EU, EEA, UK, and Swiss users have legal rights under GDPR and equivalent laws to access, fix, delete, export, or object to the processing of their personal data, and can complain to their national privacy regulator if Canva does not respond appropriately.
This analysis describes what Canva's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause operationalizes statutory obligations under GDPR and equivalent data protection frameworks by identifying the rights holders are entitled to invoke and establishing the procedural mechanism (email contact) through which Canva processes such requests. The provision ensures the terms acknowledge and facilitate compliance with regional data protection law requirements.
The updated privacy policy no longer explicitly discloses that Canva uses cookies to personalize ads, analyze website performance, or tailor content on partner sites. Previously, the policy stated these purposes and directed users to the cookie policy for more information and choice. The revised policy now mentions only that essential cookies are used to make Canva work. This change removes transparency about non-essential cookie uses and eliminates the cookie consent interface (Accept all cookies / Manage cookies buttons) that was previously presented in the privacy policy document itself.
View change record →The updated privacy policy no longer includes explicit language describing Canva's use of non-essential cookies for personalization, advertising tailoring, and website analytics. Previously, the policy stated that Canva would use these cookies only if users accepted. The removal of this disclosure means the policy no longer clearly explains these cookie categories or presents a consent interaction for non-essential cookies at the point where this information was previously disclosed. Depending on applicable cookie law and Canva's implementation, users may need to consult additional documentation such as a separate cookie policy to understand how non-essential cookies are managed.
View change record →The updated privacy policy no longer explicitly discloses optional cookie uses or provides cookie preference controls on the privacy policy page itself. Previously, Canva stated it would use non-essential cookies for personalization, ad targeting, and analytics only if users accepted, and offered 'Accept all cookies' and 'Manage cookies' options. The removal of this disclosure and consent mechanism may affect how users understand cookie practices and when consent is obtained. Users who previously accessed cookie preferences through the privacy policy will need to locate these controls elsewhere on the Canva platform if they remain available.
View change record →If you are in the EU, EEA, UK, or Switzerland, you have legally enforceable rights over your personal data held by Canva, including rights to access, correct, delete, or export it, and to object to processing for marketing or legitimate interest purposes. If Canva does not respond to your request within the statutory timeframe, you can escalate to your national data protection authority.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Canva has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have certain rights under applicable data protection law, including the right to access, correct, and delete your personal information, to object to or restrict certain processing, to data portability, and to lodge a complaint with your local supervisory authority. To exercise these rights, please contact us at privacy@canva.com.— Excerpt from Canva's Canva Privacy Policy
REGULATORY LANDSCAPE: This provision directly reflects obligations under GDPR Articles 15-22 (data subject rights) and equivalent UK GDPR provisions. Applicable rights include the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), and rights related to automated decision-making (Article 22). Enforcement authorities include national supervisory authorities across EU member states, the UK ICO, and the Swiss Federal Data Protection and Information Commissioner. Canva, as a non-EEA controller, may be required to designate an EU representative under GDPR Article 27. GOVERNANCE EXPOSURE: Medium. The provision reflects appropriate GDPR transparency, but operational compliance depends on the adequacy of Canva's internal processes for responding to data subject access requests within the one-month statutory period, handling complex requests involving third-party data, and maintaining records of processing activities as required by GDPR Article 30. JURISDICTION FLAGS: EU and UK users have the highest protection levels. The right to data portability applies specifically to processing based on consent or contract, and in a machine-readable format, which may require specific technical implementation for design content. The right to object to processing based on legitimate interests is particularly relevant given Canva's broad invocation of legitimate interests as a processing basis. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers acting as data controllers who use Canva as a processor should ensure their data processing agreements address how data subject rights requests received by Canva are escalated to the controller, and vice versa. Business customers should assess whether they have independent obligations to fulfill data subject requests for personal data processed through Canva on their behalf. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Canva's data subject request handling process is operationally robust, including identity verification procedures, response time tracking, and escalation paths for complex requests. Organizations with large numbers of EU and UK users should confirm that Canva has designated an EU representative as required for non-EEA controllers under GDPR Article 27. The right to lodge a complaint with a supervisory authority should be prominently disclosed and easy to locate within the policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause operationalizes statutory obligations under GDPR and equivalent data protection frameworks by identifying the rights holders are entitled to invoke and establishing the procedural mechanism (email contact) through which Canva processes such requests. The provision ensures the terms acknowledge and facilitate compliance with regional data protection law requirements.
If you are in the EU, EEA, UK, or Switzerland, you have legally enforceable rights over your personal data held by Canva, including rights to access, correct, delete, or export it, and to object to processing for marketing or legitimate interest purposes. If Canva does not respond to your request within the statutory timeframe, you can escalate to your national …
ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Canva.