Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] (“Canvas Approvals”) handles personal data when you use canvasapprovals.com and the Service. For personal data contained in a customer’s workspace (“Customer Data”), the customer organization is the data controller and we act as its processor; for account and marketing data we are the controller.
1. Data we collect
- Account data: name, work email, password hash, role, and optional profile fields (job title, department, phone, location, avatar).
- Workspace/Customer Data: the approvals, forms, uploaded data tables, variables, comments, attachments, and audit logs your organization creates.
- Usage and device data: IP address, user-agent, session activity, and log timestamps, used for security and to operate the Service.
- Communications: emails we send (verification, notifications, and — if you opt in — marketing) and support messages.
2. How we use data
- To provide, secure, and support the Service (including authentication, tenant isolation, and audit logging).
- To send transactional email such as email verification and approval notifications.
- To send marketing email only where permitted, always with a working unsubscribe link.
- To detect, prevent, and investigate abuse, fraud, and security incidents.
- To comply with legal obligations.
3. Legal bases (GDPR/where applicable)
We rely on: performance of a contract (providing the Service); legitimate interests (security, product improvement, and non-intrusive marketing to existing customers); consent (marketing where required, and browser notifications); and legal obligation. You may withdraw consent at any time.
4. Sub-processors and sharing
We share data only with vetted providers that help us run the Service:
- Cloud hosting / CDN and DNS: [Cloudflare, and the app-hosting provider].
- Database hosting: [Supabase for testing; AWS (e.g. RDS/Aurora) for production].
- Transactional & marketing email: [Resend].
- Payments (paid plans): [payment processor].
- Error monitoring / logging: [e.g. Sentry], if enabled.
We do not sell personal data. A current list of sub-processors is available on request at [privacy@canvasapprovals.com].
5. International transfers
Where data is transferred across borders (for example, to a US-based provider), we rely on appropriate safeguards such as Standard Contractual Clauses. [Confirm the actual hosting regions and update.]
6. Security
We use industry-standard measures including encrypted transport (HTTPS), hashed passwords and session tokens, per-workspace isolation, ownership checks on every protected request, and audit logging. No system is perfectly secure; we work to reduce risk and will notify affected parties of qualifying breaches as required by law.
7. Retention
We keep personal data for as long as needed to provide the Service and for the periods described in our Data Retention Policy, then delete or anonymize it.
8. Your rights
Subject to your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. For Customer Data, contact your workspace administrator (the controller); for account/marketing data, contact us at [privacy@canvasapprovals.com]. You may also lodge a complaint with your local supervisory authority.
9. Cookies
We use a strictly necessary session cookie for authentication and a small preference cookie (for example, sidebar state). We do not use advertising cookies. [Add a cookie banner/notice if you introduce non-essential analytics or marketing cookies.]
10. Children
The Service is for business use and is not directed at children under [16/18]. We do not knowingly collect their data.
11. Changes and contact
We will post updates here and notify you of material changes. Contact: [privacy@canvasapprovals.com] · [LEGAL ENTITY NAME], [REGISTERED ADDRESS] · [Data Protection Officer / EU representative, if applicable].