Canva states it keeps your personal data for as long as needed to operate its service, meet legal obligations, resolve disputes, and enforce its agreements, after which it will delete or anonymize the data.
This analysis describes what Canva's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify defined retention periods for particular data categories, which is relevant to GDPR's data minimization and storage limitation principles and may be a point of inquiry for compliance teams or data subject rights requests.
Interpretive note: Specific retention periods for particular data categories are not disclosed in the policy text reviewed; whether this satisfies GDPR and CPRA retention disclosure requirements depends on whether supplemental documentation such as a DPA or retention schedule is provided.
The updated privacy policy no longer explicitly discloses that Canva uses cookies to personalize ads, analyze website performance, or tailor content on partner sites. Previously, the policy stated these purposes and directed users to the cookie policy for more information and choice. The revised policy now mentions only that essential cookies are used to make Canva work. This change removes transparency about non-essential cookie uses and eliminates the cookie consent interface (Accept all cookies / Manage cookies buttons) that was previously presented in the privacy policy document itself.
View change record →The updated privacy policy no longer includes explicit language describing Canva's use of non-essential cookies for personalization, advertising tailoring, and website analytics. Previously, the policy stated that Canva would use these cookies only if users accepted. The removal of this disclosure means the policy no longer clearly explains these cookie categories or presents a consent interaction for non-essential cookies at the point where this information was previously disclosed. Depending on applicable cookie law and Canva's implementation, users may need to consult additional documentation such as a separate cookie policy to understand how non-essential cookies are managed.
View change record →The updated privacy policy no longer explicitly discloses optional cookie uses or provides cookie preference controls on the privacy policy page itself. Previously, Canva stated it would use non-essential cookies for personalization, ad targeting, and analytics only if users accepted, and offered 'Accept all cookies' and 'Manage cookies' options. The removal of this disclosure and consent mechanism may affect how users understand cookie practices and when consent is obtained. Users who previously accessed cookie preferences through the privacy policy will need to locate these controls elsewhere on the Canva platform if they remain available.
View change record →Canva does not specify in this policy how long particular types of personal data are retained. Users who delete their account should note that some data may be retained for legal, dispute resolution, or enforcement purposes for an unspecified period after account closure.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Canva has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide you with the Service, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. When we no longer need to use your personal information, we will take steps to remove it from our systems or anonymise it.— Excerpt from Canva's Canva Privacy Policy
REGULATORY LANDSCAPE: This provision implicates GDPR Article 5(1)(e) (storage limitation principle), which requires personal data to be kept for no longer than necessary for its stated purpose. CCPA and CPRA require disclosure of retention periods or the criteria used to determine them. The Australian Privacy Act also requires reasonable retention practices. The absence of defined retention periods in the policy text may require evaluation against applicable regulatory guidance. GOVERNANCE EXPOSURE: Medium. Open-ended retention language is common but may require supplementation with a records retention schedule to satisfy GDPR and CPRA disclosure obligations. The reference to dispute resolution and enforcement as retention justifications is legally recognized but can be broadly applied in practice. JURISDICTION FLAGS: GDPR's storage limitation principle applies to EU users and requires specific retention periods or criteria to be disclosed. CPRA requires disclosure of retention periods for each category of personal information collected. California-based organizations using Canva should confirm that Canva's DPA includes retention period disclosures for processor-held data. CONTRACT AND VENDOR IMPLICATIONS: Enterprise DPAs should specify retention periods for data processed by Canva as a processor on behalf of the customer-controller, particularly for deleted user accounts and exported data. Procurement teams should request Canva's data retention schedule as part of vendor due diligence. COMPLIANCE CONSIDERATIONS: Compliance teams should request Canva's detailed data retention schedule to verify alignment with GDPR and CPRA disclosure requirements. For account deletion workflows, confirm what data categories are retained post-deletion and for what periods. This information is typically found in a DPA or supplemental retention policy rather than the general privacy policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify defined retention periods for particular data categories, which is relevant to GDPR's data minimization and storage limitation principles and may be a point of inquiry for compliance teams or data subject rights requests.
Canva does not specify in this policy how long particular types of personal data are retained. Users who delete their account should note that some data may be retained for legal, dispute resolution, or enforcement purposes for an unspecified period after account closure.
ConductAtlas has identified this type of provision across 135 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Canva.