Privacy Policy

Version 2.0 · Last updated: April 2026 · Applies to canvos.eu and app.canvos.eu

Summary: Canvos fully respects your privacy. We never sell your data. We do not share your data with third parties for commercial purposes. All data is stored on European servers and processed in accordance with the GDPR. You have full control over your own data.

1. Who are we?

Canvos is a European technology company offering a sovereign digital workspace for European SMEs and organisations. We are active throughout Europe and committed to privacy by design and data minimisation.

Data controller contact details:
Canvos
Email: privacy@canvos.eu
Website: canvos.eu

2. Applicable law

This privacy policy has been drawn up in accordance with:

GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
ePrivacy Directive — Directive 2002/58/EC (revised by 2009/136/EC), concerning privacy in electronic communications.
National implementation legislation in EU Member States where we are active.

Canvos targets the entire European market. Customers in Belgium, the Netherlands, Germany, France, Spain, Italy and all other EU Member States enjoy the same high standard of protection.

3. What personal data do we process?

3.1 Data you provide yourself

Name and first name
Email address and phone number
Company name and job title
Messages via the contact form or demo request
Payment details (processed via our payment provider — not stored by Canvos)

3.2 Data collected automatically

IP address (anonymised after processing)
Browser and device type (for technical compatibility)
Pages visited and time of visit (via functional server logs)
Browser language setting

We do not use tracking pixels, Google Analytics, Facebook Pixel or any other third-party tracking services.

3.3 Data from platform users (customers)

When you use the Canvos platform (app.canvos.eu), we process the data you enter as part of our service delivery: emails, files, calendar items and contacts. We act as processor (GDPR Art. 4(8)) — you as a customer are the data controller for your end users' data. A Data Processing Agreement (DPA) is available on request via privacy@canvos.eu.

4. Purposes and legal bases

Purpose	Legal basis (GDPR Art. 6)	Retention period
Responding to demo requests and contact forms	Legitimate interest (Art. 6.1.f)	2 years
Performance of the agreement (subscription, billing)	Contractual necessity (Art. 6.1.b)	Duration of contract + 7 years (legal retention obligation)
Technical logging and security monitoring	Legitimate interest (Art. 6.1.f)	90 days
Functional emails (confirmations, system notifications)	Contractual necessity (Art. 6.1.b)	Duration of contract
Newsletter and commercial communication	Consent (Art. 6.1.a)	Until withdrawal of consent
Legal obligations (accounting, tax)	Legal obligation (Art. 6.1.c)	7 years

5. Sharing data with third parties

Canvos never sells your personal data. We only share data in the following limited cases:

Hosting provider: Our servers are hosted by a European hosting provider. A DPA is in force pursuant to GDPR Art. 28.
Payment processor: Payment transactions are processed by a certified PCI-DSS payment provider based in the EU. We do not receive full card details.
Legal obligation: If a competent European or national authority requests data on legal grounds, we only provide what is strictly legally required.

Transfer outside the EU/EEA: Canvos does not transfer personal data to countries outside the European Economic Area. All sub-processors are established in the EU.

6. Your rights as a data subject

Under the GDPR, you have the following rights, which you can exercise free of charge by writing to privacy@canvos.eu:

Right of access (Art. 15): Request which personal data we process about you and receive a copy.
Right to rectification (Art. 16): Have inaccurate or incomplete data corrected.
Right to erasure — "right to be forgotten" (Art. 17): Deletion of your data, unless legal retention obligations apply.
Right to restriction of processing (Art. 18): Temporary halt on the processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON/CSV) to transfer to another provider.
Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes.
Right to withdraw consent (Art. 7.3): Withdraw previously given consent at any time without consequences for previous processing.

We respond to requests within 30 days (GDPR Art. 12).

7. Security of personal data

Canvos takes appropriate technical and organisational measures to protect your personal data (GDPR Art. 32):

All connections are encrypted via TLS 1.2 or higher (HTTPS)
Personal data is stored encrypted (AES-256)
Access to production environments is limited to authorised personnel via multi-factor verification (MFA)
Regular security audits and vulnerability scanning
Full separation of customer data per tenant
Daily encrypted backups at a geographically separate location
Access logging and anomaly detection

8. Data breaches

In the event of a data breach that poses a risk to your rights and freedoms, we inform the competent supervisory authority within 72 hours (GDPR Art. 33). If the breach poses a high risk to data subjects, we also inform you directly (GDPR Art. 34).

9. Cookies

We only use functional cookies that are strictly necessary for the operation of the website. We do not place tracking cookies, advertising cookies or third-party cookies. See our cookie policy for a complete overview.

10. Minors

Canvos is not aimed at persons under 18 years of age. We do not knowingly collect personal data from minors.

11. Complaints with the supervisory authority

If you believe we are not processing your personal data correctly, you can file a complaint with the competent national supervisory authority in your country:

Belgium: Data Protection Authority (GBA) — gegevensbeschermingsautoriteit.be
Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
France: CNIL — cnil.fr
Other EU Member States: See the full member list at edpb.europa.eu

12. Changes to this policy

We reserve the right to amend this privacy policy. Material changes are communicated proactively via email to active customers at least 30 days before taking effect.

13. Contact

For questions, requests or comments regarding the processing of your personal data:

privacy@canvos.eu
canvos.eu