Privacy Policy
Last updated: 2026-04-22
1. Controller
The data controller for NovaCanva is kingoy (the “Operator”). For any privacy-related question or GDPR request, contact: hello@novacanva.com
NovaCanva is in free public beta.
2. What we collect
• Account data (only if you sign up): email address, hashed password (or federated identity provider ID), and authentication metadata managed by Supabase (our processor).
• Optional profile: display name you enter during sign-up.
• Technical logs: IP address, browser type, OS, referrer, crash traces — kept for up to 30 days for security and debugging.
• Analytics (only with your explicit consent): anonymous page views and feature usage. No cross-site tracking, no ads, no fingerprinting.
• Your creations: projects, uploaded images, stickers, text layers live in your browser's IndexedDB on your device. They are never uploaded unless you explicitly enable Cloud Sync (planned post-beta).
3. Legal bases (GDPR Art. 6)
• Contract: processing needed to provide the Service you signed up for.
• Consent: analytics cookies (you can withdraw anytime in cookie settings).
• Legitimate interest: security logs, abuse prevention, product improvement.
• Legal obligation: responding to valid legal requests.
4. How long we keep it
• Active account data: for the life of your account.
• Deleted account: purged within 30 days (may remain in encrypted backups up to 90 days).
• Technical logs: 30 days rolling.
• Analytics: aggregated, no personal identifiers after 12 months.
5. Sub-processors
We rely on the following third parties to operate NovaCanva. Each has its own GDPR-compliant Data Processing Agreement:
• Supabase (supabase.com) — authentication & database. Location: EU (Frankfurt).
• Google Fonts — loads the 6 fonts used in the Text layer. IP addresses may be logged by Google during font delivery.
• Cloudflare — CDN, DNS, and (planned) email routing.
• Resend (planned) — transactional emails (sign-up confirmation, password reset).
• Google Cloud Run — hosting. Region: europe-west1.
We do NOT use: Google Analytics, Meta/Facebook Pixel, advertising networks, or cross-site trackers.
6. Your AI-training stance
We will never use your uploaded images, projects, or generated visuals to train AI or machine-learning models. This commitment is permanent.
7. Your rights (EU/UK)
Under the GDPR you have the right to: access your data, correct inaccuracies, delete your data, restrict processing, export your data (portability), object to processing, and lodge a complaint with your local supervisory authority (in France: CNIL). Send requests to hello@novacanva.com — we respond within 30 days.
8. Deleting your account
Go to Account → Settings → Delete account. Deletion is permanent after 30 days — we cannot restore deleted accounts after that window.
9. International transfers
Data primarily lives on EU servers. Where third-party processors transfer data outside the EU (e.g., Cloudflare edge cache, some Google services), we rely on Standard Contractual Clauses or equivalent safeguards.
10. Children
NovaCanva is not directed at children under the local digital-consent age (16 in most EU countries, 13 in the US, 15 in France). If we learn that a child created an account without parental consent, we will delete it.
11. Changes
Material changes to this policy are announced in-app or by email at least 7 days before taking effect.
12. Contact
Privacy / GDPR requests: hello@novacanva.com
Questions about this page? hello@novacanva.com