Privacy Policy
Privacy Policy for SimpleDraw
Last Updated: 22 December 2025
1. Introduction
Welcome to SimpleDraw. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at simpledraw.app and use our services.
Data Controller:
SimpleDraw is operated by Lexi Creative Ltd
Company Number: 16892165
Email: privacy@simpledraw.app
Website: https://simpledraw.app
We are the data controller for the personal data we collect through SimpleDraw.
Your Rights:
Under UK GDPR, you have rights regarding your personal data. These are detailed in Section 11 of this policy.
Questions or Complaints:
If you have questions about this policy or how we handle your data, please contact us at privacy@simpledraw.app.
You also have the right to complain to the Information Commissioner’s Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
2. Information We Collect
2.1 Information You Provide Directly
Account Information (Registered Users Only)
When you register for a SimpleDraw account, we collect:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, service communications | Contract performance |
| Password | Account security (stored as cryptographic hash only) | Contract performance |
| Display Name (optional) | Display name for public drawings | Contract performance |
| Account creation date | Account management | Contract performance |
| Subscription tier | Service provision (free/paid tier) | Contract performance |
Drawing Data (Cloud Storage Users Only)
When you save drawings to our cloud storage, we collect:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Drawing content | Provide cloud storage service | Contract performance |
| Drawing metadata | Title, creation date, last modified | Contract performance |
| Version history | Enable version control (paid accounts) | Contract performance |
| Visibility settings | Public/private/shared status | Contract performance |
Payment Information (Paid Subscribers Only)
We use Stripe to process payments. We collect:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Subscription tier | Service provision | Contract performance |
| Payment status | Account management | Contract performance |
| Last 4 digits of card | Customer support | Contract performance |
| Billing email | Payment communications | Contract performance |
Note: We do not store full credit card details. These are securely stored by our payment processor. See Section 5 for details.
2.2 Information Collected Automatically
Analytics Data
We use GoatCounter (https://www.goatcounter.com/) for privacy-friendly analytics. GoatCounter collects:
- Page views (aggregated counts only)
- Referrer information (which site you came from)
- Browser type and version (aggregated)
- Device type (desktop/mobile/tablet - aggregated)
- Country/region (aggregated)
Important:
- GoatCounter does NOT use cookies
- GoatCounter does NOT track you across websites
- We receive ONLY aggregated statistics (e.g., “200 visitors today”)
- We CANNOT identify individual visitors
- IP addresses are hashed and not stored in plain text
Legal Basis: Legitimate interest (understanding how our service is used to improve it, while protecting your privacy)
You can view GoatCounter’s privacy policy at: https://www.goatcounter.com/help/privacy
Application Performance Monitoring
We use New Relic to monitor application performance and errors. New Relic may collect:
- Error logs and stack traces (may occasionally contain user input)
- Performance metrics (page load times, API response times)
- Browser and device information (anonymized)
- Geographic region (country-level)
Important:
- New Relic is used solely for debugging and performance optimization
- We cannot identify individual users from this data
- Data is automatically deleted after 8-30 days
Legal Basis: Legitimate interest (maintaining service reliability and fixing bugs)
You can view New Relic’s privacy policy at: https://newrelic.com/termsandconditions/privacy
Error Tracking and Monitoring
We use Sentry to track application errors and crashes. Sentry may collect:
- Error logs and stack traces (may occasionally contain user input)
- Browser and device information (anonymized)
- Geographic region (city/region-level)
- User actions leading to errors (breadcrumbs)
Important:
- Sentry is used solely for debugging and fixing application errors
- We cannot identify individual users from this data
- Data is stored on Sentry’s EU servers
- Data is automatically deleted within 90 days
Legal Basis: Legitimate interest (maintaining service reliability and fixing bugs)
You can view Sentry’s privacy policy at: https://sentry.io/privacy/
Server Logs
We use Cloudflare Workers for hosting and do not maintain traditional server logs. Cloudflare may temporarily log requests for security and performance purposes. See Section 5 for details about Cloudflare.
