Last updated May 22, 2024
Risk by Category
Canva's Privacy Policy outlines how Canva Pty Ltd (Canva) collects, uses, shares, and protects personal information from users of its services. It covers data collection including account details, user content, usage data, device information, and cookies. Data is used to provide and improve services, personalize experiences, ensure security, and comply with legal obligations. Information is shared with service providers, affiliates, in business transfers, and for legal reasons. Users have rights to access, correct, and delete data, and to opt out of certain processing, with specifics varying by region (e.g., GDPR, CCPA). Retention is as needed for purposes or legal requirements. Security measures are in place, but no system is fully secure. The policy emphasizes transparency and user control.
Data shared with service providers, affiliates, and for advertising purposes without granular opt-outs.
Precise location collected with consent, but used for features and analytics.
Extensive use of cookies and tracking technologies for personalization and ads.
Users retain ownership of uploaded content; Canva gets limited license for service provision.
Supports GDPR, CCPA, and other laws with specific rights like deletion and data portability.
Detailed sections on collection, use, sharing, and security measures.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Name, email, payment info when signing up.
Designs, images, text uploaded by users.
IP address, browser type, usage patterns.
Precise location if permitted.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Used to operate, maintain, and provide Canva features.
To personalize experience and train AI models.
For targeted advertising and communications.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Cloud hosting (AWS), analytics (Google), payment processors.
Shared for personalized ads.
Shared within Canva group companies.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Right to access and correct personal data via account settings or requests.
Right to delete account/data and export data where applicable.
Opt out of marketing, cookies, and certain processing.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Data retained while account is active.
Most data deleted within 30 days of deletion request, backups up to 90 days.
Retained as required by law (e.g., billing records).
Security & Transparency
Data encrypted in transit (TLS) and at rest.
Notify users and regulators as required by law.
Access controls, regular audits, employee training.
Source Text
Canva collects a wide range of personal information including content.
Interpretation
Broad collection increases privacy risk but necessary for service.
Source Text
Shares with providers, advertisers, and in mergers.
Interpretation
Significant sharing risk, limited user control.
Source Text
Details rights to access, delete, object.
Interpretation
Strong user protections aligned with global standards.
Source Text
Retains data for business/legal purposes.
Interpretation
Vague durations pose some uncertainty.
Account info, user content, device data, usage analytics, and location if consented.