Legal

Privacy Policy

Last updated: May 2, 2026

1. Who we are

This Privacy Policy describes how Paper Scissors SRL ("we", "us") collects, uses, and protects personal data in connection with our software products and the websites canopyapp.dev and trycanopy.app.

Paper Scissors SRL is the data controller for the personal data described in this policy.

  • Registered office: Paper Scissors SRL
    Str. Pavel Roșca nr. 4, ap. 28
    400118 Cluj-Napoca
    Romania
  • Trade Registry no.: 54508823
  • Privacy contact: support@canopyapp.dev

2. What personal data we collect

(a) Account & purchase data

  • Email address (used as your customer identifier)
  • Name (if provided at checkout)
  • License Key (issued by us)
  • Country (for tax purposes; provided to us by Paddle)
  • Order metadata (transaction ID, order date, amount; provided to us by Paddle)

(b) Payment data

We do not collect or store payment card details. Payment processing is handled exclusively by our merchant of record, Paddle, which collects and stores payment information directly under its own privacy notice.

(c) Activation & usage data

  • A machine identifier (machine_id), derived from your hardware
  • A friendly machine name (e.g. "Tom's MacBook Pro") for display in the licensing dashboard
  • The version of the Software installed
  • The version of macOS in use
  • Timestamps of license validation requests

(d) Support data

  • Information you voluntarily provide when contacting support (messages, screenshots, attached files)

(e) Website analytics

We use Umami for anonymous, privacy-respecting website analytics. No cookies are set by the analytics provider, and no personally identifying information is collected from visitors. The script loads only after you provide consent.

3. Why we collect this data and our legal basis

Under the EU General Data Protection Regulation (GDPR):

  • Account & purchase data — processed to perform our contract with you (Article 6(1)(b))
  • Activation & usage data — processed to perform our contract with you and to protect against license abuse (legitimate interests, Article 6(1)(f))
  • Support data — processed to perform our contract with you (Article 6(1)(b))
  • Website analytics — processed based on your consent (Article 6(1)(a)) where required, or our legitimate interest in understanding aggregate traffic (Article 6(1)(f)) where the analytics are fully cookieless and non-identifying

4. Who we share your data with

We share data only with the following categories of recipients, each of whom is bound by appropriate data protection terms:

  • Paddle — our merchant of record, which acts as data controller for payment data and as data processor for some order data we receive from them. See Paddle's Privacy Notice at https://www.paddle.com/legal/privacy.
  • Email service provider (Resend) — to deliver transactional email such as license keys, support replies, and refund confirmations
  • Hosting provider (Digitalocean) — for our website and licensing API
  • Accounting service (startco.ro, Romania) — for tax and accounting compliance under Romanian law
  • Government authorities — where required by law (tax filings, lawful requests)

We do not sell your personal data and we do not use it for advertising.

5. International transfers

Where personal data is transferred outside the European Economic Area, we use Standard Contractual Clauses or other safeguards approved under Article 46 GDPR.

6. How long we keep your data

  • Account & purchase data — for as long as your license is active, plus the period required by Romanian accounting and tax law (typically 5-10 years from the end of the financial year)
  • Activation & usage data — deleted within 90 days of license revocation or deactivation
  • Support data — 3 years after case closure, then deleted
  • Website analytics — aggregated indefinitely; raw visit data retained for 12 months

7. Your rights under GDPR

If you are in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased (subject to legal retention obligations)
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with a supervisory authority — in Romania, this is ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), https://www.dataprotection.ro

To exercise these rights, contact support@canopyapp.dev

8. Cookies

The website uses only essential session cookies required for basic functionality (e.g. CSRF protection). If you consent to analytics, we load Umami's cookieless tracking script to measure aggregate usage. We do not set advertising cookies.

9. Children

Our software is not intended for use by children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Security

We use technical and organizational measures appropriate to the risk, including:

  • Encrypted transport (HTTPS) for all web traffic and API calls
  • Encrypted storage of license keys and authentication tokens at rest
  • Restricted, audited access to production systems
  • Regular review of dependencies and security advisories

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated by email to active customers.

12. Contact

For privacy questions or to exercise your rights:

Email: support@canopyapp.dev
Post: Paper Scissors SRL, Cluj-Napoca, Str. Pavel Roșca, nr. 4, ap. 28, cod poștal 400118, România, Romania