GDPR
Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which becomes enforceable on May 25, 2018, seeks to strengthen the security and protection of personal data in the EU and serve as a single piece of legislation for all of the EU. It will replace the EU Data Protection Directive as well as all the local laws relating to it.
We at Canopy support the privacy rights of our customers and our users and we comply with GDPR.
Who does GDPR apply to?
The GDPR applies to all organizations operating in the EU, processing personal data in the EU, or processing "personal data" of EU residents. It defines personal data as any information relating to an identified or identifiable natural person. "Data subjects" are the individual persons whose data we receive and process.
Canopy's Role in GDPR Compliance
It is important to note that Canopy is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance:
As a Data Controller, Canopy is responsible for implementing appropriate safeguards to ensure compliant processing of personal data provided to us by our customers and by individual consumers. This data is provided to us when customers and individual consumers interact directly with our services like canopy.is and thewatercooler.com.
As a Data Processor, Canopy is responsible for safeguarding the personal data of our customers' users as they share information using our service canopy.is.
GDPR Compliance
Data retention
We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collect and use it and on your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Through this policy, we have provided specific retention periods for certain types of information.
Data retention: Location of site and data
Our products and other web properties are operated in the United States. If you are located in the European Union, UK, or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to and stored in the United States. By using our websites or Services and/or providing us with your personal information, you consent to this transfer.
Data retention: When transferring personal data from the EU
The European Data Protection Board (EDPB) has issued guidance that personal data transferred out of the EU must be treated with the same level of protection that is granted under EU privacy law. UK law provides similar safeguards for UK user data that is transferred out of the UK. Accordingly, Canopy has adopted a data processing addendum with Standard Contractual Clauses to help ensure this protection. Canopy's DPA is available at DPA.
There are also a few ad hoc cases where EU personal data may be transferred to the U.S. in connection with Canopy operations, for instance, if an EU user signs up for our newsletter or participates in one of our surveys. Such transfers are only occasional and data is transferred under the Article 49(1)(b) derogation under GDPR and the UK version of GDPR.
Policy, Terms of Services and DPA
Our Privacy Policy, as well as our Terms of Services, was updated to reflect our compliance with GDPR. Our Terms of Services incorporate the Canopy Data Processing Addendum ("DPA") when the General Data Protection Regulation ("GDPR") applies to your use of Canopy Services to process Customer Data as defined in the DPA. The DPA is effective as of August 16, 2023 and replaces and supersedes any previously agreed data processing addendum between you and Know Your Team, LLC relating to the GDPR. Regardless of whether you execute the DPA or not, we protect and secure your data to the high standards set out in the addendum.
Data Audit
We constantly review all the data we collect, where the data is collected and processed, the reasons why we collect it, and which Canopy employees have access to it. This is also known as a data map, and we have it ready to share upon request.
Vendor Audit
We audit all vendors to ensure they are adhering to GDPR as well as signing all appropriate DPAs. You can see more about our sub-processors further down in this document.
Your rights as an EEA person
Under the GDPR, as a European Economic Area (EEA) person, you have the following rights:
The right to be informed
You have the right to be informed when your data is being collected, how it is being used, and the identity of the data controller. We fulfil this through our privacy policy. (Section 2 Articles 13 & 14)
The right to object
We strive to only collect data that is important for us to serve you well or to improve the product. Nonetheless, you have the right to object to the use of your personal data and make a case that our organization lacks compelling and legitimate grounds for processing your data to perform our business function. (Section 4 Article 21)
The right of access
You have the right to ask whether we are processing your data, how we are processing it, where we are processing it, and the reasons for the processing. (Section 2 Article 15) To request your personal data map and see the categories of recipients who may see your data, you can click on this link.
The right to rectification
You can correct or complete any of your personal information we hold by visiting your respective profile page on canopy.is or thewatercooler.com. If you have questions on how to do that, please contact us. (Section 2 Article 16)
The right to be Forgotten (also known as Data Erasure)
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. (Section 2 Article 17)
To request we delete all data about you (the data subject) please click on this link. If you are a user under a customer's organization, we reserve the right to inform the customer before we proceed with the erasure. If you are the owner of the organization and you want to keep the organization's account active, we need to appoint a new organization owner before we proceed with the erasure.
Once we initiate the erasure process, the operation cannot be undone, and deleting all your data can take up to 30 days due to our backups policy. In the event we cannot delete your data due to legal or similar restrictions, we will tell you and explain the reason(s).
The right to restrict processing
We share some personal data with certain vendors for analytics purposes to help us improve the product or solve bugs, but we do not sell your personal or other data under any circumstances. (Section 2 Article 18)
You have the right to request that we stop processing your personal data if you believe it is not accurate, if the processing is not compliant, or if retention is no longer needed. To file a request to restrict the data we process, please click on this link.
The right to data portability
You have the right to receive the personal data concerning you (Section 2 Article 20). Upon request, we can generate a series of CSV files containing all your data, so you can transmit that data to another controller.
To request that we export all the data we have associated with your account, click on this link. This process can take up to 30 days, and our support team will keep you informed of the progress via email.
Breach Notification
Under the GDPR, a breach notification is mandatory if a data breach is likely to result in a risk to the rights and freedoms of individuals. If this scenario occurs, you will be notified by email within 72 hours of our first becoming aware of the breach.
Privacy by design
Canopy takes a holistic approach to security and privacy. All sensitive and personal information we keep is encrypted and we never sell user data.
Third Parties
Canopy uses third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide you with our services. These are also known as processors and sub-processors under GDPR. We only use partners that comply with GDPR, and we have a Data Processing Agreement with every one of them.
To see our list of current vendors and the changes we've made over time, you can check this link.
Questions about GDPR?
Please get in touch and we’ll be happy to answer any questions!