Canva, headquartered in Australia, transfers personal data from EU, UK, and Swiss users to other countries that may not have equivalent privacy protections, relying primarily on Standard Contractual Clauses approved by the European Commission to justify these transfers.
This analysis describes what Canva's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the procedural framework governing cross-border data transfers under GDPR and equivalent data protection regimes. The use of standard contractual clauses creates a documented legal mechanism intended to maintain data protection standards during international transfers, which is operationally significant for regulatory compliance and data subject protections.
The updated privacy policy no longer explicitly discloses that Canva uses cookies to personalize ads, analyze website performance, or tailor content on partner sites. Previously, the policy stated these purposes and directed users to the cookie policy for more information and choice. The revised policy now mentions only that essential cookies are used to make Canva work. This change removes transparency about non-essential cookie uses and eliminates the cookie consent interface (Accept all cookies / Manage cookies buttons) that was previously presented in the privacy policy document itself.
View change record →The updated privacy policy no longer includes explicit language describing Canva's use of non-essential cookies for personalization, advertising tailoring, and website analytics. Previously, the policy stated that Canva would use these cookies only if users accepted. The removal of this disclosure means the policy no longer clearly explains these cookie categories or presents a consent interaction for non-essential cookies at the point where this information was previously disclosed. Depending on applicable cookie law and Canva's implementation, users may need to consult additional documentation such as a separate cookie policy to understand how non-essential cookies are managed.
View change record →The updated privacy policy no longer explicitly discloses optional cookie uses or provides cookie preference controls on the privacy policy page itself. Previously, Canva stated it would use non-essential cookies for personalization, ad targeting, and analytics only if users accepted, and offered 'Accept all cookies' and 'Manage cookies' options. The removal of this disclosure and consent mechanism may affect how users understand cookie practices and when consent is obtained. Users who previously accessed cookie preferences through the privacy policy will need to locate these controls elsewhere on the Canva platform if they remain available.
View change record →If you are an EU, UK, or Swiss user, your personal data is transferred to Canva's servers and service providers outside your jurisdiction, including to Australia and potentially the United States, under Standard Contractual Clauses that are contractual rather than regulatory guarantees. The practical enforceability of these protections from a consumer perspective depends on Canva's compliance with the clause obligations and the availability of remedies in the destination country.
How other platforms handle this
When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to other countries that have not been found to provide an adequate level of data protection, we use legal mechanisms such as Standard Contractual Clauses approved by the European Commission to h...
Your personal information may be transferred to, processed and stored in countries other than the country in which you are resident, including the United States, Australia, Canada, the European Union and the UK. We take appropriate safeguards to protect your personal information in accordance with t...
Your personal information may be transferred to and processed in countries outside your country of residence, including the United States and Israel, which may have data protection laws that differ from those in your country. We rely on appropriate safeguards, such as standard contractual clauses ap...
Monitoring
Canva has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We transfer personal information from the EEA, the UK, and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do, we use a variety of legal mechanisms, including contracts, such as the standard contractual clauses published by the European Commission, to help ensure your rights and protections travel with your data.— Excerpt from Canva's Canva Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (restrictions on international data transfers), which requires either an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, or derogations. The EU-US Data Privacy Framework provides an adequacy pathway for US transfers if Canva's US service providers are certified, but Australia does not currently have an EU adequacy decision, making SCCs the operative transfer mechanism for Australia-bound flows. The UK has its own parallel regime under the UK GDPR and the International Data Transfer Agreement. Enforcement authorities include EU supervisory authorities and the UK ICO. GOVERNANCE EXPOSURE: Medium. SCCs are a recognized and widely used transfer mechanism, but post-Schrems II they must be accompanied by transfer impact assessments evaluating whether the legal environment in the destination country undermines the protections the SCCs provide. The absence of an EU adequacy decision for Australia creates ongoing compliance overhead. JURISDICTION FLAGS: EU and EEA users have the highest exposure given that GDPR Chapter V requires documented transfer mechanisms and transfer impact assessments. UK users are subject to the UK GDPR and require International Data Transfer Agreements or UK-approved addenda. Swiss users are subject to the revised Federal Act on Data Protection. Organizations in regulated sectors such as financial services or healthcare should assess whether sector-specific data localization requirements apply. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request confirmation from Canva that transfer impact assessments have been completed for all jurisdictions to which EU and UK data is transferred. Procurement teams should verify that Canva's data processing agreements incorporate the current EU SCCs module appropriate to the controller-processor relationship. Organizations subject to strict data residency requirements should assess whether Canva's international transfer practices are compatible with their obligations. COMPLIANCE CONSIDERATIONS: Legal teams should confirm that Canva has executed the 2021 EU Standard Contractual Clauses and has completed documented transfer impact assessments for transfers to Australia and any US-based sub-processors. UK compliance teams should confirm whether Canva has adopted the UK International Data Transfer Agreement or the EU SCCs with UK addendum. Annual reviews of transfer mechanisms are recommended given the evolving regulatory landscape.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the procedural framework governing cross-border data transfers under GDPR and equivalent data protection regimes. The use of standard contractual clauses creates a documented legal mechanism intended to maintain data protection standards during international transfers, which is operationally significant for regulatory compliance and data subject protections.
If you are an EU, UK, or Swiss user, your personal data is transferred to Canva's servers and service providers outside your jurisdiction, including to Australia and potentially the United States, under Standard Contractual Clauses that are contractual rather than regulatory guarantees. The practical enforceability of these protections from a consumer perspective depends on Canva's compliance with the clause obligations …
ConductAtlas has identified this type of provision across 11 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Canva.