly. Individuals with inquiries or complaints regarding this Privacy Policy should first contact Canopact at info@canopact.com. We will make every effort to resolve your concerns fully and in a timely manner. In Europe, you can approach any supervisory authority that is competent under the General Data Protection Regulation. If you are resident in the UK, the contact details for data protection authorities are available here. If you are resident in the EEA, the contact details for data protection authorities are available here. If you are resident in Switzerland, the contact details for the data protection authorities are available here. In the U.S., the regulatory agency with the authority to investigate and resolve claims should you consider our practices to be unfair or deceptive is the United States Federal Trade Commission.
However, we encourage you to contact us first at info@canopact.com, and then we will do our very best to resolve your concern.
Canopy Impact Limited is a registered company in England and Wales (Company number: 12660375) and we are registered with the Information Commissioner's Office in the UK.


Canopact's Sub-Processors