Privacy Policy
Last updated: February 2026
The Short Version
We do not collect personal data. We do not track what you read. We do not use analytics. We do not set tracking cookies. We do not share any data with third parties for advertising or profiling. Your account is a random code — we do not know who you are.
What We Store
- Your account code (hashed, not reversible)
- Your feed subscriptions (encrypted at rest)
- Your read/unread state (encrypted at rest)
- Cached feed content (temporarily, for performance)
We cannot associate any of this data with a real person because we never collect identifying information.
What We Do NOT Store
- Email addresses (we never ask for one)
- IP addresses (we do not log them)
- Reading habits or analytics
- Browser fingerprints
- Third-party tracking data
Newsletter Addresses
When you create a newsletter inbox address, incoming emails are processed to extract content, then the email is deleted. Tracking pixels and external images are stripped before delivery. We do not store the original emails.
Payment — What We Control, What We Don't
We want to be completely honest about what happens when you pay with a card. Card payments are not anonymous. Stripe, our payment processor, receives your card details directly from your browser. We never see your card number, expiry, or CVC — but Stripe does, because that's how card payments work.
What Stripe sees
- Your card number, expiry, and CVC (standard card processing)
- Your IP address at time of payment
- A random payment token (e.g. pay_a1b2c3d4e5f6...)
- The amount and description (“Canopy Reader — 3 months access”)
Stripe does not see your account code, your feeds, what you read, or anything about how you use Canopy. We do not create Stripe customer accounts, we do not pass your name or email (we don't have them), and we do not use Stripe's marketing or analytics features.
What we see
When Stripe confirms a payment, we receive a webhook containing the random payment token. We look up that token in our database to find which account to credit. Here's exactly what the payment record looks like in our database:
// Payment record at time of payment
{
  token: "pay_a1b2c3d4e5f6...", // random, meaningless
  account_id: "clx9k2m...", // links token → account
  months: 3,
  credited: true,
  created_at: "2026-02-19"
}
After 20 days: the link is destroyed
A daily cleanup job permanently deletes credited payment tokens after 20 days. After deletion, the connection between your payment and your account no longer exists — anywhere. Stripe has a token that maps to nothing. We have an account with time on it but no record of how it got there.
// After 20 days — token record deleted
// Stripe side: pay_a1b2c3d4e5f6... → (nothing)
// Our side: account clx9k2m... → paid_until: 2026-05-19
// (no record of which payment extended it)
If you want true anonymity
Card payments go through the banking system. Stripe is required to comply with financial regulations, which means card payments are inherently identifiable. We minimize what we send to Stripe (no name, no email, no account ID), but we can't change how cards work. If you need true payment anonymity, we plan to offer cryptocurrency payments in the future.
Third-Party Processors
We use a minimal set of infrastructure providers to operate the service. Each processes data only as necessary to provide their service:
- Stripe (payment processing) — receives your card details, IP address, and a random payment token. We do not create Stripe customer accounts, and we do not pass your name, email, or account ID. See “Payment” above for the full breakdown.
- Neon (database hosting, EU — Netherlands) — stores encrypted account data. Neon does not have access to decryption keys.
- Vercel (application hosting) — serves the web application. Access logs are not retained by us. Vercel's infrastructure may temporarily process request metadata as part of normal HTTP serving.
We do not use any analytics, advertising, or tracking services.
Data Location
All data is stored in the European Union (Netherlands). EU data protection law (GDPR) applies.
Data Retention
Account data is stored for as long as your account exists. Cached feed content is refreshed periodically and older articles may be pruned. Rate limiting data is ephemeral and auto-expires within minutes. When you delete your account, all associated data (feeds, articles, read states, playback positions, newsletter addresses) is permanently deleted immediately.
Your Rights Under GDPR
Because we do not collect personal data, most GDPR data subject requests do not apply in the traditional sense. However:
- Access & portability: You can export all your data (OPML, read states) at any time from within the app.
- Erasure: You can delete your account and all associated data instantly from the app settings. Deletion is immediate and irreversible.
- Rectification: You can modify your feed subscriptions and data at any time.
- Restriction & objection: Since we do not process personal data for profiling, marketing, or any purpose beyond providing the service, these rights are satisfied by design.
Because accounts are anonymous (identified only by a random code), we cannot process data requests based on name or email. You manage your own data through your account code.
Law Enforcement
If compelled by valid legal process, we can only provide what we have: hashed account codes, encrypted feed subscriptions, and encrypted read states. We cannot identify account holders because we never collect identifying information. We will notify affected users where legally permitted to do so.
Contact
Questions about this policy? Email privacy@canopyreader.com