GDPR Compliance

Last updated: March 19, 2026

Our Commitment to GDPR

Kanvas is committed to complying with the General Data Protection Regulation (GDPR) and protecting the personal data of all users, including those in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains how we meet our obligations under GDPR and how you can exercise your rights.

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — including account management, workspace functionality, task management, chat, and document collaboration.
  • Legitimate interest (Art. 6(1)(f)): Processing for fraud prevention, platform security, service improvement, and analytics, provided those interests are not overridden by your interests or fundamental rights and freedoms.
  • Consent (Art. 6(1)(a)): Where required, such as for optional analytics cookies and marketing communications. Consent can be withdrawn at any time.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and other legal requirements.

Your Rights Under GDPR

As a data subject, you have the following rights. We will respond to all requests within 30 days. For complex or numerous requests this period may be extended by up to a further 60 days, in which case we will tell you within the first 30 days why the extension is needed:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you. We will provide this in a commonly used electronic format.
  • Right to rectification (Art. 16): You can request correction of inaccurate personal data. Most profile information can be updated directly in your account settings.
  • Right to erasure (Art. 17): You can request deletion of your personal data. When you delete your account, all personal data is removed within 30 days, except where we are legally required to retain it. Workspace content is handled according to workspace administrator settings.
  • Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (JSON or CSV). This includes your profile data, tasks, messages, and documents.
  • Right to restrict processing (Art. 18): You can request that we limit how we process your data while a complaint or rectification request is being resolved.
  • Right to object (Art. 21): You can object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe your data is being processed unlawfully.

To exercise any of these rights, contact us at privacy@getkanvas.ai. We may ask you to verify your identity before processing your request.

Data Processing and Sub-Processors

For content stored in workspaces, Kanvas acts as a data processor on behalf of workspace administrators (the data controllers); for account, billing, and security data processed under the lawful bases above, Kanvas acts as a controller. We use the following categories of sub-processors:

  • Cloud infrastructure: Hosting and database services (Vercel, Supabase/AWS) — United States.
  • AI providers: Anthropic and OpenAI for AI assistant features — United States. Data is processed in real-time and not retained for model training.
  • Payment processing: Stripe for billing and subscription management — United States.
  • Email delivery: Resend for transactional emails — United States.
  • Video conferencing: Daily.co for video calls and recordings — United States.
  • Analytics: Privacy-focused analytics for platform usage — data is aggregated and anonymized.

We maintain Data Processing Agreements (DPAs) with all sub-processors. A full list of sub-processors with specific entities is available upon request.

International Data Transfers

As our infrastructure is primarily based in the United States, personal data from EEA, UK, and Swiss users may be transferred internationally. We ensure lawful transfers through:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses with all sub-processors that process EEA personal data.
  • UK International Data Transfer Agreement: For transfers of UK personal data, we use the UK IDTA or the UK Addendum to the SCCs.
  • Supplementary measures: Including encryption in transit and at rest, access controls, and contractual commitments from sub-processors to disclose personal data to public authorities only where legally compelled, and to notify us of such requests where the law allows.
  • Transfer Impact Assessments: We assess the legal framework of each recipient country to confirm that transferred data receives protection essentially equivalent to that required in the EEA, UK, and Switzerland.

Data Protection by Design and Default

In accordance with GDPR Article 25, we implement data protection principles into our product development:

  • Data minimization: We collect only the data necessary to provide the Service. AI features use the minimum context needed for each request.
  • Purpose limitation: Data is collected for specific, explicit purposes and not processed in ways incompatible with those purposes.
  • Storage limitation: We retain data only for as long as necessary. Defined retention periods apply to all data categories.
  • Privacy by default: New features are designed with the most privacy-protective settings as the default.
  • Pseudonymization: Where possible, we use pseudonymized or anonymized data for analytics and service improvement.

Data Processing Agreement (DPA)

For organizations that require a Data Processing Agreement, we offer a standard DPA that covers:

  • Nature and purpose of data processing.
  • Types of personal data processed and categories of data subjects.
  • Obligations and rights of the data controller.
  • Sub-processor management and notification procedures.
  • Data breach notification obligations.
  • Data deletion and return procedures upon termination.
  • Audit rights.

To request a DPA, contact legal@getkanvas.ai.

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Art. 33).
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
  • Notify workspace administrators (data controllers) within 48 hours of becoming aware of a breach affecting their workspace data, so they can meet their own notification obligations (Art. 33(2)).
  • Document all breaches, including facts, effects, and remedial actions taken.

Data Protection Officer

For all GDPR-related inquiries, data subject requests, or concerns about our data processing practices, please contact our data protection team: