Privacy Policy

Last updated: March 2026

1. Data Controller

canuplan is the data controller for personal data processed through this service. We are based in the European Union and fully comply with GDPR.

2. Data We Collect

  • Account data: Name, email, phone number, organization name
  • Billing data: Processed by Stripe; we do not store credit card numbers
  • Usage data: Shift schedules, employee names, and scheduling preferences
  • Technical data: IP address, browser type, access timestamps

3. How We Use Your Data

  • To provide and maintain the shift planning service
  • To process payments via Stripe
  • To send service-related notifications (e.g., shift updates via WhatsApp/Signal)
  • To improve the Service

4. Data Storage and Security

All data is stored on servers located in the European Union (OVHcloud, Germany). We use encryption at rest and in transit. Employee names are stored using privacy-preserving UUID mapping with AES-256-GCM encryption.

5. Third-Party Processors

  • Stripe: Payment processing (PCI DSS compliant)
  • OVHcloud: Infrastructure hosting (EU-based)
  • WhatsApp/Signal: Optional messaging for shift notifications

6. Your Rights

Under GDPR, you have the right to access, rectify, erase, restrict the processing of, and port your data. Contact us at hello@canuplan.com to exercise these rights.

7. Data Retention

We retain account data for the duration of your subscription plus 30 days after cancellation. Billing records are retained for 10 years as required by law.

8. Contact

For privacy-related inquiries: hello@canuplan.com