Privacy Policy

This Privacy Policy applies to Canny Technologies("we", "us", "our"), a software development company incorporated in India, operating globally. Our services include AI automation, custom software development, SaaS product development, and related consulting.

This policy applies to all personal data processed through our website at cannytechnology.com, our client portals, and any other services we provide. By using our website or services, you acknowledge you have read and understood this policy.

We act as a Data Controller for personal data collected via our website and marketing activities. For data processed on behalf of clients while delivering software services, we act as a Data Processor.

We use collected data to:

• Respond to your enquiries and provide quotations
• Deliver software development and consulting services
• Send project updates, invoices, and service communications
• Improve our website, services, and marketing (with your consent)
• Send occasional newsletters or case studies (opt-in only)
• Comply with legal and regulatory obligations
• Prevent fraud and ensure website security (legitimate interest)
• Conduct client satisfaction surveys (legitimate interest)

We do not sell, rent, or trade your personal data to third parties for commercial purposes.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal basis for processing your personal data is as follows:

We use cookies and similar technologies to operate our website and understand how visitors use it. For full details, please read our Cookie Policy.

You can manage or withdraw your cookie consent at any time via our cookie preference centre, or by adjusting your browser settings.

We share data with the following categories of third parties, each under appropriate data processing agreements:

• Google Analytics 4: Website analytics. Data anonymised and processed in the EU where possible.
• Resend / Postmark: Transactional email delivery.
• Notion / Linear: Project management (client project data only, under NDA).
• AWS / Google Cloud / Azure: Cloud infrastructure for hosted client solutions.
• Stripe / Razorpay: Payment processing. We do not store card details.
• LinkedIn:Professional network and advertising. Governed by LinkedIn's own privacy policy.

We require all third-party processors to maintain appropriate security measures and to process data only on our documented instructions.

As an India-based company serving global clients, your data may be transferred to and processed in countries outside your own. Where transfers occur from the EEA or UK to countries without an adequacy decision, we implement appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreements (IDTAs)
• Binding Corporate Rules where applicable with sub-processors

You may request a copy of the safeguards we have in place by contacting us at [email protected].

We retain personal data only for as long as necessary for the purposes outlined in this policy or as required by law:

After retention periods expire, data is securely deleted or anonymised.

If you are in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity before processing certain requests.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: Request deletion of personal information, subject to certain exceptions.
• Right to Opt-Out: We do not sell personal information. If this changes, you will be notified and given a clear opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights.
• Right to Correct: Request correction of inaccurate personal information.

To submit a verifiable consumer request, email [email protected] with the subject line "CCPA Request".

Our website and services are not directed to children under 16 years of age, and we do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.

We implement appropriate technical and organisational security measures to protect your personal data, including:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Access controls — data accessible only to authorised personnel on a need-to-know basis
• Regular security audits and penetration testing
• Staff data protection training
• Incident response plan — we will notify affected individuals and relevant supervisory authorities within 72 hours of a confirmed breach where required by law

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated by:

• Updating the "Last updated" date at the top
• Displaying a notice on our website for 30 days after significant changes
• Email notification to subscribers where changes materially affect their rights

Continued use of our website after changes are posted constitutes acceptance of the revised policy. We recommend reviewing this page periodically.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

If you are unhappy with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, please contact your national supervisory authority.