Last updated: January 14, 2026
This Privacy Policy explains how we collect, use, and protect your information when you use our services.
We do not store complete payment card details. Payment processing is handled by our payment processor, Lemon Squeezy, which adheres to PCI-DSS standards. We store only the encrypted card brand and last 4 digits for your reference.
| Purpose | Legal Basis |
|---|---|
| Providing our service | Contract performance |
| Processing payments | Contract performance |
| Account communications | Contract performance |
| Security and fraud prevention | Legitimate interest |
| Service improvement analytics | Legitimate interest |
| Marketing communications | Consent |
We implement industry-standard security measures to protect your data:
Your canvas content (cards, edges, highlights, etc.) is encrypted in your browser before being sent to our servers using XSalsa20-Poly1305 authenticated encryption.
All data stored in our database is protected by AWS AES-256 at-rest encryption, providing multiple layers of protection for your data.
We do not sell your personal data. We share data only with trusted service providers necessary to operate our service:
| Service | Data Shared |
|---|---|
| Database & Authentication | Encrypted content, email |
| Hosting | Request metadata |
| Payment Processing | Email, payment info |
| AI Features | Prompts (user-initiated) |
| Transactional Email | Email address |
All providers are GDPR-compliant and bound by data processing agreements.
Under the General Data Protection Regulation (GDPR) and similar data protection laws, you have the following rights:
Right to Access: Request a copy of your personal data
Right to Rectification: Correct inaccurate personal data
Right to Erasure: Delete your account and all data
Right to Data Portability: Export your data in JSON format
Right to Object: Object to certain data processing
Right to Restriction: Limit how we process your data
Exercise Your Rights: Delete your account and export your data from your Profile page. For other requests, visit our Support page.
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Canvas content | Until account deletion |
| Payment records (ours) | Until account deletion |
| Payment records (Lemon Squeezy) | Per their retention policy |
| Server logs (Vercel) | 30 days |
Our servers and service providers are located in the United States. If you are accessing our service from outside the US, your data will be transferred internationally.
For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards.
When you use AI features, your prompts are sent to OpenAI via their API.
We do not use your content to train any AI models. According to OpenAI's policy, API data is not used for training by default. OpenAI may retain data for up to 30 days for safety monitoring.
What is sent: Only the specific text you choose to process.
What is NOT sent: Your entire canvas, account information, or any data you haven't explicitly included.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice on our website before the changes take effect.
If you have any questions about this Privacy Policy, please visit our Support page.