Note: The following privacy policy applies to the use of the Canva app “Phrasery”.
This English version is a translation of the German privacy policy. In the event of any discrepancies, the German version shall prevail.
Privacy Policy for the Canva App “Phrasery”
(Last updated: December 2025)
A.Introduction
This privacy policy informs you about how the Canva app Phrasery processes personal data.
Phrasery is an application integrated into the Canva platform that allows users to create, store, and use text snippets in designs.
The controller responsible for processing your personal data is:
Kreavisia – Michaela Moreels
Kieselstr. 47
66125 Saarbrücken
Germany
Email: contact@kreavisia.com
The use of Phrasery takes place within the Canva platform. The processing of data by Canva itself is governed exclusively by Canva’s privacy policy:
https://www.canva.com/policies/privacy-policy/
B.Definitions
This policy uses terms as defined in Art. 4 GDPR (e.g. “personal data”, “processing”, “controller”). As a rule, Phrasery only processes data that is technically necessary or that arises directly from your use of the app.
C.Data processing when using Phrasery
1. Processing of personal data when using the app
a) Technical data (server log files)
When our backend is accessed, the following information is processed automatically:
Date and time of the server request
Browser type / version (depending on the Canva frontend)
IP address (truncated and used only for technical purposes)
Error logs to ensure operation
Purpose: stability, security, detection of abuse
Legal basis: Art. 6(1)(f) GDPR (legitimate interests)
b) Canva app data (scopes)
Phrasery only uses the permissions (“scopes”) provided by Canva.
These include in particular:
canva:design:content
→ read and write text boxes in designs
canva:user:profile (if used)
→ access to the Canva user ID in order to store personal phrases
no media access rights, unless implemented at a later point in time
Canva does not provide the app with real names, email addresses, or contact information.
c) Usage data within Phrasery
We only process data that you actively enter or generate:
stored text snippets (“phrases”)
categories or tags (optional)
user settings within the app
features you select (e.g. export/import)
This data is stored in our database so that you can use it across different designs.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract – provision of the app)
d) Payment data (when upgrading to Plus/Pro/Premium)
If you purchase a paid upgrade, payment processing is carried out via Stripe Payments Europe Ltd.
In this context, we receive:
your Stripe customer ID
information on which subscription is active
invoice status (“paid”, “canceled”, etc.)
We do not receive credit card details or bank account numbers.
Stripe Privacy Policy: https://stripe.com/privacy
Legal basis: Art. 6(1)(b) GDPR
2. No processing of the following data
Phrasery does not process:
location data (GPS)
device identifiers
contacts, calendar entries, photos
cookies (Phrasery does not use its own cookies)
personal profile data such as name, email address, or postal address (these are not provided to us by Canva)
3. Storage of your data
Data generated through Phrasery is stored exclusively on the servers of our hosting provider:
Scalingo SAS
Server location: France (EU)
Databases: MongoDB (EU zone)
We store your data:
for as long as you actively use the app
until you delete your content
or until you request that your data be deleted
Logs are retained for security purposes for a maximum of 30 days.
4. Data security
We protect your data by:
TLS encryption for all data transmissions
encryption of the database (Scalingo / MongoDB)
role-based access controls
regular security audits
daily automated backups of the backend and database
Data is only disclosed if we are legally obliged to do so.
5. Disclosure to processors
We use the following service providers as processors in accordance with Art. 28 GDPR:
a) Scalingo SAS (hosting & database)
15 Avenue du Rhin, 67100 Strasbourg, France
Processes: all app data, log files
b) MongoDB (via Scalingo)
EU region
Processes: stored phrases and user data
c) Stripe Payments Europe
1 Grand Canal Street Lower, Dublin, Ireland
Processes: payment transactions
We have GDPR-compliant data processing agreements in place with all service providers and rely on EU-wide security standards.
6. Transfer to third countries (Canva)
The use of Phrasery takes place within the platform of Canva Pty Ltd, Australia.
Canva may transfer technical data to third countries and relies on standard contractual clauses in accordance with Art. 46 GDPR.
This transfer takes place independently of our own data processing.
Further information can be found in Canva’s privacy policy.
7. No automated decision-making
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.
8. Your rights (Art. 15–21 GDPR)
You have the following rights at any time:
right of access
right to rectification
right to erasure (“right to be forgotten”)
right to restriction of processing
right to data portability
right to object to certain processing operations
Please address your request to:
contact@kreavisia.com
9. Withdrawal of consent
If you have given us consent for specific features (e.g. beta features), you may withdraw this consent at any time without formal requirements.
10. Changes to this privacy policy
We will update this privacy policy where necessary, for example when new features are introduced or legal requirements change.
The current version can be found on our website or in the Canva app listing.
11. eRecht24 Revocation Button
We have integrated a revocation button on our website to comply with the legal requirements of consumer law. The revocation button is provided by eRecht24 GmbH & Co. KG, Lietzenburger Straße 93-95, 10719 Berlin, Germany (hereinafter referred to as “eRecht24”). eRecht24 processes incoming cancellations exclusively on our behalf and does not use the data for its own purposes. A data processing agreement (DPA) has been concluded with eRecht24.
As a subcontractor, eRecht24 uses the cybersecurity service Friendly Captcha GmbH, Am Anger 3–5, 82237 Wörthsee, Germany, to secure the withdrawal form, as well as the mailing service provider MailPace Ltd., Unit G32, 111 Power Rd, Chiswick, London W4 5PY, United Kingdom, for sending confirmation emails.
The service providers were carefully selected with data protection considerations in mind. eRecht24 has entered into a data processing agreement with both service providers. Data processing in connection with the cancellation button is based on Art. 6(1)(c) GDPR (compliance with a legal obligation) and Art. 6(1)(b) GDPR (contract).