Privacy Policy
Last updated: 14 May 2026
1. Introduction
Canopiya (“we”, “us”, or “our”) is committed to protecting the personal data of our users. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over your data.
This policy applies to all users of the Canopiya website and Service, including users located in Singapore (covered by the Personal Data Protection Act 2012 (“PDPA”)) and in the European Economic Area or United Kingdom (covered by the General Data Protection Regulation (“GDPR”) and UK GDPR respectively).
The data controller is Canopiya Pte. Ltd. (UEN: 202614326H), registered at 60 Paya Lebar Road, #06-28 Paya Lebar Square, Singapore 409051.
2. Data Protection Officer (DPO)
Our designated Data Protection Officer (DPO) is Don Low(Founder & CEO). The DPO is responsible for overseeing data protection strategy and compliance with Singapore PDPA and GDPR.
For data protection enquiries, please contact: privacy@canopiya.com. We will respond to access and correction requests within 30 business days (PDPA) or 1 calendar month (GDPR), as applicable.
3. Personal Data We Collect
We collect the following categories of personal data:
Account Data
Email address (collected at registration via magic link or Google OAuth).
Profile Data
Display name (optional, set by you).
Family Tree Data
Names, sex, birth dates, death dates, biographical notes, photographs, and social media profile links (LinkedIn, Facebook, Instagram, TikTok) that you enter for yourself and other family members. You are responsible for ensuring you have a lawful basis to enter data about third parties (see Section 5).
Payment Data
If you subscribe to a paid plan, payment details (card number, billing address) are processed directly by Stripe, Inc. We receive only a subscription status and plan tier — we do not store your card details.
Usage Data
Server logs including IP address, browser type, pages visited, and timestamps. This data is used for security, debugging, and service operation. No third-party analytics or tracking tools are used.
4. How We Use Your Personal Data
We use your personal data to:
- Create and manage your account and authenticate you;
- Provide and improve the Canopiya Service;
- Send transactional emails (e.g., magic link sign-in, collaboration invites) via Resend;
- Process subscription payments via Stripe;
- Respond to support requests;
- Detect and prevent fraud, abuse, and security incidents;
- Comply with legal obligations;
- Send product updates and newsletters, if you have given separate consent (you may withdraw this at any time).
5. Lawful Basis for Processing
GDPR (EU / UK users)
We rely on the following lawful bases under Article 6 GDPR:
- Contract (Art. 6(1)(b)): Processing your account data and family tree data is necessary to provide the Service you signed up for.
- Consent (Art. 6(1)(a)): Marketing emails — you gave explicit consent at sign-up and may withdraw it at any time.
- Legitimate Interests (Art. 6(1)(f)): Security logging and fraud prevention. A Legitimate Interests Assessment (LIA) has been documented internally.
PDPA (Singapore users)
Under Singapore PDPA, we collect, use, and disclose your personal data on the basis of your consent given at sign-up, and for purposes you would reasonably expect (providing the Service you requested). You may withdraw consent at any time by deleting your account or contacting us; however, withdrawal may mean we can no longer provide the Service.
6. Third-Party Sub-Processors
We share your personal data only with the following trusted sub-processors, each bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Japan (AWS ap-northeast-1, Tokyo) |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. | Payment processing | United States |
| Vercel, Inc. | Application hosting & CDN | United States (AWS us-east-1, Washington D.C.) / Global edge CDN |
Data Processing Agreements (DPAs) are in place with all sub-processors listed above.
7. International Data Transfers
Some of our sub-processors are located outside Singapore and the European Economic Area. The table below shows where each processor is located and the transfer mechanism in place.
GDPR Users (EU / UK)
- Supabase (Japan): Japan holds an EU adequacy decision (European Commission, January 2019), meaning transfers to Supabase require no additional safeguards under GDPR.
- Resend, Stripe, Vercel (United States): Transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms under UK GDPR. SCCs and Transfer Impact Assessments (TIAs) are in place with all US-based sub-processors in accordance with post-Schrems II requirements.
PDPA Users (Singapore)
Under the PDPA, international transfers require the recipient to provide a comparable standard of protection. Japan’s data protection framework (APPI) is recognised as providing comparable protection. For US-based sub-processors (Resend, Stripe, Vercel), we rely on contractual clauses in line with PDPC transfer obligation requirements.
8. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, your personal data (including all family tree data, persons, and relationships) is deleted from our systems immediately upon account deletion request.
We retain the following data for the periods below:
- Server and infrastructure logs (IP address, browser type, pages visited, timestamps): retained for 1 year for security and incident investigation purposes, then automatically purged.
- Application audit logs (account actions, consent records, data access events): retained for 7 years to meet legal hold obligations under Singapore law and GDPR, then automatically purged.
- Payment records: Stripe retains these in accordance with their own retention policy and applicable financial regulations.
9. Your Rights
Depending on your location, you have the following rights regarding your personal data:
All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and personal data (available via Account Settings → Delete Account).
EU / UK Users (GDPR)
- Portability (Art. 20): Receive your data in a structured, machine-readable format. You may export your family tree data as a GEDCOM file (via the Trees page) or download a full account data export via Account Settings.
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw marketing consent at any time without affecting prior processing.
- Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., for EU users, the data protection authority in your Member State; for UK users, the ICO at ico.org.uk).
Singapore Users (PDPA)
- Access (s.21 PDPA): Request access to personal data we hold about you and information about how it has been used within the past year.
- Correction (s.22 PDPA): Request correction of personal data that is inaccurate or incomplete.
- Withdraw Consent: Withdraw consent at any time, subject to legal or contractual restrictions; note that withdrawal may affect our ability to provide the Service.
To exercise any of these rights, contact us at privacy@canopiya.com. We will respond within the timeframes required by applicable law.
10. Cookies
Canopiya uses only strictly necessary cookies required for authentication and session management. These cookies are set by Supabase and are essential for the Service to function. No tracking, advertising, or analytics cookies are currently used.
Because we use only strictly necessary cookies, we do not require a cookie consent banner under most interpretations of GDPR and the ePrivacy Directive. However, you may disable cookies in your browser settings, which will prevent you from signing in to the Service.
If analytics or advertising scripts are added in future, a cookie consent banner will be required under GDPR/ePrivacy and Singapore PDPA.
11. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, please contact us at privacy@canopiya.com and we will delete it promptly.
Note that family tree data may include biographical information about minors (e.g., children or grandchildren added to a tree). This data is entered by the account holder (an adult) and is subject to their responsibility and the purposes described in this policy.
12. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls, and regular security reviews.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law (within 72 hours under GDPR; within 3 calendar days under Singapore PDPA Advisory Guidelines).
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or a prominent notice within the Service at least fourteen (14) days before they take effect. We will also update the “Last updated” date at the top of this page.
If changes require a fresh consent (e.g., new purposes or new categories of data), we will ask you to re-consent before processing continues.
14. Contact Us
For any questions, data subject requests, or complaints about this Privacy Policy or our data practices:
- Email: privacy@canopiya.com
- General contact: hello@canopiya.com
- Registered address: Canopiya Pte. Ltd., 60 Paya Lebar Road, #06-28 Paya Lebar Square, Singapore 409051