/Privacy
Privacy Policy
Last updated: 2026-06-21. This policy describes how AI Canvas processes personal data, in line with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Bundesdatenschutzgesetz (BDSG).
1. Controller
The controller responsible for the processing of personal data on this site is the Creator, reachable at contact@aicanvas.me.
1b. Payments and the install token
Payments via Paddle (independent controller)
Premium purchases are processed by Paddle (Paddle.com Market Ltd, and Paddle, Inc.) as our reseller and Merchant of Record. For your purchase, Paddle is the seller of record and acts as an independent data controller for the personal data it collects and holds, such as your card and billing details. We and Paddle each act as independent controllers for the data each of us holds: Paddle controls the payment and billing data you enter at its checkout under its own privacy policy, and we control the limited subscription metadata Paddle sends back to us (Section 2). Because Paddle is in the UK and the USA, your data may be processed outside the EU under Paddle's own safeguards.
Per-user install token
When you have an account we issue a per-user install token (a key that begins with aic_). The CLI and the AI Canvas MCP send this token when you install a component so we can recognise your account and unlock any Premium content you are entitled to. The token is tied to your identity, so we treat it as personal data. We process it to authenticate your installs and to keep installs secure against abuse. The lawful basis is Art. 6 (1)(b) GDPR (performance of the contract for your account and any Premium subscription) and Art. 6 (1)(f) GDPR (our legitimate interest in securing installs and preventing token abuse). We retain the token while your account is active and delete or invalidate it when you delete your account or when the token is revoked or regenerated.
2. What we collect
Account data
When you create an account we store your email address and a salted, bcrypt-hashed version of your password. If you sign in with Google we store the Google account identifier and email returned by Google's OAuth flow instead of a password. We never see or store your Google password. Account data lives in our authentication database operated by Supabase (see Section 5).
Usage data tied to your account
While signed in, we record which components you save (saved components), which CLI install commands you copy (install history, including the package manager you used), and your interface preferences (preferred package manager, preferred AI platform). This data is private to you, protected by row-level security, and only used to power features such as your saved list, your install history tab, and pre-selected defaults in the install drawer.
Subscription & billing data
When you take out a Premium subscription, payment is handled by our payment provider and Merchant of Record, Paddle (Section 5). You enter your card and billing details at Paddle's checkout; those details are held by Paddle under its own privacy policy, and we never receive or store your card number. From Paddle's notifications we store a small amount of subscription metadata on your account: your subscription status, the plan (monthly or yearly), the current renewal date, and the customer and subscription identifiers Paddle assigns. We use it to unlock your Premium access, show your current plan, and let you cancel. If you cancel through the cancellation form, we also process the details you submit there in order to end your subscription.
Contact form
When you write to us through the contact form we receive the name, email address, subject, and message you submit. We use them solely to read and answer your enquiry. The message is delivered to our inbox by Resend (see Section 5) with your email set as the reply-to address.
Technical data (everyone)
Our hosting provider Vercel records standard server logs containing IP address, user-agent string, and timestamp for each request. These logs are short-lived and used to detect abuse and operate the service. Vercel Web Analytics produces aggregated, cookieless traffic statistics. Visitors are identified only by a per-day hash of the request and the hash is discarded after 24 hours. No personal identifier is created and no cross-site tracking is possible.
Anonymous registry hits
Requests to the public component registry endpoints (paths under /r/) are made by the shadcn CLI and the AI Canvas MCP. If you are signed in, the command you copied carries your account API token so the pull unlocks any premium content you are entitled to. We do not count or log per-install activity for anonymous requests. Abuse is handled at signup instead, through email confirmation and a Cloudflare Turnstile challenge, so these registry paths read no account cookies and keep no per-install counters.
Marketing communications preference
We store a boolean opt-in flag on your account (default: enabled on sign-up, per the notice on the sign-up form) plus the timestamp of your last change. We send marketing emails only to accounts with the flag enabled. Toggling it off in /account/settings takes effect immediately. Transactional emails (sign-up confirmation, magic links, password reset) are not affected by this flag. They are necessary to provide the account service.
Children
AI Canvas is a developer tool aimed at adults. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account or otherwise provided personal data to AI Canvas, email contact@aicanvas.me and we will delete the account and the data.
3. Legal basis
- Account & usage data: Art. 6 (1)(b) GDPR. Processing is necessary to provide the AI Canvas account service you signed up for.
- Server logs & aggregate analytics: Art. 6 (1)(f) GDPR. Legitimate interest in operating, securing, and understanding usage of the service. We balance this against your interests by using only cookieless, aggregate analytics with no cross-site tracking.
- Anonymous registry hits: Art. 6 (1)(f) GDPR. Legitimate interest in operating the service. We do not count or log per-install activity for anonymous requests, and keep no per-install counter. Signed-in pulls are tied to your account.
- Contact form: Art. 6 (1)(f) GDPR — legitimate interest in answering an enquiry you chose to send us. We process only the name, email, subject, and message you provide, and keep them no longer than needed to deal with the matter.
