Because Canva operates globally, your personal data may be transferred to and processed in countries outside your home country, with Canva using Standard Contractual Clauses as the primary legal mechanism for EU data transfers.
This analysis describes what Canva's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Cross-border data transfers involving EU personal data require legally adequate safeguards under GDPR. Canva's reliance on Standard Contractual Clauses is a recognized mechanism but requires accompanying Transfer Impact Assessments under post-Schrems II obligations, and compliance with these requirements cannot be verified from policy text alone.
Interpretive note: Adequacy of Transfer Impact Assessments and currency of SCC documentation cannot be verified from policy text alone; operational compliance requires review of Canva's DPA and sub-processor documentation.
The updated privacy policy no longer explicitly discloses that Canva uses cookies to personalize ads, analyze website performance, or tailor content on partner sites. Previously, the policy stated these purposes and directed users to the cookie policy for more information and choice. The revised policy now mentions only that essential cookies are used to make Canva work. This change removes transparency about non-essential cookie uses and eliminates the cookie consent interface (Accept all cookies / Manage cookies buttons) that was previously presented in the privacy policy document itself.
View change record →The updated privacy policy no longer includes explicit language describing Canva's use of non-essential cookies for personalization, advertising tailoring, and website analytics. Previously, the policy stated that Canva would use these cookies only if users accepted. The removal of this disclosure means the policy no longer clearly explains these cookie categories or presents a consent interaction for non-essential cookies at the point where this information was previously disclosed. Depending on applicable cookie law and Canva's implementation, users may need to consult additional documentation such as a separate cookie policy to understand how non-essential cookies are managed.
View change record →The updated privacy policy no longer explicitly discloses optional cookie uses or provides cookie preference controls on the privacy policy page itself. Previously, Canva stated it would use non-essential cookies for personalization, ad targeting, and analytics only if users accepted, and offered 'Accept all cookies' and 'Manage cookies' options. The removal of this disclosure and consent mechanism may affect how users understand cookie practices and when consent is obtained. Users who previously accessed cookie preferences through the privacy policy will need to locate these controls elsewhere on the Canva platform if they remain available.
View change record →The policy states that your personal data may be transferred internationally and that Canva uses Standard Contractual Clauses for EU data. In practice this means EU users' data may flow to jurisdictions such as Australia or the United States under these contractual safeguards.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Canva has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Canva is headquartered in Australia and has operations and service providers in a number of countries. When we transfer personal information outside of the country in which it was collected, we take steps to ensure that appropriate safeguards are in place to protect your information, including the use of Standard Contractual Clauses approved by the European Commission where applicable.— Excerpt from Canva's Canva Privacy Policy
REGULATORY LANDSCAPE: This provision directly implicates GDPR Chapter V (Articles 44-49) governing transfers of personal data to third countries. The European Data Protection Board's guidance following the Schrems II ruling requires Transfer Impact Assessments (TIAs) to accompany SCC use. The UK GDPR has parallel transfer requirements using International Data Transfer Agreements (IDTAs) rather than EU SCCs. Australian Privacy Act obligations apply to outbound transfers from Australia. GOVERNANCE EXPOSURE: Medium. SCC use is a recognized and widely implemented transfer mechanism, but post-Schrems II requirements for TIAs represent an ongoing compliance obligation. The adequacy of Canva's TIA documentation for transfers to the United States and other jurisdictions cannot be assessed from the policy alone. JURISDICTION FLAGS: EU and EEA users have the most direct exposure under GDPR Chapter V. UK users require separate assessment under UK GDPR and IDTA frameworks. Enterprise customers in the EU or UK should request copies of applicable DPAs and confirm SCC or IDTA documentation is current. CONTRACT AND VENDOR IMPLICATIONS: Enterprise and business customers acting as data controllers under GDPR should ensure a current DPA is in place with Canva that specifies the applicable transfer mechanism, SCC module, and any required annexes. Outdated SCCs (pre-June 2021 European Commission standard clauses) would not satisfy current requirements. COMPLIANCE CONSIDERATIONS: Legal teams should request Canva's current DPA and verify that updated 2021 SCCs or UK IDTAs are in place for relevant transfer flows. A Transfer Impact Assessment for transfers to Australia or the United States should be documented. Organizations in regulated sectors should confirm that sub-processor locations and transfer chains are disclosed in Canva's DPA sub-processor list.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Cross-border data transfers involving EU personal data require legally adequate safeguards under GDPR. Canva's reliance on Standard Contractual Clauses is a recognized mechanism but requires accompanying Transfer Impact Assessments under post-Schrems II obligations, and compliance with these requirements cannot be verified from policy text alone.
The policy states that your personal data may be transferred internationally and that Canva uses Standard Contractual Clauses for EU data. In practice this means EU users' data may flow to jurisdictions such as Australia or the United States under these contractual safeguards.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Canva.