Note: The following privacy policy applies to the use of the Canva app “Phrasery”.

This English version is a translation of the German privacy policy. In the event of any discrepancies, the German version shall prevail.

View the German version (legally binding)

Privacy Policy for the Canva App “Phrasery”

(Last updated: December 2025)

A.Introduction

This privacy policy informs you about how the Canva app Phrasery processes personal data.

Phrasery is an application integrated into the Canva platform that allows users to create, store, and use text snippets in designs.

The controller responsible for processing your personal data is:

Kreavisia – Michaela Moreels
Kieselstr. 47
66125 Saarbrücken
Germany
Email: contact@kreavisia.com

The use of Phrasery takes place within the Canva platform. The processing of data by Canva itself is governed exclusively by Canva’s privacy policy:
https://www.canva.com/policies/privacy-policy/

B.Definitions

This policy uses terms as defined in Art. 4 GDPR (e.g. “personal data”, “processing”, “controller”). As a rule, Phrasery only processes data that is technically necessary or that arises directly from your use of the app.

C.Data processing when using Phrasery

1. Processing of personal data when using the app

a) Technical data (server log files)

When our backend is accessed, the following information is processed automatically:

Date and time of the server request

Browser type / version (depending on the Canva frontend)

IP address (truncated and used only for technical purposes)

Error logs to ensure operation

Purpose: stability, security, detection of abuse
Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

b) Canva app data (scopes)

Phrasery only uses the permissions (“scopes”) provided by Canva.
These include in particular:

canva:design:content
→ read and write text boxes in designs

canva:user:profile (if used)
→ access to the Canva user ID in order to store personal phrases

no media access rights, unless implemented at a later point in time

Canva does not provide the app with real names, email addresses, or contact information.

c) Usage data within Phrasery

We only process data that you actively enter or generate:

stored text snippets (“phrases”)

categories or tags (optional)

user settings within the app

features you select (e.g. export/import)

This data is stored in our database so that you can use it across different designs.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract – provision of the app)

d) Payment data (when upgrading to Plus/Pro/Premium)

If you purchase a paid upgrade, payment processing is carried out via Stripe Payments Europe Ltd.

In this context, we receive:

your Stripe customer ID

information on which subscription is active

invoice status (“paid”, “canceled”, etc.)

We do not receive credit card details or bank account numbers.

Stripe Privacy Policy: https://stripe.com/privacy

Legal basis: Art. 6(1)(b) GDPR

2. No processing of the following data

Phrasery does not process:

location data (GPS)

device identifiers

contacts, calendar entries, photos

cookies (Phrasery does not use its own cookies)

personal profile data such as name, email address, or postal address (these are not provided to us by Canva)

3. Storage of your data

Data generated through Phrasery is stored exclusively on the servers of our hosting provider:

Scalingo SAS
Server location: France (EU)
Databases: MongoDB (EU zone)

We store your data:

for as long as you actively use the app

until you delete your content

or until you request that your data be deleted

Logs are retained for security purposes for a maximum of 30 days.

4. Data security

We protect your data by:

TLS encryption for all data transmissions

encryption of the database (Scalingo / MongoDB)

role-based access controls

regular security audits

daily automated backups of the backend and database

Data is only disclosed if we are legally obliged to do so.

5. Disclosure to processors

We use the following service providers as processors in accordance with Art. 28 GDPR:

a) Scalingo SAS (hosting & database)

15 Avenue du Rhin, 67100 Strasbourg, France
Processes: all app data, log files

b) MongoDB (via Scalingo)

EU region
Processes: stored phrases and user data

c) Stripe Payments Europe

1 Grand Canal Street Lower, Dublin, Ireland
Processes: payment transactions

We have GDPR-compliant data processing agreements in place with all service providers and rely on EU-wide security standards.

6. Transfer to third countries (Canva)

The use of Phrasery takes place within the platform of Canva Pty Ltd, Australia.
Canva may transfer technical data to third countries and relies on standard contractual clauses in accordance with Art. 46 GDPR.

This transfer takes place independently of our own data processing.
Further information can be found in Canva’s privacy policy.

7. No automated decision-making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

8. Your rights (Art. 15–21 GDPR)

You have the following rights at any time:

right of access

right to rectification

right to erasure (“right to be forgotten”)

right to restriction of processing

right to data portability

right to object to certain processing operations

Please address your request to:
contact@kreavisia.com

9. Withdrawal of consent

If you have given us consent for specific features (e.g. beta features), you may withdraw this consent at any time without formal requirements.

10. Changes to this privacy policy

We will update this privacy policy where necessary, for example when new features are introduced or legal requirements change.
The current version can be found on our website or in the Canva app listing.

11. eRecht24 Revocation Button

We have integrated a revocation button on our website to comply with the legal requirements of consumer law. The revocation button is provided by eRecht24 GmbH & Co. KG, Lietzenburger Straße 93-95, 10719 Berlin, Germany (hereinafter referred to as “eRecht24”). eRecht24 processes incoming cancellations exclusively on our behalf and does not use the data for its own purposes. A data processing agreement (DPA) has been concluded with eRecht24.

As a subcontractor, eRecht24 uses the cybersecurity service Friendly Captcha GmbH, Am Anger 3–5, 82237 Wörthsee, Germany, to secure the withdrawal form, as well as the mailing service provider MailPace Ltd., Unit G32, 111 Power Rd, Chiswick, London W4 5PY, United Kingdom, for sending confirmation emails.

The service providers were carefully selected with data protection considerations in mind. eRecht24 has entered into a data processing agreement with both service providers. Data processing in connection with the cancellation button is based on Art. 6(1)(c) GDPR (compliance with a legal obligation) and Art. 6(1)(b) GDPR (contract).