Where is my CanAI data stored?

All active data on servers in Frankfurt (Hetzner, EU jurisdiction). Backups in Helsinki (also EU). No transfer to the US. AES-256 encryption at rest, TLS 1.3 in transit.

Does CanAI sell my data?

No, never to any third party. We earn revenue through premium subscriptions. Advertising appears only as clearly labelled partnerships (e.g. insurance comparison), never via data sale.

Can I fully delete my CanAI account?

Yes. Account section → "Permanently delete account". Content disappears immediately; backups within 30 days. A confirmation email documents the deletion. Payment data is retained by Stripe for 7 years per PCI-DSS (legally required).

Is my chat history used to train AI models?

No. We use Anthropic and OpenAI with explicit no-training opt-out and a signed DPA. Your data does not leave the EU legal jurisdiction for training purposes.

GDPR and your dog: how CanAI protects your data (UK)

Why does a dog app need GDPR seriously?

You might wonder: what really sensitive data does a dog app handle? More than you'd think. CanAI stores health records, photos, walking-location patterns, behavioural observations — and indirectly personal data about you (email, payment, address). That data deserves the same protection as your banking app.

What CanAI actually processes

About your dog

Breed, age, weight, sex, neuter status.
Vaccination and treatment history (preventatives, vet visits).
Uploaded photos (symptoms, profile).
Behavioural notes and training progress.
Food and activity data.

About you

Email address (account login).
Location data (only when you grant it — for local rescues or dog beaches).
Payment data (processed via Stripe — we never store card numbers).
AI chat conversation history (encrypted).

Where the data lives

All active data sits on servers in Frankfurt (Hetzner). That means: EU legal jurisdiction, GDPR / UK GDPR oversight, no transfer to the US. Backups run encrypted to a secondary EU data centre in Helsinki.

How it's encrypted

In transit: TLS 1.3 for every connection between app and server.
At rest: AES-256 encryption of database contents.
Images: stored in a separate encrypted object store with server-side encryption.
Chat content: anonymised before being sent to the language model — the provider sees the encrypted request text, never your name or identifier.

What we don't do

No data sale — ever, to any third party.
No tracking cookies beyond what's strictly necessary. Cookie banner is transparent, only functional cookies enabled by default.
No external AI model training on your data. OpenAI, Anthropic and others receive aggregated, anonymised queries — never your dog's specific records.
No advertising sale of your data — adverts only appear as clearly labelled partnerships (insurance, vet booking), never via data syndication.

Your UK GDPR rights — how to use them

Right	How to exercise	Response time
Subject access (Art. 15)	Account → Privacy → "Show all my data"	Instant
Rectification (Art. 16)	Edit profile or contact support	Within 24h
Erasure (Art. 17)	Account → "Permanently delete account"	Immediate + backups within 30 days
Data portability (Art. 20)	Account → Privacy → "Export my data" (JSON)	Instant
Object to processing (Art. 21)	support@canai.app	Within 72h

Sub-processors (as of 2026)

CanAI uses these external providers — all UK GDPR compliant with signed DPAs:

Hetzner (Frankfurt) — server hosting.
Supabase EU (Frankfurt) — database infrastructure.
Stripe (Dublin) — payment processing. PCI-DSS certified.
Anthropic / OpenAI — AI language models with DPA and no-training opt-out.
Postmark (EU servers) — transactional email.

What really happens when you delete

Click "Delete account": immediate disconnection of your profile from all content.
Content (dog profile, images, chat) removed from the active database within 24 hours.
Backups: overwritten within 30 days.
Payment data: retained by Stripe for 7 years per PCI-DSS legal requirement.
Confirmation email with the final deletion date.

Security incidents

If, despite our safeguards, a personal-data breach occurs, we notify the Information Commissioner's Office (ICO) and any affected users within 72 hours per Article 33-34. As of May 2026: no incidents recorded.

Your own role in security

Use a strong password (at least 12 characters).
Enable 2FA in the account section.
Check active login devices regularly and sign out unknown sessions.
Avoid discussing sensitive personal info via open chat features in third-party apps.

Questions?

Data protection enquiries to privacy@canai.app. The account section contains all data tools for self-service. Our designated Data Protection Officer is registered with the ICO and reachable on request.