Privacy & Security

Privacy is foundational, not bolted on

Canero was designed with privacy as a first-class property - not a checkbox. Every architectural decision is made to ensure employees can share honestly without risk.

Privacy Model Security

90days

Automatic conversation purge

10+conversations

Before any report generates

5checks

Evaluated per report

0raw messages

Ever visible to leaders

Layers of protection

Privacy in Canero is a system of independent layers - each one a barrier, together they're comprehensive.

Identity Isolation

Your identity is architecturally separated from your feedback - never joined back.

PII Scrubbing

Names, emails, and identifiers are removed before storage and before AI processing.

Privacy Screening

Reports are withheld when participation is too low or patterns could identify individuals.

Aggregated Output Only

Leaders see scores, themes, and trends - never individual conversations.

Explore the details

Each aspect of Canero's privacy design has its own deep-dive page.

Privacy Model

How identity isolation, k-anonymity, and threshold screening work together.

Data Flow & Isolation

The architectural path from conversation to analytics - with identity never crossing.

Security Architecture

Encryption, access control, audit logging, and infrastructure security.

AI & data handling

How Canero uses AI responsibly - with privacy controls at every step.

PII scrubbing before AI

Conversation content passes through PII detection before being sent for AI analysis. Names, emails, phone numbers, and identifiers are removed. The pipeline is fail-closed - if scrubbing is unavailable, analysis stops.

Zero data retention with AI providers

Canero operates under zero-data-retention agreements with all AI providers. Your conversations are processed for analysis only - they are never stored by the AI provider or used to train models.

Fail-closed behavior

If any component in the privacy pipeline becomes unavailable, the system fails closed - no data flows through rather than failing open. Privacy degradation is never acceptable.

Data retention & purging

Canero applies a strict data lifecycle - raw conversations don't persist indefinitely.

90-day automatic purge

Raw conversation data is automatically purged after 90 days. Aggregated analytics derived from those conversations may be retained longer, but the source material that could identify patterns is gone.

GDPR erasure support

Canero supports right-to-erasure requests. Employees can request full deletion of their data, including conversations that haven't yet been purged automatically.

Pre-submission deletion

Employees can delete an open conversation at any point before closing it. Until submitted, nothing is retained. There is no draft that persists without consent.

Clear data lifecycle

Raw conversations are automatically purged after 90 days. Organizations retain full control over their data within this lifecycle.

Have specific privacy questions?

Our trust FAQ addresses common enterprise privacy questions. Or book a demo to discuss your specific requirements.

Trust FAQ Book a Demo