/ PrivacyPrivacy Policy
Last updated: 04.10.2025This Privacy Policy describes how Berta Mas (Sole Trader), established under the laws of Spain ("Canvasana," "we," or "us"), processes your personal information when you access or use our websites (Canvasana.com, app.canvasana.com) and associated services (collectively, the "Services").
We are committed to protecting your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Spanish data protection laws.
1. Controller
For the purposes of the GDPR, the Data Controller for the processing described in this Privacy Policy is:
Berta Mas Bistuer (Sole Trader)
Address: Comte D'Urgell, 7, 08011 Barcelona, Spain
Contact Email: hello@canvasana.com
2. Personal Data We Process
We collect and process the following categories of personal information:
| Category | Examples |
|---|---|
| Identification Data | Name, email address, user ID, profile information. |
| Account Data | Login credentials, subscription status, plan details. |
| Content Data | Any content, data, or files you create, upload, or generate using the Services. |
| Usage Data | IP address, browser type, operating system, access times, pages viewed, features used (collected via Google Analytics). |
| Transaction Data | Subscription details and payment status via our payment processor (Polar.sh). |
| Communication Data | Customer support inquiries sent to hello@canvasana.com. |
3. Purposes and Legal Bases
We process your data for the following purposes and rely on the following legal bases under Art. 6 GDPR:
| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Provide, operate, and secure our Services | Performance of contract (Art. 6(1)(b)) |
| Process paid subscriptions and payments | Performance of contract (Art. 6(1)(b)) |
| Analyze usage for Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Respond to support inquiries (email) | Performance of contract (Art. 6(1)(b)) / Legitimate interest |
| Send transactional and in-app emails | Performance of contract (Art. 6(1)(b)) / Legitimate interest |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Recipients and Sub-Processors
We share personal data with trusted third-party processors who support us in providing the Services. We ensure that any transfers outside the European Economic Area (EEA) are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.
| Recipient | Purpose | Location |
|---|---|---|
| Vercel | Website and application hosting/infrastructure. | EU / US |
| Google Analytics | Website and product usage analysis. | EU / US |
| Supabase | Hosting database, user authentication, and account management. | EU |
| Polar.sh | Payment and subscription management for paid users. | US (Payments and primary processing). Transfers are secured by the Standard Contractual Clauses (SCCs) or the provider's participation in the EU-U.S. Data Privacy Framework. |
| Resend | Sending transactional and in-app emails (e.g., password resets). | EU |
| Loop.so | Sending marketing/newsletter emails. | US |
5. Your GDPR Rights
As a data subject in the EEA, you have the following rights: the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise these rights, please contact us at hello@canvasana.com. You also have the right to lodge a complaint with a supervisory authority in Spain or your Member State of residence.
6. Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined above. Account data is generally deleted within 30 days following account closure, unless a longer retention period is required by law.