2.3 Local Storage (Browser Storage)
We store data in your browser’s local storage to:
- Save your drawing work so you can continue later (even without an account)
- Remember your preferences (e.g. dismissed help dialogs, preferred units, grid preferences)
- Provide core functionality of the drawing tool
Important:
- This data stays on your device
- It does NOT leave your browser unless you explicitly save a drawing to cloud storage
- You can clear this data at any time through your browser settings
- We do not access this data
Legal Basis: Necessary for the service you’ve requested (strictly necessary)
2.4 Feedback Submissions
When you submit feedback through our feedback form, we collect:
- Your feedback or message content
- Your email address (optional - only if you want a response)
- Timestamp of submission
How we use this:
- To respond to your feedback (if you provided an email)
- To improve SimpleDraw based on your suggestions
- To fix bugs and issues you report
- To prioritize feature development
Legal Basis:
- Consent (you’re voluntarily submitting feedback)
- Legitimate interest (improving our service)
How long we keep it:
- Active feedback: Up to 3 years
- Anonymous feedback: Indefinitely (for product improvement)
If you don’t provide an email: Your feedback is anonymous and we cannot respond to you.
To delete your feedback: Email privacy@simpledraw.app
Storage: Feedback is stored in our Supabase database (see Section 5.1)
2.5 Waitlist Signups
When you join our waitlist, we collect:
- Your email address
- Features you’re interested in
- Timestamp of signup
- Source (e.g., “waitlist-form”)
How we use this:
- To notify you when requested features become available
- To prioritize feature development based on interest
- To send updates about SimpleDraw development
Legal Basis: Consent (you’re voluntarily joining the waitlist)
How long we keep it:
- Until you’re notified of feature availability
- Until you unsubscribe
- Maximum 2 years from signup
To unsubscribe: Email privacy@simpledraw.app with subject “Remove from Waitlist”
Storage: Waitlist data is stored in our Supabase database (see Section 5.1)
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide Our Services
- Create and manage your account
- Store and retrieve your drawings
- Authenticate you when you log in
- Provide version history (paid accounts)
- Enable sharing and collaboration features
- Process payments and manage subscriptions
Legal Basis: Contract performance
3.2 To Improve Our Services
- Understand how users interact with our drawing tool
- Identify which features are most used
- Detect and fix bugs
- Develop new features and functionality
- Optimize performance
- Analyze feedback submitted through our contact forms
- Respond to feature requests and bug reports
Legal Basis: Legitimate interest (improving our service)
3.3 To Communicate With You
We may send you emails for the following purposes:
Essential Communications
- Account verification (sent automatically by our authentication system)
- Password reset requests (sent automatically by our authentication system)
- Payment confirmations and receipts (sent automatically by Stripe)
- Subscription status changes (sent automatically by Stripe)
- Critical security notifications
Legal Basis: Contract performance and legal obligation
These are sent automatically and cannot be disabled as they are necessary for the service.
Service Communications
We may occasionally email you to:
- Respond to feedback you submitted (if you provided an email)
- Respond to your support requests
- Notify you of important service changes or updates
- Request feedback to help improve SimpleDraw
Legal Basis: Legitimate interest (providing and improving our service)
To opt out of service communications: Simply reply to any service email asking to be removed from non-essential communications, or email privacy@simpledraw.app. You will still receive essential automated emails (password resets, payment receipts).
Marketing Communications
We do not currently send marketing emails. If we introduce promotional communications in the future, we will obtain your explicit consent first.
Legal Basis: Consent (if we add this in future)
3.4 To Ensure Security and Prevent Abuse
- Detect and prevent fraud
- Identify and remove prohibited content
- Enforce our Terms & Conditions
- Comply with legal obligations
Legal Basis: Legal obligation and legitimate interest (protecting our service and users)
4. How We Share Your Information
4.1 Public Drawings
When you make a drawing public:
What is shared:
- Drawing content (all lines, shapes, text, measurements)
- Drawing title
- Creation date
- Your display name (if set) or “Anonymous”
Who can access it:
- Anyone visiting our website
- Anyone with internet access (drawings appear in public gallery)
- Search engines may index public drawings
What others can do:
- View your drawing
- Copy (clone) your drawing
- Modify their copy
- Make their copy (with or without modifications) public
Important: By making a drawing public, you grant other users a licence to copy and modify it. See our Terms & Conditions for details.
