Who we are
MyCanvas is operated by Daniel Golding, an individual trading as MyCanvas, based in the United Kingdom. When this policy says "we", "us", or "our", it means Daniel Golding / MyCanvas.
Contact: support@mycanvasdesign.com
What data we collect and why
We collect only what is necessary to provide the service:
- Email address — when you choose to create an account. Used solely to send you a sign-in link and to identify your account. We never use your email for marketing.
- Design data — canvas JSON, canvas dimensions, and a thumbnail image. Stored when you explicitly save a project or share a design. You own your designs entirely.
- IP address — used transiently for rate limiting (e.g. limiting share link creation to 5 per minute). IP addresses are not stored in our database; they exist only in Cloudflare's edge memory for the duration of the rate-limit window (60 seconds).
- Session cookie — an HttpOnly, Secure JWT cookie named
mc_authis set when you sign in. It expires after 30 days. This is strictly necessary for the service to work and does not require your consent under UK PECR.
Legal basis for processing (UK GDPR)
- Contract performance — processing your email and design data to provide the cloud save and account features you have asked for.
- Legitimate interests — rate limiting by IP address to protect the service from abuse.
Who we share data with
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. We use the following sub-processors to operate the service:
| Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, database (D1), object storage (R2), KV store, bot protection (Turnstile) | USA (EU–US Data Privacy Framework; UK data routed via London PoP) |
| Lemon Squeezy | Payment processing (if you become a Supporter). They act as merchant of record and handle all billing data — we never see your card details. | USA |
| MailChannels | Transactional email (magic sign-in links only) | USA |
All sub-processors are bound by data processing agreements and appropriate safeguards under UK GDPR.
How long we keep your data
- Account data — retained until you delete your account or request deletion.
- Projects and templates — retained until you delete them or your account is deleted.
- Anonymous shared designs — automatically deleted after 30 days.
- Session tokens — expire after 30 days or immediately on sign-out.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Request deletion of your personal data ("right to be forgotten")
- Restrict or object to processing
- Data portability — receive your data in a machine-readable format
To exercise any of these rights, email support@mycanvasdesign.com. We will respond within 30 days. There is no charge for reasonable requests.
Security
All data is transmitted over HTTPS. Session cookies are HttpOnly and Secure. Passwords are never stored — we use magic links only. Design data is stored in Cloudflare's infrastructure which provides encryption at rest.
Children
MyCanvas is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to this policy
We may update this policy. If the changes are material, we will notify signed-in users by email. Continued use of the service after changes constitutes acceptance.
Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk — telephone 0303 123 1113.