- Marketing communications: § 7 (3) UWG (existing-customer exception under German competition law, as interpreted by the ECJ in Case C-654/23). Marketing is limited to AI Canvas's own products and services. You can object at any time at no cost via account settings or the unsubscribe link in any email; an objection ends this processing immediately.
- Subscription & billing: Art. 6 (1)(b) GDPR. Processing your subscription metadata is necessary to perform the Premium contract you entered into. Keeping billing and accounting records for the statutory period rests on Art. 6 (1)(c) GDPR (compliance with our retention duties under German commercial and tax law).
- Bot protection on the cancellation form: Art. 6 (1)(f) GDPR. Legitimate interest in protecting the login-free cancellation form from automated abuse. The check (Cloudflare Turnstile, Section 5) is cookieless and runs only on that page.
4. Required data and automated decisions
Providing your email and password (or a Google account, if you sign in with Google) is necessary to create and use an AI Canvas account. If you do not provide them, you cannot create an account, but the public site (component browsing, copying source, downloading registry items via the CLI) remains fully usable without signing in. There is no statutory obligation to provide any data.
We do not use automated decision-making, including profiling, in the sense of Art. 22 GDPR. No decisions affecting you are made automatically based on your data.
5. Processors
We use the following service providers to operate AI Canvas. Each is bound by a Data Processing Agreement (DPA) and processes data only on our instructions. Where data leaves the EU, transfers are protected by the EU Standard Contractual Clauses.
- Vercel Inc. (USA): hosting, request logs, cookieless Web Analytics. Edge serving from Frankfurt where possible.
- Supabase Inc. (USA) — authentication and account database. It also generates the account emails (sign-up confirmation, magic links, password reset), which are delivered via Resend (below). EU-region project where available.
- Resend (Resend, Inc.) (USA) — delivers our outbound email: the account emails above and any message you send through the contact form. Mail is sent via Amazon SES in the EU region (Ireland) and authenticated with SPF/DKIM; we use no open- or click-tracking.
- Google Ireland Ltd. (EU) / Google LLC (USA): only if you choose “Sign in with Google.” Google authenticates you and returns your email and profile identifier to us. Google's own privacy policy applies to their processing.
- ImageKit (Raw Engineering Inc.): delivers component preview screenshots. No user data is sent; ImageKit only serves public image URLs.
- Paddle.com Market Ltd (UK) / Paddle, Inc. (USA): our payment provider and Merchant of Record for Premium subscriptions. Paddle handles checkout, payment processing, billing, sales tax and VAT, and refunds, and processes the billing and payment details you enter at checkout under its own privacy policy. Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
- Cloudflare, Inc.(USA): provides the cookieless bot-protection check (Turnstile) on the login-free cancellation form. To assess whether a request is automated, Cloudflare receives the visitor's IP address and browser interaction signals for that form. It sets no cookies on our site. Legal basis: Art. 6 (1)(f) GDPR.
6. Retention
- Account data is kept for as long as your account exists. When you delete your account, your account row, saved components, install history, and preferences are removed via cascade.
- Contact messages are kept only as long as needed to handle your enquiry and any follow-up, then deleted.
- Server logsare kept for the period set by Vercel's default log retention (typically a few weeks).
- Aggregate analytics are not tied to your identity and are kept indefinitely as aggregates.
- Billing and accounting records that we must keep under German commercial and tax law (HGB § 257, AO § 147) are retained for the statutory period, generally six to ten years depending on the record type, even after you delete your account. During that period we restrict their processing to what the law requires. As Merchant of Record, Paddle issues and retains the invoices for your purchases under its own obligations.
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request deletion of your data (Art. 17, “right to be forgotten”)
- Restrict or object to processing (Art. 18, 21)
- Receive your data in a portable, machine-readable format (Art. 20)
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, email contact@aicanvas.me. We respond within 30 days. Before acting on a rights request we may ask for reasonable proof that you are the person the data belongs to. This is to protect you from someone else requesting your data under false pretences.
8. Cookies and local storage
AI Canvas sets only strictly necessary cookies on its own site. We use no tracking or advertising cookies and set nothing on your device that requires consent under § 25 (2) TDDDG, so there is no cookie banner.
- Authentication session cookie (set by Supabase): keeps you signed in. Removed on sign-out or expiry.
- Theme preference (localStorage): stores your light/dark theme choice on your device. Never sent to our servers.
Both are exempt from the consent requirement of § 25 (2) TDDDG / TTDSG because they are strictly necessary to deliver the functionality you actively requested.
Two third-party features deliberately avoid setting cookies on our site: the bot-protection check on the cancellation form (Cloudflare Turnstile) is cookieless, and the Premium checkout opens only when you click to upgrade. That checkout runs inside Paddle's payment overlay, and any cookies there are set by Paddle under its own cookie and privacy policy, not by us.
9. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. For the Creator, that's the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).
10. Changes
We update this policy when our processing changes. The “Last updated” date at the top of this page reflects the most recent revision. For significant changes affecting signed-in users we will notify you by email.