4.2 Shared Drawings
When you share a drawing via link:
Who can access it:
- Anyone with the specific URL
- People you share the link with can share it further
What they can do:
- View the drawing
- Copy (clone) the drawing
- Modify their copy
- Make their copy (with or without modifications) public
Important: Once someone clones your drawing, their copy is independent. You cannot control what they do with their copy, including whether they make it public.
To stop sharing: Change the drawing’s visibility to “private” or delete it. This only affects the original - cloned copies remain with those who made them.
4.3 Private Drawings
Private drawings are accessible only to:
- You (the creator)
- Our staff in limited circumstances (see Section 4.5)
4.4 Third-Party Service Providers
We share data with trusted third-party service providers who help us operate our service:
| Service Provider | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Cloudflare | Hosting, CDN, storage (R2) | Drawing data, account data | Europe (EU) | Cloudflare Privacy |
| Supabase | Database and Authentication | Email, password hash, account data, drawing metadata | United Kingdom | Supabase Privacy |
| Stripe | Payment processing | Payment information, email | USA | Stripe Privacy |
| GoatCounter | Privacy-friendly analytics | Aggregated usage data only | Netherlands (EU) | GoatCounter Privacy |
| Resend | Transactional emails | Email address, name | USA | Resend Privacy |
| New Relic | Application monitoring, error tracking | Error logs (may contain user input), performance metrics, browser metadata | EU | New Relic Privacy |
| Sentry | Error tracking and monitoring | Error logs (may contain user input), browser metadata, geographic region | EU | Sentry Privacy |
Data Processing Agreements: We have data processing agreements with all service providers that handle personal data, ensuring they comply with UK GDPR.
International Transfers: Some service providers are located outside the UK/EEA. See Section 9 for details on safeguards.
4.5 When We May Access Private and Shared Drawings
We will only access your private and shared drawings in the following limited circumstances:
- Security incidents: If we detect suspicious activity or potential abuse
- Legal obligations: When required by court order or law enforcement
- Technical support: Only with your explicit permission and request (or when you explicitly share a URL with us)
- Suspected prohibited content: If flagged by automated detection systems or if we receive a credible report of illegal content
We will NEVER:
- View private or shared drawings to train AI models or for any other purpose
- Share private or shared drawings with third parties (except as legally required)
Automated content detection:
We may use automated tools to detect prohibited content (such as illegal material or malware). These systems analyze drawing content but do not involve human review unless content is flagged as potentially problematic.
Aggregate analytics:
We may analyze aggregate statistics across all drawings for service improvement, such as:
- Performance optimization
- Feature usage patterns
- Storage requirements
- Technical metrics
This analysis processes only technical metadata and does not involve viewing individual drawing content.
4.6 Legal Requirements
We may disclose your information if required to:
- Comply with legal obligations (court orders, subpoenas)
- Respond to law enforcement requests
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Detect, prevent, or address fraud or security issues
4.7 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you via email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
5. Third-Party Services
5.1 Supabase
We use Supabase for:
- User authentication and account management
- Database storage
- Real-time data synchronization
Data processed by Supabase:
- Email addresses and password hashes
- Account information and user preferences
- User feedback submissions
- Waitlist signups
- Drawing metadata (titles, dates, visibility settings)
- Note: Drawing content is stored in Cloudflare R2, not Supabase
Supabase’s Privacy Policy: https://supabase.com/privacy
Data Location: United Kingdom, via Amazon Web Services (AWS) eu-west-2
Safeguards: Supabase Data Processing Addendum and Standard Contractual Clauses for international data transfers.
5.2 Cloudflare
We use Cloudflare for:
- Website hosting (Cloudflare Workers)
- Content delivery network (CDN)
- Cloud storage (Cloudflare R2)
- DDoS protection and security
Data processed by Cloudflare:
- Drawing data stored in R2
- Account information
- Request metadata (IP addresses, user agents - temporarily)
Cloudflare’s Privacy Policy: https://www.cloudflare.com/privacypolicy/
Data Location: Western Europe (WEUR)
Safeguards: Cloudflare uses Standard Contractual Clauses for international data transfers.
