Privacy Policy
Last updated: 15 June 2026
1. Who we are
Canopy (“we”, “us”, “our”) is a family organisation application operated by Chris Wiggins, based in the United Kingdom. We are the data controller for all personal data processed through the Canopy service.
Contact: hello@canopy-app.app
We are registered with the Information Commissioner’s Office (ICO) as required under UK data protection law.
2. What data we collect
We collect the following categories of personal data:
Account data
Email address, password (stored as a one-way hash), display name, and two-factor authentication status.
Contact and notification data
Phone number (optional, used for SMS notifications), push notification token (optional, used for in-app alerts), and additional email addresses you register for FamilyFeed.
Family and children’s data
Children’s names, dates of birth, and parenting schedule. This may include information about children under 18, entered by a parent or guardian.
Special category data (medical information)
Where you choose to use the Medical section of the Info Bank, we store health information including GP and dentist details, blood type, allergies, and medications. This is special category data under UK GDPR and is processed only with your explicit consent.
Content you create
Calendar events, notice board posts, direct messages, shared expenses, Info Bank entries (school, personal, contact, and account details), and uploaded documents.
FamilyFeed email content
When you forward emails to familyfeed@canopy-app.app, the content of those emails is processed by AI to extract calendar events and notices. See section 7 for full details.
Technical data
Authentication session tokens and error logs used to operate and maintain the service. We do not use analytics trackers or advertising identifiers.
Consent records
Records of when you gave explicit consent for special category data processing and FamilyFeed AI processing, including timestamp.
3. Lawful basis for processing
| Processing activity | Lawful basis |
|---|---|
| Core app features (calendar, notice board, messaging, schedule) | Performance of contract |
| Account authentication and security | Performance of contract / Legitimate interests |
| Push notifications and SMS alerts | Legitimate interests (you can opt out at any time) |
| Medical information (Info Bank — Medical section) | Explicit consent (UK GDPR Art. 9(2)(a)) |
| FamilyFeed AI email processing | Explicit consent |
| Subscription management | Performance of contract |
| Compliance with legal obligations | Legal obligation |
4. How we use your data
- To provide and operate the Canopy service, including syncing family data between accounts
- To send push notifications and SMS alerts you have enabled
- To process emails forwarded to FamilyFeed and extract calendar events using AI
- To generate exports you request (data download, court-ready PDF records)
- To manage your subscription via the App Store or Google Play
- To investigate and resolve technical issues
We do not sell your data. We do not use your data for advertising. We do not profile you for marketing purposes.
5. Who we share data with
We share data only with the following service providers, and only as strictly necessary to operate the service. All are engaged as data processors under appropriate agreements.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | USA (EU region available) |
| Anthropic | AI processing of FamilyFeed emails (event extraction only) | USA |
| Telnyx | SMS notifications | USA |
| Resend | Transactional email (invite emails, 2FA codes) | USA |
| Railway | Application hosting | USA |
| Cloudflare | DNS, email routing, and edge processing | USA / Global |
| RevenueCat | Subscription management (Apple IAP / Google Play) | USA |
| Apple / Google | In-app purchase processing and app distribution | USA / Global |
6. International data transfers
Several of our service providers are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) where applicable.
FamilyFeed email content sent to Anthropic for AI processing is used solely for the purpose of extracting events and is not retained by Anthropic beyond the processing window, in accordance with their API data processing terms.
7. FamilyFeed — AI email processing
FamilyFeed allows you to forward emails (such as school newsletters) to familyfeed@canopy-app.app. When an email is received from a registered address, its content is sent to Anthropic’s Claude AI to extract calendar events, dates, and notices.
Before you can use this feature, we ask for your explicit consent to this AI processing. You can withdraw consent at any time by removing your forwarding addresses in Settings — this will prevent further emails from being processed. It does not affect events already created.
Email content is processed in real time and is not used to train AI models. Only emails from addresses you have registered are processed; all others are silently discarded.
8. Children’s data
Canopy is designed for use by adults (18+) to manage information about their children. Children do not create accounts. All children’s personal data is entered by a parent or guardian and is accessible only to verified members of that family.
Medical information about children (GP details, allergies, medications) is special category data. We obtain explicit consent from the parent entering this data before it is stored.
9. Data retention
- Active accounts: data is retained for as long as your account is active.
- Account deletion: when you delete your account, your personal data and all associated family data (if you are the last parent) is deleted immediately and permanently. This includes all files stored in the document vault.
- If the other parent remains: your membership is removed but family data (calendar, notices, etc.) created collaboratively remains accessible to the remaining parent.
- Backups: deleted data may persist in encrypted database backups for up to 30 days before being permanently purged.
10. Your rights
Under UK GDPR you have the following rights:
Right of access
Request a copy of all personal data we hold about you. Use the “Download my data” button in Settings → Account, or email us.
Right to rectification
Correct inaccurate data directly in the app, or contact us if you need our assistance.
Right to erasure
Delete your account and all associated data using “Delete my account” in Settings → Account. Deletion is immediate and permanent.
Right to data portability
Export all your data in a structured format using “Download my data” in Settings → Account.
Right to withdraw consent
Where processing is based on your consent (medical data, FamilyFeed AI), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to object
Object to processing based on legitimate interests by contacting us at hello@canopy-app.app.
Right to lodge a complaint
If you believe we have not handled your data correctly, you may complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
11. Security
We implement appropriate technical and organisational security measures including:
- Passwords stored as one-way hashes (never in plain text)
- Optional two-factor authentication (email-based)
- Row-level security ensuring each family can only access their own data
- Encrypted storage for documents and files
- HTTPS for all data in transit
- Child account passwords stored using Supabase Vault encryption
No system is completely secure. If you become aware of any security issue, please contact us immediately at hello@canopy-app.app.
12. Cookies
The Canopy app uses session cookies for authentication only — these are essential to keep you logged in and cannot be disabled. We do not use advertising cookies, tracking pixels, or third-party analytics.
This marketing website (mycanopymail.com) does not use any tracking or advertising cookies.
13. Changes to this policy
We will notify active subscribers of any material changes to this policy by email at least 14 days before they take effect. The current version is always available at this URL. Continued use of the service after changes take effect constitutes acceptance.
14. Contact us
For any questions about this policy or to exercise your rights:
Email: hello@canopy-app.app
We aim to respond to all requests within 14 days and will always respond within the statutory 30-day period.