Privacy Policy
Version 2026-05-26 — replaces all prior versions.
1. Who is the data controller?
During the private beta the data controller is the founder, an individual based in Luxembourg, reachable at hello@canuplan.com. Once Canuplan is incorporated as a Luxembourg SARL-S, the SARL-S will become the data controller and this notice will be updated.
2. What we collect
- Account data: name, email, organisation name, phone number, optional WhatsApp number — captured at signup.
- Subscription metadata: Stripe customer ID, subscription status, invoice amounts. Stripe (not us) processes card data; we never see or store it. During the beta no card is collected because invoices are €0.
- Roster data: shift schedules, roles, departments, and the people you put in them — typically first name + last initial + role. You decide what level of detail to enter.
- Conversation data: the text of messages you and your team send to the Canuplan bot over Signal or WhatsApp, plus any voice notes you transcribe through us.
- Operational data: IP address, user-agent, and timestamps for security and rate-limiting.
3. What we don't collect
- We do not collect payment cards.
- We do not collect data we don't need. If you can avoid putting personal data into the roster (e.g., use initials), please do — it's better for everyone.
- We do not sell data to third parties. Ever.
- We do not use your data to train third-party AI models on your behalf (see §6).
4. Why we process it (legal basis)
- Performance of contract (GDPR Art. 6(1)(b)) — operating the scheduling service you subscribed to.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, abuse detection, debugging.
- Legal obligation (Art. 6(1)(c)) — keeping billing records as required by Luxembourg tax law.
5. Where it lives
All Canuplan-managed data is hosted on OVHcloud servers in Strasbourg, France (European Union). Backups stay in the same jurisdiction. The dashboard, API, and per-tenant database are all in the EU.
6. AI processing & pseudonymisation
Canuplan uses large language models from Anthropic to help interpret messages and draft schedules. Before any roster data leaves Canuplan's servers and reaches the AI provider, it is pseudonymised: real names, phone numbers, and other direct identifiers are replaced with opaque codes that are meaningful only inside your tenant. The AI provider sees only the codes; we re-hydrate the real values locally before showing the answer to you.
Anthropic is contractually bound (under their commercial terms) not to use the data we send them to train their models.
7. Sub-processors
- OVHcloud SAS (France) — infrastructure hosting (EU).
- Anthropic PBC (USA) — language-model inference, on pseudonymised data only. Standard Contractual Clauses cover the transfer.
- Stripe Payments Europe Ltd. (Ireland) — payment infrastructure (zero charges during beta, but the account exists).
- Brevo (Sendinblue SA) (France) — transactional email (setup links, password resets, founder notifications).
- Signal Messenger LLC (USA) — messaging transport when you choose Signal as the channel. The Signal client is end-to-end encrypted; Canuplan operates one Signal account that you send messages to.
8. Retention
- Account + roster data: retained while your subscription is active, plus up to 30 days after cancellation so you can change your mind.
- Conversation transcripts: retained for the same period as account data.
- Audit/security logs: retained up to 90 days.
- Billing records (invoices, even €0 ones): retained for 10 years as required by Luxembourg law.
9. Your rights
Under GDPR you can ask us to: confirm what we hold on you, give you a copy, correct errors, delete data, restrict or object to processing, and port the data to another provider. Email hello@canuplan.com; we'll reply within 30 days. You also have the right to lodge a complaint with the Luxembourg supervisory authority (CNPD).
10. Security
Data is encrypted in transit (TLS) and at rest. Per-tenant Anthropic API keys are encrypted with AES-256-GCM at the platform level. Each tenant runs in its own container with its own database. We are honest about beta-grade limits: we have not been independently audited and won't claim certifications we don't hold.
11. Changes
If we change this notice in a way that materially affects your rights, we'll email you. The current version date is at the top.
12. Contact
Privacy-related questions: hello@canuplan.com.