5.3 Stripe (Payment Processing)
We use Stripe to process payments securely.
Data collected by Stripe:
- Full payment card details
- Billing address
- Email address
- Transaction history
Important: We do NOT store your full credit card details. These are stored securely by Stripe.
Stripe’s Privacy Policy: https://stripe.com/privacy
Data Location: United States (Stripe’s production data is hosted in US data centers)
Safeguards: Stripe uses Standard Contractual Clauses for international data transfers and maintains compliance with:
- PCI DSS Level 1 (Payment Card Industry Data Security Standard)
- Multiple ISO standards
- EU-US Data Privacy Framework (where applicable)
Stripe’s Data Processing Agreement: Available at https://stripe.com/legal/dpa
5.4 GoatCounter Analytics
We use GoatCounter for privacy-friendly website analytics.
What GoatCounter does:
- Counts page views and visits
- Provides aggregated statistics
- Does NOT use cookies
- Does NOT track across websites
- Hashes IP addresses (not stored in plain text)
What we receive:
- Aggregated counts only (e.g., “200 visitors today”)
- No individual visitor data
- No ability to identify specific users
GoatCounter’s Privacy Policy: https://www.goatcounter.com/help/privacy
Data Location: EU (Netherlands)
5.5 Resend (Email Service Provider)
We use Resend to send transactional emails.
Emails we send:
- Account verification
- Password reset links
- Payment confirmations
- Important service updates
Data shared:
- Email address
- Name (if provided)
- Email content
Resend’s Privacy Policy: https://resend.com/legal/privacy-policy
Data Location: United States
Safeguards: Resend uses Standard Contractual Clauses for international data transfers and maintains compliance with industry-standard security practices for email delivery.
Resend’s Data Processing Agreement: https://resend.com/legal/dpa
5.6 New Relic (Application Performance Monitoring)
We use New Relic to monitor application performance and track errors.
Data processed by New Relic:
- Application performance metrics
- Error logs and stack traces (may occasionally contain user input or email addresses)
- Browser and device metadata
New Relic’s Privacy Policy: https://newrelic.com/termsandconditions/privacy
Data Location: EU
Safeguards:
- New Relic Data Processing Addendum
- Standard Contractual Clauses for international data transfers
- ISO 27001, SOC 2 Type II certified
- GDPR compliant
New Relic’s Data Processing Agreement: https://newrelic.com/termsandconditions/data-protection-addendum
Data Retention: Error logs are retained for 30 days, performance metrics for 8 days (depending on data type).
5.7 Sentry (Error Tracking)
We use Sentry to track and monitor application errors.
Data processed by Sentry:
- Error logs and stack traces (may occasionally contain user input or email addresses)
- Browser and device metadata
- User actions leading to errors (breadcrumbs)
- Geographic region (city/region-level)
Sentry’s Privacy Policy: https://sentry.io/privacy/
Data Location: EU
Safeguards:
- Sentry Data Processing Agreement
- Standard Contractual Clauses for international data transfers
- ISO 27001, SOC 2 Type II certified
- GDPR compliant
Sentry’s Data Processing Agreement: https://sentry.io/legal/dpa/
Data Retention: Error data is retained for up to 90 days.
6. Data Security
6.1 Security Measures We Implement
We take the security of your data seriously and implement the following measures:
Technical Measures:
- HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL
- Encryption at rest: Drawing data and database records are encrypted at rest
- Password hashing: Passwords are stored using industry-standard cryptographic hashing and are never stored in plain text
- Access controls: Strict access controls on cloud storage and databases
- Regular updates: We keep our software and dependencies up to date with security patches
- Secure authentication: Industry-standard authentication mechanisms
In the event of a security incident:
- We will investigate promptly
- We will notify affected users and the ICO as required by law
- We will take steps to prevent recurrence
6.2 Data Encryption at Rest
All data stored by SimpleDraw is encrypted at rest:
- Drawing content: Stored in Cloudflare R2 with automatic encryption
- Account data and metadata: Stored in Supabase with automatic encryption
- Passwords: Stored as cryptographic hashes (never in plain text)
Encryption and decryption are automatic and managed by our service providers.
