Explains the use of cookies and similar technologies on Canva's websites and apps
Risk by Category
Canva's Cookies Policy details how cookies and similar tracking technologies are used across their platforms to provide essential functionality, performance monitoring, personalization, and targeted advertising. It categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting types. Users can manage preferences via cookie banners and browser settings. The policy discloses third-party providers like Google Analytics, Hotjar, Facebook Pixel, and others for analytics and advertising. It emphasizes compliance with laws like GDPR and CCPA, with options for consent withdrawal. Retention varies from session-based to up to 2 years for persistent cookies. Updates are notified via the site.
Shares data with numerous third parties like Google, Facebook, and Amplitude for advertising and analytics.
Uses Targeting cookies for personalized ads based on user behavior.
Some cookies enable tracking across sites via third-party providers.
Explicitly lists Strictly Necessary, Performance, Functional, and Targeting cookies with purposes.
Cookie management via banners, browser settings, and Do Not Sell My Info links.
References GDPR, CCPA, and other privacy laws with consent mechanisms.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
For authentication, security, and preferences.
Measure site usage (e.g., page views, bounce rates).
Track behavior for ad personalization.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Cookies track usage patterns to improve services (e.g., Google Analytics).
Targeting cookies serve personalized ads based on browsing history.
Cookies needed for login, security, and basic site operation.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Google Analytics, Amplitude, Hotjar.
Facebook Pixel, LinkedIn Insight Tag, Google Ads.
Cloudflare, Zendesk for functionality.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Users can accept/reject non-essential cookies via banner; withdraw consent anytime.
Instructions on using browser settings to block cookies.
Link for exercising CCPA rights to opt out of data sales.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Deleted when browser closes.
Up to 2 years (e.g., analytics and advertising).
Data deleted upon account deletion, but anonymized aggregates retained.
Security & Transparency
All cookies transmitted over secure connections.
Commits to notifying users of breaches per law.
Mentions security practices but gives no ISO or SOC 2 details.
Source Text
Details four categories with examples and purposes.
Interpretation
Transparent but allows broad data collection for non-essential uses.
Source Text
Explicit list including ad networks.
Interpretation
High risk due to extensive sharing without granular opt-outs.
Source Text
Banner and browser instructions.
Interpretation
Empowers users with practical controls.
Source Text
Session to 2 years.
Interpretation
Reasonable but persistent tracking possible.
Source Text
Posted updates with notice.
Interpretation
Standard good practice.
Small text files stored on your device to remember preferences and track usage.