Canopy

Privacy Policy

Last updated: May 2, 2026

This Privacy Policy explains how Dusk Labs, Inc., doing business as Canopy (“Canopy”, “we”, “us”), collects, uses, shares, and protects information when you use our website at trycanopy.ai, our dashboard, our hosted MCP server, our software development kits, and related services (collectively, the “Service”).

1. Who we are and how to contact us

Canopy is operated by Dusk Labs, Inc. For privacy questions or to exercise your rights, contact us at privacy@trycanopy.ai.

2. Scope

This Policy covers information we process about people who interact with the Service. Canopy is a business-to-business product. We do not knowingly collect personal information from individuals under 18, and the Service is not intended for personal, family, or household use. If you provide information about employees, teammates, or other individuals when configuring your account, you are responsible for ensuring you have the necessary basis to do so.

3. Information we collect

Account information you provide. When you sign up or configure your workspace, we collect your work email address, name, profile image (if you provide one), and organization details such as the workspace name. If you subscribe to a paid plan, billing information is collected and processed by our payments provider on our behalf; we receive limited details such as plan, status, and the last few digits of your payment method, not full card numbers.

Service usage. We collect data you generate while using the Service, including the policies you configure, the agents you create, your API keys (stored as cryptographic hashes, not in plaintext), and a record of each transaction your agents attempt. Transaction records include the recipient address or service, the amount, the policy decision (allowed, pending approval, or denied) and reason, the requesting agent, the chain identifier, the on-chain transaction hash where applicable, timestamps, and metadata about the calling environment (such as the SDK identifier and an approximate country derived from the network address).

Technical data. Like most online services, we receive log data when you interact with the Service, including IP address, browser and device information, pages and features used, and timestamps.

Cookies and similar technologies. We use cookies and similar technologies for authentication, to remember your preferences, and to measure how the Service is used. We do not use advertising cookies and we do not allow third parties to use the Service to build advertising profiles about you.

4. How we use information

We use the information we collect to:

  • Provide, operate, and secure the Service.
  • Evaluate your policies and execute payments your agents have authorized.
  • Authenticate users and protect against fraud and abuse.
  • Bill you (if and when fees apply).
  • Provide support and respond to your requests.
  • Monitor, troubleshoot, and improve the Service, including by analyzing aggregated and anonymized usage trends.
  • Communicate with you about service updates and security issues.
  • Comply with our legal obligations and enforce our Terms.

We do not sell your personal information, and we do not use your data, your agents’ data, or your customers’ data to train AI or machine-learning models.

5. Legal bases (where required)

For users where data-protection law requires us to identify a legal basis, we rely on: (a) performance of our contract with you; (b) legitimate interests in operating, securing, and improving the Service; (c) compliance with legal obligations; and (d) your consent where applicable. The Service is operated from the United States and is not currently directed to users in the European Economic Area or the United Kingdom; if we expand to those regions, we will update this Policy accordingly.

6. How we share information

We share information only as follows:

  • Service providers acting on our behalf. We use third-party providers to operate the Service. These categories include cloud hosting and database providers, identity and authentication providers, wallet infrastructure providers that custody treasury keys and sign transactions, payments and billing providers, product analytics providers, customer-communications providers, blockchain RPC providers, and on/off-ramp providers. Each of these providers is contractually required to use your information only to provide their services to us.
  • Legal requirements. We may share information when required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Canopy, our customers, or the public.
  • Business transactions. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to continued protection consistent with this Policy.
  • With your direction. We share information at your request or with your consent, for example when you connect your account to a third-party host or integration.

7. On-chain data

Transactions your agents initiate are written to public blockchains. On-chain data is permanent, public, and outside our control. The treasury address associated with your organization is identifiable as belonging to your organization on Canopy. Be thoughtful about what you and your agents send on-chain.

8. Data retention

We retain account and configuration data for as long as your account is active and for a reasonable period afterwards for backup, accounting, legal, and audit purposes. Transaction logs are retained as part of our books and records for the life of the account and afterwards as required by law. Aggregated or anonymized data may be retained for longer to help us understand and improve the Service. On-chain data is permanent and cannot be deleted by us.

9. Security

We use industry-standard safeguards to protect information, including encryption in transit and at rest, row-level access controls, least-privilege handling of secrets, and storage of API keys as cryptographic hashes rather than in plaintext. No system is perfectly secure, however, and we cannot guarantee the security of information transmitted to or stored on the Service. If you believe you have discovered a security issue, please contact security@trycanopy.ai.

10. Your rights and choices

You can access, correct, or export much of your account data from the dashboard, including by revoking API keys, pausing or archiving agents, and deleting your workspace. You can also email privacy@trycanopy.ai to request access to, correction of, or deletion of personal information we hold about you. We will respond consistent with applicable law. Note that deletion does not remove records that have already been written to a public blockchain, and we may retain information when needed to comply with our legal obligations or to resolve disputes.

11. International transfers

The Service is operated from the United States. By using the Service, you understand that your information will be processed in the United States, which may have data-protection rules different from those in your country.

12. Children

The Service is for businesses and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us so we can remove it.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy on this page and update the “Last updated” date. If a change is material, we will provide additional notice in the product or by email.

14. Contact

For any questions about this Policy or about how we handle your information, please email privacy@trycanopy.ai.