6.3 Your Responsibilities
You are responsible for:
- Keeping your password secure and confidential
- Not sharing your account credentials
- Using a strong, unique password
- Logging out of shared devices
- Notifying us immediately if you suspect unauthorized access
6.4 No Absolute Security
Important: No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
By using our service, you acknowledge and accept this inherent risk.
6.5 Data Breach Notification
In the event of a data breach that affects your personal data:
Our obligations:
- Notify the ICO within 72 hours (as required by UK GDPR)
- Notify affected users without undue delay
- Provide information about what data was affected
- Explain the likely consequences
- Describe measures we’re taking to address the breach
How we’ll notify you:
- Email to your registered email address
- Notice on our website
What you should do:
- Change your password immediately
- Monitor your account for suspicious activity
- Be alert for phishing attempts
- Contact us if you have concerns
7. Data Retention
7.1 How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of your account | Provide service |
| Deleted account data | 30 days after deletion | Allow account recovery (at user’s request) |
| Permanently deleted accounts | Removed from active systems | Compliance |
| Backups | Up to 90 days | Disaster recovery |
| Active drawings | Until you delete them | Provide service |
| Deleted drawings | Immediately deleted | User request |
| Permanently deleted drawings | Removed from active systems | Compliance |
| Public drawings | See Section 7.2 | User choice |
| Payment records | 7 years | Legal obligation (tax law) |
| Support communications | 3 years | Customer service |
| Analytics data | Aggregated indefinitely | Service improvement |
7.2 Public Drawings After Account Deletion
When you delete your account, all your drawings are deleted, including public drawings.
What happens:
- All drawings (public, private, shared) are immediately deleted
- Drawings are removed from the public gallery
- Deletion is permanent and cannot be undone
Important: If others have cloned your public drawings, their copies remain unaffected. You only control your original drawings, not copies others have made.
Before deleting your account:
- Download copies of any drawings you want to keep
- Consider that public drawings will be removed from the gallery
- Remember that deletion is permanent
7.3 Legal Obligations
We may retain certain data longer if required by law, such as:
- Payment records (7 years for tax purposes)
- Records related to legal disputes
- Data subject to legal hold
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
8.1 Right of Access (Subject Access Request)
What it means: You can request a copy of all personal data we hold about you.
How to exercise: Email privacy@simpledraw.app with subject line “Subject Access Request”
What we’ll provide:
- Copy of your account information
- List of your drawings (metadata)
- Payment history
- Any other personal data we hold
Timeframe: Within 30 days (may be extended to 60 days for complex requests)
Cost: Free (unless request is manifestly unfounded or excessive)
8.2 Right to Rectification
What it means: You can ask us to correct inaccurate personal data.
How to exercise:
- Update your email address in account settings
- Email privacy@simpledraw.app for other corrections
Timeframe: Within 30 days
8.3 Right to Erasure (“Right to be Forgotten”)
What it means: You can request deletion of your personal data.
How to exercise:
- Use “Delete Account” button in account settings
What happens:
- Account is immediately deactivated (you cannot log in)
- 30-day recovery period (you can contact support@simpledraw.app to recover)
- After 30 days, permanently deleted from active systems
- May remain in backups for up to 90 days
- Public drawings: see Section 7.2
Limitations: We may retain data if required by law (e.g., payment records for tax purposes)
Timeframe:
- Account deactivation: Immediate
- Permanent deletion: 30 days
- Complete removal from backups: Up to 90 days
8.4 Right to Restrict Processing
What it means: You can ask us to limit how we use your data while we investigate a complaint or dispute.
How to exercise: Email privacy@simpledraw.app
Effect: We will store the data but not use it (except with your consent or for legal claims)
Timeframe: Within 30 days
8.5 Right to Data Portability
What it means: You can request your data in a machine-readable format to transfer to another service.
