Privacy Policy
Last updated: 2026-05-10. This policy describes how AI Canvas processes personal data, in line with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Bundesdatenschutzgesetz (BDSG).
1. Controller
The controller responsible for the processing of personal data on this site is the Creator, reachable at aicanvas.me@gmail.com.
2. What we collect
Account data
When you create an account we store your email address and a salted, bcrypt-hashed version of your password. If you sign in with Google we store the Google account identifier and email returned by Google's OAuth flow instead of a password. We never see or store your Google password. Account data lives in our authentication database operated by Supabase (see Section 5).
Usage data tied to your account
While signed in, we record which components you save (saved components), which CLI install commands you copy (install history, including the package manager you used), and your interface preferences (preferred package manager, preferred AI platform). This data is private to you, protected by row-level security, and only used to power features such as your saved list, your install history tab, and pre-selected defaults in the install drawer.
Technical data (everyone)
Our hosting provider Vercel records standard server logs containing IP address, user-agent string, and timestamp for each request. These logs are short-lived and used to detect abuse and operate the service. Vercel Web Analytics produces aggregated, cookieless traffic statistics — visitors are identified only by a per-day hash of the request and the hash is discarded after 24 hours. No personal identifier is created and no cross-site tracking is possible.
Anonymous registry hits
Requests to the public component registry endpoints (paths under /r/) are made by the shadcn CLI and the AI Canvas MCP without any user session. These hits are aggregated anonymously so we can see which components are being installed. No personal data is processed on these paths and no account cookies are read.
Marketing communications preference
We store a boolean opt-in flag on your account (default: enabled on sign-up, per the notice on the sign-up form) plus the timestamp of your last change. We send marketing emails only to accounts with the flag enabled. Toggling it off in /account/settings takes effect immediately. Transactional emails (sign-up confirmation, magic links, password reset) are not affected by this flag — they are necessary to provide the account service.
Children
AI Canvas is a developer tool aimed at adults. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account or otherwise provided personal data to AI Canvas, email aicanvas.me@gmail.com and we will delete the account and the data.
3. Legal basis
- Account & usage data: Art. 6 (1)(b) GDPR — processing is necessary to provide the AI Canvas account service you signed up for.
- Server logs & aggregate analytics: Art. 6 (1)(f) GDPR — legitimate interest in operating, securing, and understanding usage of the service. We balance this against your interests by using only cookieless, aggregate analytics with no cross-site tracking.
- Anonymous registry hits: the data is not personal under GDPR (no identifier links to a person). Logged for product analytics under Art. 6 (1)(f).
- Marketing communications: § 7 (3) UWG (existing-customer exception under German competition law, as interpreted by the ECJ in Case C-654/23). Marketing is limited to AI Canvas's own products and services. You can object at any time at no cost via account settings or the unsubscribe link in any email; an objection ends this processing immediately.
4. Required data and automated decisions
Providing your email and password (or a Google account, if you sign in with Google) is necessary to create and use an AI Canvas account. If you do not provide them, you cannot create an account, but the public site — component browsing, copying source, downloading registry items via the CLI — remains fully usable without signing in. There is no statutory obligation to provide any data.
We do not use automated decision-making, including profiling, in the sense of Art. 22 GDPR. No decisions affecting you are made automatically based on your data.
5. Processors
We use the following service providers to operate AI Canvas. Each is bound by a Data Processing Agreement (DPA) and processes data only on our instructions. Where data leaves the EU, transfers are protected by the EU Standard Contractual Clauses.
- Vercel Inc. (USA) — hosting, request logs, cookieless Web Analytics. Edge serving from Frankfurt where possible.
- Supabase Inc. (USA) — authentication, account database, transactional emails (sign-up confirmation, magic links, password reset). EU-region project where available.
- Google Ireland Ltd. (EU) / Google LLC (USA) — only if you choose “Sign in with Google.” Google authenticates you and returns your email and profile identifier to us. Google's own privacy policy applies to their processing.
- ImageKit (Raw Engineering Inc.) — delivers component preview screenshots. No user data is sent; ImageKit only serves public image URLs.
6. Retention
- Account data is kept for as long as your account exists. When you delete your account, your account row, saved components, install history, and preferences are removed via cascade.
- Server logs are kept for the period set by Vercel's default log retention (typically a few weeks).
- Aggregate analytics are not tied to your identity and are kept indefinitely as aggregates.
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request deletion of your data (Art. 17 — “right to be forgotten”)
- Restrict or object to processing (Art. 18, 21)
- Receive your data in a portable, machine-readable format (Art. 20)
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, email aicanvas.me@gmail.com. We respond within 30 days. Before acting on a rights request we may ask for reasonable proof that you are the person the data belongs to — this is to protect you from someone else requesting your data under false pretences.
8. Cookies and local storage
AI Canvas uses only strictly necessary storage. No tracking, advertising, or third-party cookies are set, and there is therefore no cookie banner.
- Authentication session cookie (set by Supabase): keeps you signed in. Removed on sign-out or expiry.
- Theme preference (localStorage): stores your light/dark theme choice on your device. Never sent to our servers.
Both are exempt from the consent requirement of § 25 (2) TDDDG / TTDSG because they are strictly necessary to deliver the functionality you actively requested.
9. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. For the Creator, that's the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).
10. Changes
We update this policy when our processing changes. The “Last updated” date at the top of this page reflects the most recent revision. For significant changes affecting signed-in users we will notify you by email.