Privacy Policy

Last updated: May 2026

1. Data Controller

The data controller responsible for your personal data is:

Jonas Holtstiege
The Netherlands
Email: privacy@canopymail.eu

2. Information We Collect

We collect the following types of personal data:

Account Information

  • Email address (used for login and communication)
  • Display name
  • Profile picture URL (from Google)
  • Subscription and payment status

Email Account Connections

  • Gmail: OAuth tokens (encrypted) that allow us to access your email on your behalf
  • IMAP: Server credentials (encrypted with AES-256-GCM) for non-Gmail accounts

Important: We do not store your emails on our servers. Your emails remain with your email provider (Google, your IMAP server, etc.). We only access them in real-time when you use the application.

App Settings and Preferences

  • Theme preference (dark/light/system)
  • Account accent colors
  • Email signatures
  • Keyboard shortcut customizations

Scheduled Actions

  • Snoozed email references and scheduled return times
  • Scheduled send times (references only, not email content)
  • Pinned email references

AI Feature Data (Pro Users Only)

When you use AI features:

  • Email content is sent to your selected AI provider — Anthropic (default) or Mistral (EU-hosted) — for processing
  • AI-generated summaries may be cached (encrypted) to improve performance

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the email client service you requested
  • Legitimate Interests (Art. 6(1)(f)): For service improvement, security, and fraud prevention
  • Consent (Art. 6(1)(a)): For optional features like AI processing (you can withdraw consent at any time)
  • Legal Obligation (Art. 6(1)(c)): Where required by law (e.g., tax records for payments)

4. How We Use Your Information

We use your personal data to:

  • Provide and maintain the email client service
  • Process your subscription payments
  • Send service-related communications (e.g., security alerts, service updates)
  • Provide AI-powered features (Pro users, with your consent)
  • Improve and optimize the service
  • Comply with legal obligations

5. Data Sharing and Sub-processors

We share personal data only with the service providers (sub-processors) we need to run Canopy Mail. We do not sell your personal data, and we never share it for advertising purposes.

Sub-processors

  • Google: sign-in and access to Gmail, Google Calendar and Google Contacts when you connect a Google account — essential for core functionality (USA / global).
  • Anthropic: AI features (default provider) — receives the email content you choose to process with AI (USA).
  • Mistral: AI features (optional, EU-hosted alternative) — receives the email content you choose to process with AI, kept within the EU (EU / France).
  • Stripe: subscription payments — receives your name, email and billing/payment details (EU: Stripe Payments Europe, Ireland, and USA).
  • Sentry: error and crash diagnostics — may receive technical error data and limited account identifiers (USA).
  • Logo.dev: sender/company logos shown next to messages — receives only the domain part of a sender's address (e.g. example.com) to return a logo, never the full address or message content.
  • Creoline: cloud hosting and database — stores your encrypted data in the EU (Frankfurt, Germany).

Email Providers

We connect to your email providers (Google, or your IMAP/SMTP server) using your credentials to access your mail on your behalf. This is essential for the service to function.

6. International Data Transfers

Your data is stored within the European Union. Some of the sub-processors listed above are based outside the EU — including Anthropic, Stripe and Sentry (United States) and Google (United States / global). Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards required by GDPR Chapter V, such as the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

If you prefer to keep AI processing entirely within the EU, you can choose Mistral (EU-hosted) as your AI provider, or turn AI features off altogether.

7. Data Retention

We retain your personal data for the following periods:

  • Account data: Until you delete your account
  • Email credentials: Until you remove the email account or delete your account
  • AI summaries (cached): Until refreshed or account deletion
  • Payment records: 7 years (legal requirement for tax purposes)
  • Server logs: 30 days

When you delete your account, we immediately delete all your personal data except where retention is required by law.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at rest using AES-256-GCM for sensitive data (credentials, tokens)
  • Encryption in transit using TLS 1.2+
  • Encryption keys stored separately from the database
  • Regular security updates and monitoring
  • Access controls and authentication

9. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limitation of processing
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise any of these rights, contact us at privacy@canopymail.eu. We will respond within 30 days.

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. For the Netherlands, this is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Website: autoriteitpersoonsgegevens.nl

11. Cookies

We use essential cookies only to maintain your session and remember your preferences. We do not use tracking cookies or third-party advertising cookies.

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes affecting your rights, we will provide direct notification via email.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

privacy@canopymail.eu

Related Pages

Privacy by DesignTerms of Service