How to exercise: Email privacy@simpledraw.app with subject line “Data Export Request”
What we’ll provide:
- All your drawings in JSON format
- Account information in JSON format
- Drawing metadata
Format: JSON (machine-readable, structured format)
Timeframe: Within 30 days of request
8.6 Right to Object
What it means: You can object to processing based on legitimate interests.
How to exercise: Email privacy@simpledraw.app
Effect: We will stop processing unless we have compelling legitimate grounds that override your interests
Specific objections:
- Service communications (feedback requests, feature updates)
- Marketing communications (if we add these in future)
Note on analytics: We use GoatCounter for privacy-friendly analytics. GoatCounter:
- Does not collect personal data
- Does not use cookies
- Provides only aggregated statistics
- Cannot identify individual users
Because GoatCounter does not process personal data and we cannot identify individuals in the analytics, there is no personal data to exclude. If you have concerns about analytics, please contact us at privacy@simpledraw.app.
8.7 Right to Withdraw Consent
What it means: Where we rely on consent, you can withdraw it at any time.
How to exercise:
- Unsubscribe from marketing emails (if we add these)
- Email privacy@simpledraw.app
Effect: We will stop processing based on that consent (doesn’t affect processing that occurred before withdrawal)
Timeframe: Immediate
8.8 Right to Lodge a Complaint
What it means: You can complain to the supervisory authority if you’re unhappy with how we handle your data.
UK Supervisory Authority:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Timeframe: You can complain at any time
Note: We encourage you to contact us first (privacy@simpledraw.app) so we can try to resolve your concern.
9. International Data Transfers
9.1 Where Your Data is Stored
Your data may be stored and processed in the following locations:
| Data Type | Service | Location | Safeguards |
|---|---|---|---|
| Account data, authentication | Supabase | UK (London via AWS eu-west-2) | Supabase Data Processing Agreement, Standard Contractual Clauses |
| Drawing content | Cloudflare R2 | Western Europe (WEUR) | Cloudflare Data Processing Agreement, Standard Contractual Clauses |
| Drawing metadata | Supabase | UK (London via AWS eu-west-2) | Supabase Data Processing Agreement, Standard Contractual Clauses |
| Payment data | Stripe | United States | Stripe Data Processing Agreement, Standard Contractual Clauses, PCI DSS Level 1 |
| Email delivery | Resend | United States | Resend Data Processing Agreement, Standard Contractual Clauses |
| Analytics | GoatCounter | EU (Netherlands) | Within EEA (no transfer) |
| Error logs and monitoring data | New Relic | EU | Within EEA (no transfer) |
| Error logs and monitoring data | Sentry | EU | Within EEA (no transfer) |
9.2 Transfers Outside UK/EEA
Some of your data is transferred to the United States (payment processing via Stripe, email delivery via Resend). We ensure adequate protection through:
Standard Contractual Clauses (SCCs):
- Approved by the EU Commission
- Legally binding contracts with service providers
- Ensure GDPR-level protection
Additional Safeguards:
- Stripe: PCI DSS Level 1 certified, multiple ISO standards
- Resend: Industry-standard security practices for email delivery
EU-US Data Privacy Framework:
Some service providers may be certified under the EU-US Data Privacy Framework, which provides an adequacy mechanism for data transfers to participating US companies.
9.3 Your Rights
You can request:
- Copies of the Standard Contractual Clauses we use
- More information about data transfer safeguards
- Details about specific service providers
Email: privacy@simpledraw.app
10. Children’s Privacy
10.1 Age Restriction
To create an account and use cloud storage features, you must be at least 13 years old.
Children under 13 may use the basic drawing tool without creating an account, as it does not collect personal information.
We do not knowingly collect personal data from children under 13.
10.2 Parental Consent
If you are between 13 and 18 years old:
- You may use SimpleDraw’s free drawing tool without an account
- To create an account and use cloud storage, you should have parental consent
- We do not verify parental consent (you are responsible for obtaining it)
10.3 If We Discover Child Data
If we become aware that we have collected personal data from a child under 13 without parental consent:
- We will delete the account
- We will delete all associated data
- We will take steps to prevent future collection
10.4 Parents/Guardians
If you believe your child under 13 has created an account, please contact us immediately:
- Email: privacy@simpledraw.app
- Subject: “Child Privacy Concern”
- We will delete the account promptly
Note: Children under 13 may use the basic drawing tool without an account, as it does not collect personal information. Parents can clear browser data through browser settings if desired.
