Privacy policy

Last updated: 2026-05-23

This page explains what CanUp collects when you visit the marketing site, when you create an account, and when your apps run on top of our infrastructure. The plain-English version: we collect the minimum we need to run the product, we do not sell data, and we give you tools to see and delete what we have on you.

Who we are

CanUp is operated by SparkNCraft. You can reach us at [email protected] for any privacy question, data subject request, or to report a concern. We are the data controller for the information described below.

What we collect

Account information. When you sign up, we store your email address, display name, and a hashed password (or the OAuth identifier returned by GitHub / Google / GitLab if you use social sign-in). We never see your social-provider password.

App and billing data. Anything you create inside CanUp — apps, action source code, plans, secrets (encrypted at rest with AWS KMS), API keys (stored hashed) — is stored in our database so the product can function. Stripe customer IDs and subscription metadata are stored so we can map your account to a Stripe customer; the actual card details never touch our servers.

Analytics. If you accept analytics from the banner, we record pageviews, clicks, browser / OS / device, screen size, approximate location derived from IP (country, region, city), referrer and UTM parameters, performance metrics, and uncaught client errors. We also record DOM-level session replays so we can debug UI issues. Passwords, billing fields, and anything tagged with .ph-no-capture are masked. If you decline analytics, none of this is collected.

Operational logs. Our servers keep request logs (IP, user agent, route, status, latency) for a short retention window for security, abuse prevention, and debugging.

Why we collect it (legal basis)

Account, app, and billing data are processed under contract performance (GDPR Art. 6(1)(b)) — we need them to deliver the service you signed up for. Analytics and session replay are processed under your consent (Art. 6(1)(a)), revocable at any time. Security logs, fraud prevention, and error tracking are processed under our legitimate interest in keeping the service available and safe (Art. 6(1)(f)).

Who we share data with

We use a small number of trusted sub-processors to operate the service. We do not sell data to anyone, and we do not share it for advertising purposes.

  • PostHog — product analytics, session replay, and error tracking. Our PostHog project lives on PostHog Cloud (US region).
  • Stripe — payment processing for subscriptions. Card data is collected and stored directly by Stripe under PCI-DSS.
  • Amazon Web Services — hosting, compute (Lambda), storage, and the encryption key service (KMS) we use to protect secrets at rest.
  • Neon — managed Postgres for the main application database.
  • Resend — transactional email (sign-up verification, password reset, billing notifications).
  • Cloudflare Turnstile — bot protection on the sign-up and login forms.
  • Canva — when an end-user opens a CanUp-powered app inside Canva, Canva passes us a brand identifier and a Canva user identifier so we can attribute usage. Canva does not see your CanUp account.

Cookies and similar technologies

We set a session cookie (__Host-canup_session, HttpOnly, Secure, SameSite=Lax) when you sign in. It identifies your authenticated session and nothing else. If you accept analytics, PostHog stores an anonymous identifier in localStorage and a cookie scoped to the canup.link domain.

How long we keep data

Account, app, and billing data are kept while your account is active and deleted shortly after you close it, except for records we are required to retain by law (tax invoices in particular). Analytics events are retained for 365 days; session recordings for 30 days. Operational logs are retained for 90 days.

Your rights

You can access, correct, export, or delete your data at any time from the account settings page, or by emailing [email protected]. EU/UK users additionally have the right to object to processing, restrict processing, and lodge a complaint with their supervisory authority. We will not retaliate against you for exercising any of these rights.

International transfers

Several of our sub-processors are based in the United States. Transfers of personal data outside the EEA / UK rely on the Standard Contractual Clauses adopted by the European Commission, along with the additional safeguards the relevant sub-processor provides under their own data processing agreements.

Children

CanUp is built for adult software developers and is not directed at children under 16. We do not knowingly collect personal data from anyone in that age range. If you believe a child has provided us with data, please contact us and we will delete it.

Changes to this policy

When we make material changes we will update the "Last updated" date above and, for material changes that affect you, notify you by email or in-product. Continued use of CanUp after a change takes effect means you accept the revised policy.

Update your analytics consent

You can change your mind about analytics at any time. The button below clears your stored choice and shows the consent banner again on the next page load.