Privacy Policy | AI Helpdesk

1. Introduction

Hello Canopy Ltd ("Hello Canopy", "we", "our", "us") operates the AI Helpdesk service ("the Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including through our Slack application.

We are committed to protecting your privacy and handling your data in an open and transparent manner in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Data Controller

Hello Canopy Ltd is the data controller responsible for your personal data. Our contact details are:

Hello Canopy Ltd
Data Protection Officer
Email: privacy@hellocanopy.io
Website: hellocanopy.io

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

Email address
Password (stored in encrypted form)
Organisation name
Account creation and login timestamps

3.2 Document Content

When you upload HR policy documents, we store:

Document files (PDF, DOCX, TXT formats)
Extracted text content from documents
Document metadata (filename, upload date, file size, MIME type)

3.3 Slack Workspace Data

When you connect your Slack workspace to the Service, we collect and store:

Slack workspace/team ID
Bot OAuth access token (securely stored)
Workspace name

Important: We only access direct messages (DMs) sent specifically to our bot. We do not access or read any other messages, channels, or content in your Slack workspace.

3.4 Question and Answer Data

When employees interact with the bot via Slack, we collect:

Questions submitted to the bot
AI-generated answers provided
Slack user IDs (pseudonymised identifiers, not names or email addresses)
Timestamps of interactions
Feedback responses (thumbs up/down)

3.5 Technical Data

We automatically collect certain technical information:

IP addresses
Browser type and version
Device information
Error logs and diagnostic data

4. How We Use Your Information

We use the collected information for the following purposes:

Service Delivery: To process questions, generate AI answers from your uploaded documents, and deliver responses via Slack
Account Management: To create and manage your account, authenticate users, and provide customer support
Service Improvement: To analyse usage patterns, improve answer quality, and enhance the user experience
Analytics: To provide you with dashboard metrics such as questions answered, time saved, and feedback statistics
Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
Communications: To send service updates, security alerts, and support messages
Legal Compliance: To comply with applicable laws, regulations, and legal processes

5. Third-Party Service Providers

We share data with the following third-party service providers who assist us in operating the Service. Each provider is contractually obligated to protect your data and process it only for specified purposes.

5.1 Slack Technologies LLC

Purpose: Workplace messaging integration

Data Shared:

Bot messages and responses sent to users
Workspace connection tokens

Data Processing Location: United States

Privacy Policy: slack.com/trust/privacy

Slack is a Salesforce company and maintains comprehensive security certifications including SOC 2, ISO 27001, and GDPR compliance.

5.2 OpenAI, LLC

Purpose: AI-powered answer generation

Data Shared:

Question text submitted by employees
Relevant document content for context

Data Processing Location: United States

Privacy Policy: openai.com/policies/privacy-policy

We use OpenAI's API services. Per OpenAI's API data usage policy, data submitted via the API is not used to train their models. OpenAI retains API data for up to 30 days for abuse monitoring, after which it is deleted.

5.3 Supabase, Inc.

Purpose: Database hosting, user authentication, and file storage

Data Shared:

Account information and credentials
Organisation data
Uploaded documents and extracted content
Question and answer logs

Data Processing Location: European Union (AWS eu-west-2)

Privacy Policy: supabase.com/privacy

Supabase provides SOC 2 Type II certified infrastructure and implements encryption at rest and in transit.

5.4 Vercel Inc.

Purpose: Application hosting and content delivery

Data Shared:

HTTP request logs (IP addresses, user agents)
Application runtime data

Data Processing Location: Global CDN (edge locations worldwide)

Privacy Policy: vercel.com/legal/privacy-policy

Vercel is SOC 2 Type II compliant and implements enterprise-grade security measures.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
Adequacy decisions where applicable
Binding corporate rules of our service providers

You can request a copy of the safeguards we use for international transfers by contacting us.

7. Data Security

We implement industry-standard security measures to protect your data:

Encryption in Transit: All data is transmitted over HTTPS/TLS
Encryption at Rest: Sensitive data including passwords and API tokens are encrypted
Access Controls: Row-Level Security (RLS) ensures strict data isolation between organisations
Secure Authentication: Passwords are hashed using industry-standard algorithms
Webhook Verification: Slack webhooks are verified using HMAC signatures
Regular Updates: We apply security patches and updates promptly

Despite our efforts, no method of transmission or storage is completely secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.

8. Data Retention

We retain your information for the following periods:

Account Data: Retained while your account is active, plus 30 days after deletion request
Documents: Retained until you delete them or close your account
Questions and Answers: Retained for the lifetime of your account for analytics and audit purposes
Slack Tokens: Retained until you disconnect Slack or uninstall the app
Technical Logs: Retained for 90 days for security and debugging purposes

Upon account deletion or when you uninstall our Slack app, we will delete your data within 30 days, except where retention is required by law.

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of Access: Request a copy of the personal data we hold about you
Right to Rectification: Request correction of inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data ("right to be forgotten")
Right to Restrict Processing: Request limitation of how we process your data
Right to Data Portability: Receive your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, please contact us at privacy@hellocanopy.io. We will respond to your request within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk

10. Legal Basis for Processing

We process your personal data under the following legal bases:

Contract: Processing necessary to provide the Service you have subscribed to
Legitimate Interests: Processing necessary for our legitimate business interests (e.g., improving the Service, ensuring security), where those interests are not overridden by your rights
Consent: Where you have given explicit consent for specific processing activities
Legal Obligation: Processing necessary to comply with legal requirements

11. Slack Integration

This section provides additional information specific to our Slack application, as required by Slack's App Directory guidelines.

11.1 Data We Access

When you install our Slack app, we request the following permissions:

chat:write – To send AI-generated answers to users
im:read – To receive direct messages sent to our bot
im:write – To initiate direct message conversations

11.2 Data We Do NOT Access

We do not access, read, or store:

Messages in public or private channels
Messages between users (only DMs to our bot)
User profiles, names, or email addresses from Slack
Files shared in Slack
Your Slack workspace's message history

11.3 Disconnecting Slack

You can disconnect our Slack app at any time from your Slack workspace settings or from the AI Helpdesk dashboard. Upon disconnection, we will delete your Slack bot token and cease all communication with your workspace.

12. Cookies and Tracking

We use essential cookies to maintain your session and authentication state. These cookies are strictly necessary for the Service to function and cannot be disabled.

We do not use tracking cookies, advertising cookies, or third-party analytics that track you across websites.

13. Children's Privacy

The Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately at privacy@hellocanopy.io.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service at least 30 days before the changes take effect.

The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

Hello Canopy Ltd
Data Protection Officer
Email: privacy@hellocanopy.io
Website: hellocanopy.io