Privacy Policy

Last updated: January 2026

1. Data Controller

The data controller responsible for your personal data is:

Jonas Holtstiege
The Netherlands
Email: privacy@canopymail.eu

2. Information We Collect

We collect the following types of personal data:

Account Information

  • Email address (used for login and communication)
  • Display name
  • Profile picture URL (from Google)
  • Subscription and payment status

Email Account Connections

  • Gmail: OAuth tokens (encrypted) that allow us to access your email on your behalf
  • IMAP: Server credentials (encrypted with AES-256-GCM) for non-Gmail accounts

Important: We do not store your emails on our servers. Your emails remain with your email provider (Google, your IMAP server, etc.). We only access them in real-time when you use the application.

App Settings and Preferences

  • Theme preference (dark/light/system)
  • Account accent colors
  • Email signatures
  • Keyboard shortcut customizations

Scheduled Actions

  • Snoozed email references and scheduled return times
  • Scheduled send times (references only, not email content)
  • Pinned email references

AI Feature Data (Pro Users Only)

When you use AI features:

  • Email content is sent to our AI provider (Anthropic) for processing
  • AI-generated summaries may be cached (encrypted) to improve performance

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the email client service you requested
  • Legitimate Interests (Art. 6(1)(f)): For service improvement, security, and fraud prevention
  • Consent (Art. 6(1)(a)): For optional features like AI processing (you can withdraw consent at any time)
  • Legal Obligation (Art. 6(1)(c)): Where required by law (e.g., tax records for payments)

4. How We Use Your Information

We use your personal data to:

  • Provide and maintain the email client service
  • Process your subscription payments
  • Send service-related communications (e.g., security alerts, service updates)
  • Provide AI-powered features (Pro users, with your consent)
  • Improve and optimize the service
  • Comply with legal obligations

5. Data Sharing and Third Parties

We share your data with the following categories of recipients:

Service Providers

  • Stripe: Payment processing (processes your payment information)
  • Anthropic: AI features (processes email content when you use AI features)
  • Hetzner: Cloud hosting (stores encrypted data in the EU)

Email Providers

We connect to your email providers (Google, IMAP servers) using your credentials to access your email on your behalf. This is essential for the service to function.

We do not sell your personal data to third parties. We do not share your data for advertising purposes.

6. International Data Transfers

Your data is primarily stored within the European Union (EU). However, some of our service providers are located outside the EU:

  • Stripe: US-based, certified under EU-US Data Privacy Framework
  • Anthropic: US-based, data processing agreement with Standard Contractual Clauses

For transfers outside the EU, we ensure appropriate safeguards are in place as required by GDPR Chapter V.

7. Data Retention

We retain your personal data for the following periods:

  • Account data: Until you delete your account
  • Email credentials: Until you remove the email account or delete your account
  • AI summaries (cached): Until refreshed or account deletion
  • Payment records: 7 years (legal requirement for tax purposes)
  • Server logs: 30 days

When you delete your account, we immediately delete all your personal data except where retention is required by law.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at rest using AES-256-GCM for sensitive data (credentials, tokens)
  • Encryption in transit using TLS 1.2+
  • Encryption keys stored separately from the database
  • Regular security updates and monitoring
  • Access controls and authentication

9. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limitation of processing
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise any of these rights, contact us at privacy@canopymail.eu. We will respond within 30 days.

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. For the Netherlands, this is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Website: autoriteitpersoonsgegevens.nl

11. Cookies

We use essential cookies only to maintain your session and remember your preferences. We do not use tracking cookies or third-party advertising cookies.

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes affecting your rights, we will provide direct notification via email.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

privacy@canopymail.eu

Related Pages

Privacy by DesignTerms of Service