11. Cookies and Tracking Technologies
11.1 We Do Not Use Cookies
SimpleDraw does NOT use cookies for:
- Analytics
- Advertising
- Tracking
- Session management
11.2 Local Storage
We use browser local storage (not cookies) for:
- Saving your drawing work
- Storing UI preferences
- Providing core functionality
Difference from cookies:
- Local storage data never leaves your browser (unless you save to cloud)
- Not sent to our servers automatically
- You control this data through browser settings
11.3 Third-Party Cookies
Our third-party service providers do NOT set cookies:
- GoatCounter: No cookies
- Cloudflare: May use cookies for security (DDoS protection)
Cloudflare Security Cookies:
- Used only for security purposes (bot detection, DDoS protection)
- Strictly necessary for service operation
- No consent required under PECR
11.4 How to Manage Local Storage
You can clear local storage at any time:
Chrome: Settings > Privacy and Security > Clear browsing data > Cookies and other site data
Firefox: Settings > Privacy & Security > Cookies and Site Data > Clear Data
Safari: Preferences > Privacy > Manage Website Data > Remove
Note: Clearing local storage will delete unsaved drawing work.
12. Changes to This Privacy Policy
12.1 How We Update This Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable laws
- New features or services
- User feedback
12.2 How We Notify You of Changes
We may update this Privacy Policy from time to time.
How we notify you:
- Updated “Last Updated” date at top of this policy
- Notice on our website
- Email notification to registered users (for material changes)
Effective date:
- Changes are effective immediately upon posting, unless we specify a later date
- For material changes that significantly affect your rights, we will provide reasonable advance notice (typically 7-14 days)
Your acceptance:
- Continued use of SimpleDraw after changes are posted constitutes acceptance
- If you don’t agree with changes, you may delete your account
- For significant changes, we may require you to explicitly accept updated terms
We recommend: Check this Privacy Policy periodically for updates.
12.3 Your Acceptance
Continued use of SimpleDraw after changes take effect constitutes acceptance of the updated Privacy Policy.
If you do not agree with changes:
- Stop using the service
- Delete your account
- Contact us with concerns
12.4 Version History
We maintain previous versions of this Privacy Policy:
- Available upon request
- Email: privacy@simpledraw.app
13. Contact Us
For privacy and data protection enquiries:
Email: privacy@simpledraw.app
For general support:
Email: support@simpledraw.app
For security issues:
Email: privacy@simpledraw.app (mark subject line “SECURITY”)
Data controller:
Lexi Creative Ltd
Company Number: 16892165
Registered in England and Wales
Response times:
- General enquiries: Within 5 business days
- Data protection requests: Within 30 days
- Security reports: Prioritized and responded to as quickly as possible
For security issues: Mark subject line “SECURITY” for priority handling.
To complain to the ICO:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
14. Legal Basis Summary
For transparency, here’s a summary of our legal bases for processing:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contract performance | Art. 6(1)(b) |
| Cloud storage of drawings | Contract performance | Art. 6(1)(b) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| Transactional emails | Contract performance | Art. 6(1)(b) |
| Analytics (GoatCounter) | Legitimate interest | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Legal compliance (tax records) | Legal obligation | Art. 6(1)(c) |
| Marketing emails (if added) | Consent | Art. 6(1)(a) |
| Application monitoring (New Relic, Sentry) | Legitimate interest | Art. 6(1)(f) |
| Waitlist signup | Consent | Art. 6(1)(a) |
Legitimate Interest Assessment:
Where we rely on legitimate interest, we have assessed that:
- We have a legitimate reason for processing
- The processing is necessary for that purpose
- Your rights and interests do not override our legitimate interest
You can request a copy of our legitimate interest assessments by emailing privacy@simpledraw.app.