Privacy Policy
Effective Date: 2026-05-07
Introduction
Canero ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our anonymous employee feedback platform.
Information We Collect
Information You Provide
- Account Information: Email address used for authentication
- Feedback Content: Anonymous feedback you submit through conversations
- Organization Data: Company name and settings (for administrators)
Automatically Collected Information
- Usage Data: How you interact with our platform
- Device Information: Browser type, operating system
- Log Data: IP addresses, access times, pages viewed
How We Protect Your Anonymity
- Identity Separation: Your feedback is never linked to your identity
- Fresh Conversations: Each session starts clean with no history
- Privacy Thresholds: Reports only generate with sufficient participation
- No Tracking: We don't use tracking cookies or analytics that could identify you
How We Use Your Information
- Provide and maintain our service
- Generate aggregated, anonymous reports for organizations
- Improve our platform and user experience
- Communicate service updates and changes
AI and Data Processing
We use artificial intelligence to assist in analyzing feedback and generating reports. Our AI integrations include the following protections:
- No Training on Your Data: Your feedback data is never used to train third-party AI models. We have explicit agreements with our AI providers that prohibit the use of your data for model training or improvement.
- Zero Data Retention: We enforce zero data retention (ZDR) agreements with our AI providers. Your data is immediately and permanently deleted from AI provider systems after each request is processed.
- PII Protection: All messages are automatically scrubbed for personally identifiable information before being stored or sent to AI systems. Our scrubbing pipeline detects and redacts structured identifiers including email addresses, phone numbers, IP addresses, payment card numbers, names, locations, government identifiers (including US Social Security Numbers and passport numbers), international bank account numbers (IBAN), medical record numbers (MRN), medication and dosage patterns, ICD-10 diagnostic codes, and other structured identifiers. Users should avoid entering detailed clinical prose, as NLP-based scrubbing covers structured identifiers rather than free-form clinical descriptions.
- Wellbeing Classification: Messages are evaluated by OpenAI's Moderation API to detect content that may indicate safety concerns. This classification uses zero-data-retention APIs; no message content is retained by OpenAI for this purpose.
- Provider Compliance: Our AI providers (including OpenAI and Anthropic) maintain SOC 2 compliance and enterprise-grade security standards.
Data Sharing
We do not sell your personal information. We may share data:
- With your organization (aggregated reports only)
- With service providers who assist our operations (see Subprocessors section)
- When required by law or to protect rights
Subprocessors
The following third parties process data on our behalf to operate the platform. Each subprocessor is bound by data processing agreements that prohibit use of your data for their own purposes.
| Subprocessor | Purpose | Data processed |
|---|---|---|
| Vercel | Application hosting and edge functions | All platform traffic |
| Neon | PostgreSQL database | All stored data |
| Inngest | Background job processing | Job metadata (no message content in transit) |
| Clerk | Authentication and identity | Account credentials, session tokens |
| Stripe | Payment processing | Billing information (administrator accounts only) |
| Arcjet | Rate limiting and structured PII pre-redaction | Message text (processed in-process, not transmitted) |
| OpenAI (via Vercel AI Gateway) | AI feedback analysis and report generation | Scrubbed message content; zero data retention |
| Anthropic (via Vercel AI Gateway) | AI feedback analysis (fallback) | Scrubbed message content; zero data retention |
| Vercel AI Gateway | AI provider routing | Scrubbed message content; zero data retention |
| OpenAI Moderations API | Wellbeing classification | Message text; zero data retention; free endpoint |
| Microsoft Presidio (self-hosted on Fly.io) | NLP-grade PII detection and anonymization | Message text; processed in our infrastructure; not transmitted to third parties |
| Sentry | Error tracking and performance monitoring | Error logs, stack traces (PII-redacted before transmission) |
| Fly.io | ML sidecar infrastructure (Presidio + injection detection) | Message text; processed in our infrastructure |
This subprocessor list is updated when we add or remove data processors. Customers with enterprise DPA requirements may request notification of subprocessor changes.
Data Retention
- Feedback Data: Retained for analysis period, then anonymized
- Account Data: Retained while account is active
- Aggregated Reports: Retained per organization settings
Your Rights
You have the right to:
- Access your personal information
- Request deletion of your data
- Opt-out of certain data uses
- Data portability
Security
We implement industry-standard security measures including encryption, access controls, and regular security audits.
Contact Us
For privacy concerns or questions:
- Email: [email protected]
Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or platform notification.