Privacy Policy

Canopy is built to know as little about you as possible. You sign in with a Solana wallet — we do not ask for your name, email, or password to create an account, and we never sell data or send marketing. This policy explains what we do and don't collect.

1. What we collect

• Wallet identity (hashed). When you sign in or are added as a tester, we store a one-way SHA-256 hash of your wallet address — not the address in plaintext — to identify you across the Service. Your public address is, by nature, visible on-chain.
• Analytics events.If a developer integrates the Canopy SDK, their app sends usage events keyed to the hashed wallet, plus on-chain signals the developer chooses to capture (e.g. Seeker device flag, token-tier bucket). These belong to the developer for their app's analytics.
• Beta builds. Publishers upload APK binaries, which we store privately and scan for malware. Binaries are deleted after the build expires or is revoked.
• Team-invite email (optional). The only time we handle an email address is when an organization owner invites a teammate by email. It is used solely to deliver that invitation.

2. What we do not collect

No account email or password. No plaintext wallet addresses in our database. No advertising identifiers. No marketing or behavioural-ad profiles. We do not track you across other sites.

3. Optional notifications (no contact data stored)

You may optionally enable notifications (e.g. when a build finishes scanning). These are delivered through a privacy-preserving provider that resolves your wallet to your own encrypted contact details — neither Canopy nor the provider stores your email or phone number, and you can revoke this at any time. Notifications are off unless you turn them on.

4. On-chain audit records

To deter abuse, we write fingerprint records (hashes and timestamps) to a permanent public ledger (Arweave). These records contain no personal data — no wallet addresses, no emails, no build contents — only one-way hashes. Because the ledger is immutable, these records cannot be deleted.

5. Service providers

We rely on infrastructure providers to operate the Service, including a managed database and authentication host, object storage for APK binaries, a Solana RPC/data provider, a malware-scanning service, a permanent-storage network for audit records, and (if you enable it) a notifications provider. Each receives only the data needed for its function.

6. Data retention

Analytics data is retained according to your plan (30 to 365 days). APK binaries are deleted after build expiry or revocation. Hashed identifiers and records needed for security and audit are retained as long as necessary. Immutable on-chain audit hashes are permanent by design.

7. Your choices

You can disconnect your wallet at any time, decline to integrate the SDK, and leave notifications off. To request deletion of data we hold about you where we are able to do so (on-chain hashes excepted), contact us via the channel on our site.

8. Security

Wallet download links are signed, wallet-bound, and short-lived; build storage is private; and access is gated by wallet signatures. No system is perfectly secure, but we design to minimise the data at risk.

9. Children

The Service is intended for developers and is not directed at children.

10. Changes & contact

We may update this policy; the "Last updated" date reflects the latest version. Questions? Reach the Canopy team via the contact channel on our site. Canopy is an independent product and is not affiliated with Solana Mobile or any wallet provider.