Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains what 8starlabs ("Canopy", "we", "us") collects when you use canopy.8starlabs.com, why we collect it, and the choices you have. For the security controls behind this, see the Security docs.
1. What we collect
Account. Your email address, display name (optional), and avatar URL. If you sign in via a provider (e.g. GitHub through Supabase Auth), we receive what that provider shares - typically your email and display name. We never store your password; authentication is handled by Supabase.
Workspace and maps. The workspaces, maps, nodes, edges, spend figures, operational metadata, and other content you create or import ("Your Content"), plus workspace settings, member roles, and seat counts.
Billing. Your Stripe customer ID, subscription ID, subscription status, and seat count. We do not store card details - those are handled by Stripe under PCI-DSS.
Marketplace. If you sell templates, your Stripe Connect account ID and payout status are stored (Stripe handles the actual identity/KYC and bank details). If you buy a template, we record the purchase - a licence row linking your account to the source map - and a unique watermark is embedded in any clones to trace unauthorised redistribution.
GitHub import. When you authorise the GitHub App, we transiently read specific files from your repository (dependency manifests, lock files) to generate a map. We do not store your source code, commit history, or GitHub tokens after the import completes.
Canopy AI. When you use Canopy AI, your prompts and map context are sent to our AI provider. We log the request (prompt, output, timestamp, account ID) for rate-limiting and abuse prevention. AI request logs are deleted after 90 days.
Usage and diagnostics. Information about features used, pages visited, API requests, and error events. Used to understand what is working and to improve the service.
Communications. If you email us or submit in-app feedback, we retain those communications and your contact details to respond and improve the product. Feedback submitted via the in-app tool is also posted as a summary to a private internal Slack channel for triage.
2. How we use it
- To create and manage your account, workspaces, and sessions.
- To render maps, run Canopy AI generation, process payments, and deliver invite and transactional emails.
- To manage your subscription - detecting seat changes, syncing billing with Stripe, enforcing plan limits and rate limits.
- To send transactional emails: account creation, magic links, workspace invitations, payment receipts, failed-payment notices, and dormancy warning and suspension notices.
- To send product announcements and updates. You may opt out of non-transactional emails at any time.
- To investigate and resolve disputes, enforce our Terms, and comply with legal obligations.
- To improve and develop the service using aggregated, de-identified usage data.
We do not sell your personal data or Your Content.
3. Who we share it with
We share data only with the processors needed to run Canopy, each under appropriate data-processing agreements. Here is exactly what each provider receives:
We may also disclose data if required by law, court order, or governmental authority, or to protect the safety of our users or the public.
Public content. If you publish a map as public or list a template for sale, the map's metadata (name, description, node graph, author workspace) is visible to all visitors. You can make any map private at any time.
Business transfers. If 8starlabs is acquired or merges with another company, your information may transfer as part of that transaction, and the successor's privacy practices may differ from this policy. We are not obliged to give you advance notice of such a transfer.
4. How it's protected
Every row in the database is isolated by workspace using Postgres Row-Level Security - you can only read and write your own data. All traffic is encrypted in transit (TLS) and at rest. Stripe handles PCI-DSS compliance for card data. API keys and secrets are stored as encrypted environment variables, never in code.
Despite these measures, no system is fully secure. If you discover a vulnerability, please disclose it responsibly to hello@8starlabs.com before publishing.
5. Cookies and local storage
We use session cookies (set by Supabase Auth) to keep you logged in. These expire when your session ends or at token refresh intervals. We store display currency preferences and active workspace selection in your browser's localStorage - this data stays on your device and is not sent to our servers. We do not use third-party advertising or cross-site tracking cookies.
6. Data retention
When a map with active buyer entitlements is deleted, it is archived (not destroyed) - buyers retain read access to the frozen version. See the Terms for details.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access - request a copy of the personal data we hold about you.
- Rectification - correct inaccurate data.
- Erasure - delete your account from account settings ("Delete account"); this immediately and permanently deletes your account, owned workspaces, and maps, with no grace period and no way to recover them (maps others have purchased from you are archived so buyers keep access). For specific data removal short of full deletion, email us.
- Portability - export your maps as JSON, Markdown, PNG, CLAUDE.md, or AGENTS.md at any time from the editor.
- Objection or restriction - object to certain processing or request we limit how we use your data.
- Withdraw consent - for any processing based on consent (e.g. marketing emails), withdraw at any time.
To exercise any of these rights, email hello@8starlabs.com. We will respond within 30 days.
8. International data transfers
Our infrastructure operates across Supabase's EU and US regions and Cloudflare's global network. By using Canopy, you acknowledge your data may be processed outside your country. Where required by law (e.g. EEA transfers), we rely on appropriate safeguards such as Standard Contractual Clauses.
9. Children's privacy
Canopy is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided data, contact hello@8starlabs.com and we will delete it promptly.
10. Changes to this policy
We may update this policy at any time, at our sole discretion. Changes take effect immediately when we post the revised policy - the Last updated date at the top reflects the most recent version, and no advance notice is required. We may, but are not obliged to, additionally notify you of material changes by email or in-app notice. Your continued use of Canopy after an update constitutes acceptance; please review this page periodically.
11. Contact
Privacy questions or rights requests? Email hello@8starlabs.com or visit support.