This policy describes what personal information KinCanvas collects, how we use it, and who else processes it on our behalf. It applies to the service at kincanvas.app.
1. Who we are
KinCanvas is operated by the developer of kincanvas.app (“we”, “us”). You can reach us at hello@kincanvas.app.
2. What we collect
We collect only what we need to operate the service:
- Your email address — used to sign you in via magic link or one-time code.
- Tree content you create — names, dates, places, relationships, bios, photos you upload, and audio recordings you make. This is information you supply, including information about other people you choose to add.
- Membership and invitations — which trees you belong to, what role you have, and metadata about invites you create or accept.
- Push notification subscriptions — if you opt in, we store an endpoint URL and cryptographic keys provided by your browser so we can deliver notifications. We don’t store any other device identifiers.
- Operational logs — minimal server logs from our hosting providers (IP addresses, request paths) used for debugging and abuse detection. We don’t use analytics cookies or third-party trackers.
We don’t request or store payment information; KinCanvas is free to use.
3. How we use it
- To run the service — store and display your tree, sync edits, deliver invitations.
- To authenticate you and protect your account.
- To process audio recordings into transcripts and suggested edits via OpenAI’s API (only when you use the recording feature).
- To send transactional emails (sign-in codes, invitations).
- To send push notifications about new features, only if you’ve opted in.
- To investigate and prevent abuse, fraud, and violations of our terms.
We don’t sell your information, and we don’t use it to train AI or machine-learning models — ours or anyone else’s.
4. Who else processes your data
KinCanvas is built on infrastructure operated by other companies (“subprocessors”). They process data only on our instructions and only to operate the service:
- Supabase — database, authentication, and file storage. Hosted on Amazon Web Services. (privacy policy)
- Vercel — hosts the web application and its edge/serverless functions. (privacy policy)
- Resend — delivers transactional email (sign-in codes and invitations). (privacy policy)
- OpenAI — transcribes audio recordings (Whisper) and extracts proposed tree edits (GPT-4o-mini) when you use the oral-history feature. OpenAI does not train on API-submitted content. (data usage policies)
- Web push providers — Apple, Google, and Mozilla, who relay push notifications to subscribers’ devices.
5. International transfers
Our subprocessors operate data centers in the United States and elsewhere. By using KinCanvas, you understand that your data may be processed in countries other than your own, including in the United States.
6. How long we keep it
We retain your data for as long as your account exists. If you delete your account, we delete your profile and the trees you own within 30 days. Content in trees you don’t own remains with the owner. Server logs are typically rotated within 90 days. Audio recordings sent to OpenAI for transcription are retained by OpenAI per their data usage policies (currently 30 days for abuse monitoring) before being deleted on their side.
7. Your rights
You have the right to access, correct, delete, or export the personal data we hold about you. Most of these you can do directly in the app: profiles are visible to you, you can edit your own profile and trees you have edit rights on, and you can delete your account.
For requests we can’t fulfill in-app — including requests from people mentioned in someone else’s tree — email us at hello@kincanvas.app. We’ll verify your identity and respond within 30 days.
If you’re in the EU/UK, you have additional rights under GDPR including the right to object to processing and to lodge a complaint with your local supervisory authority.
8. Security
We use industry-standard security practices: TLS for all traffic, encrypted-at-rest storage for files and databases, row-level security in the database so members of one tree cannot read another tree’s data, and hashed (SHA-256) invitation tokens. That said, no online service is completely secure. If you suspect a vulnerability, email hello@kincanvas.app.
9. Children
KinCanvas is not directed at children under 13, and we don’t knowingly create accounts for them. If you become aware that a child has signed up, contact us and we’ll delete the account.
People between 13 and 16 may appear as profiles in a tree (added by a parent or guardian). We treat such profiles with the same care as adult profiles.
10. Cookies and tracking
We use only the cookies necessary to keep you signed in (set by Supabase Auth) and to refresh your session. We don’t use analytics cookies, advertising trackers, or third-party fingerprinting. No cookie banner is needed because we don’t set non-essential cookies.
11. Push notifications
We send push notifications only when you opt in from the What’s New page. You can unsubscribe at any time from the same screen or via your browser/OS notification settings. We use the W3C Web Push standard, which means delivery goes through Apple, Google, or Mozilla’s push services depending on your device.
12. Changes
If we make a meaningful change to this policy, we’ll notify you and update the “Last updated” date.
13. Contact us
Email hello@kincanvas.app for any privacy question or to exercise your rights above.