Legal
Privacy Policy
We respect your privacy and are committed to protecting your personal data.
Legal
We respect your privacy and are committed to protecting your personal data.
Last updated: 22 June 2026
This Privacy Policy describes how Rhizo ("we", "us", "our") collects, uses, and protects personal data in connection with:
This policy is written to comply with the Australian Privacy Act 1988 (Privacy Act) and, for individuals in the European Economic Area (EEA) and United Kingdom, with the General Data Protection Regulation (GDPR).
Questions or requests regarding your personal data should be directed to: [email protected]
When you create an account on rhizo-tech.org, Clerk (our authentication provider) collects your email address, display name, and — if you use a social sign-in — the identifier from that provider. We receive a Clerk user ID and your email address from Clerk to associate your account with the Canopy instance we provision for you.
When you provision a Canopy instance we record your Clerk user ID, owner email address, your chosen instance slug (subdomain), the region you selected, and timestamps for provisioning events.
When you submit the contact form on the Company page, we collect your name, email address, organisation name, and the message you write. This information is sent to us via Resend (our email delivery service) so that we can respond to your enquiry.
The content you create inside your Canopy instance — cards, diagrams, comments, stakeholder assignments, risk entries, and so on — is your data. We treat it as confidential. We do not mine it for marketing purposes or share it with third parties. We may access it only when necessary to provide technical support or to comply with a legal obligation, and only with your prior knowledge except where legally prohibited from informing you.
If your EA data contains personal information about your employees or other individuals (for example, stakeholder assignments), you are the data controller for that information under applicable privacy laws, and we act as a data processor on your behalf.
We use one session cookie set by Clerk (__client_uat) to indicate whether you have an active session. We do not use analytics, advertising, or tracking cookies. See our Cookie Policy for full details.
Our hosting providers (Google Cloud Platform and Cloudflare) automatically generate server logs that may include your IP address, browser type, the pages you request, and timestamps. These logs are used for security monitoring and operational purposes.
The table below sets out each purpose, the data used, and — for EEA/UK individuals — the lawful basis under GDPR Article 6.
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Provision and operate your Canopy instance | Account data, provisioning data | Performance of a contract (Art. 6(1)(b)) |
| Send transactional emails (e.g. password reset, provisioning confirmations) | Email address | Performance of a contract (Art. 6(1)(b)) |
| Respond to contact form enquiries | Name, email, organisation, message | Legitimate interests (Art. 6(1)(f)) — responding to requests directed to us |
| Maintain security, prevent fraud, and investigate abuse | Account data, server logs | Legitimate interests (Art. 6(1)(f)) — protecting the service and users |
| Improve and troubleshoot the service | Server logs, aggregated usage patterns | Legitimate interests (Art. 6(1)(f)) — improving the service for all users |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
We share personal data with the following trusted third-party service providers who process data on our behalf. Each is bound by data processing agreements and appropriate safeguards.
| Provider | Role | Location | Privacy information |
|---|---|---|---|
| Clerk | Authentication and account management | United States | clerk.com/legal/privacy |
| Google Cloud Platform | Hosting, database, secrets management | Global (GCP infrastructure) | GCP Data Processing Addendum |
| Cloudflare | DNS, traffic routing, CDN | United States | cloudflare.com/privacypolicy |
| Resend | Transactional email delivery | United States | resend.com/legal/privacy-policy |
| Google Fonts | Web font delivery | United States | Google Fonts privacy FAQ |
We do not sell your personal data to any third party, and we do not permit our sub-processors to use your data for their own purposes beyond what is necessary to provide their services to us.
Australia does not currently hold an EU adequacy decision, which means that transfers of personal data from the EEA or UK to Australia require an appropriate safeguard. We rely on Standard Contractual Clauses (SCCs) — where applicable, via our sub-processors' own data processing agreements — to legitimise any transfer of EEA/UK personal data to countries outside the EEA.
If you require more detail on the transfer mechanisms in place for a specific sub-processor, please contact us at [email protected].
We retain personal data only for as long as necessary to fulfil the purposes set out in this policy, unless a longer period is required by law.
Under the Australian Privacy Act, you have the right to:
If you are located in the EEA or UK, you additionally have the right to:
To exercise any of the above rights, please email [email protected] with a clear description of your request. We will respond within 30 days (Australian Privacy Act) or one month (GDPR), whichever applies. We may ask you to verify your identity before processing your request.
We will not charge you for making a request, and we will not discriminate against you for exercising your rights.
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authority as required by the Notifiable Data Breaches scheme (Australian Privacy Act Part IIIC) and, where applicable, GDPR Articles 33–34.
Despite our efforts, no internet-based system is completely secure. You use the Service at your own risk and are responsible for maintaining appropriate security practices at your end.
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.
We use only one essential session cookie, set by Clerk, to manage your authenticated session on rhizo-tech.org. We do not use tracking, analytics, or advertising cookies. See our Cookie Policy for full details.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or by a prominent notice on this page at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
If you are not satisfied with our response, you may escalate to: