Privacy Policy
Effective Date: 01.01.2026
Last Updated: 01.01.2026
1. Introduction
Iterate OÜ ("we," "us," or "our") operates Garden Canvas (the "Service"). This Privacy Policy explains how we collect, use, and protect your personal data when you use our Service, and your rights under the General Data Protection Regulation (GDPR).
For the purpose of the GDPR:
- We are the Data Controller for your account information (e.g., your billing details, login credentials).
- We are the Data Processor for the content you upload or manage within our SaaS platform (e.g., your customers' data). We process this data strictly based on your instructions.
2. Personal Data We Collect
We collect and process the following data:
- Account Information: Name, email address, billing address, and payment information (processed via our payment provider [e.g., Stripe]).
- Technical Usage Data: IP addresses, browser type, device type, operating system, and page interaction data (logs) to ensure security and improve the app.
- Cookies and Analytics:
  - Essential Cookies: Necessary for the app to function (e.g., keeping you logged in).
  - PostHog: We use PostHog to understand how our Service is used. This service collects technical data (IP address, device info) and usage events.
3. Lawful Basis for Processing
We only process your data when we have a legal reason to do so:
- Contractual Necessity: To provide the Service to you (e.g., logging you in, processing payments).
- Legitimate Interest: To improve our Service, prevent fraud, and ensure security.
- Legal Obligation: To comply with tax laws (e.g., retaining invoice data).
- Consent: For sending optional marketing newsletters.
4. How We Share Your Data
We do not sell your personal data. We share data only with the following third-party service providers (Sub-processors) who help us operate the Service:
- Hosting & Infrastructure: Google Cloud Platform (GCP). Data is stored primarily in the United States.
- Payment Processing: Stripe. Stripe processes payment details directly; we do not store full credit card numbers on our servers.
- Analytics: PostHog. Used for tracking user behavior and website performance in a privacy-focused way.
All third parties have signed Data Processing Agreements (DPAs) with us to ensure GDPR compliance.
5. International Transfers
Some of our servers or vendors are located outside the EEA (e.g., USA). In these cases, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs).
6. Data Retention
We retain personal data only as long as necessary:
- Account Data: Retained as long as your account is active. If you delete your account, we delete your personal data within 30 days.
- Billing Records: Retained for 7 years to comply with tax laws.
- Logs: Retained for 90 days for security auditing.
7. Your Rights
Under the GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request that we delete your data ("Right to be Forgotten"), subject to legal retention obligations (like tax laws).
- Portability: Receive your data in a structured, machine-readable format (e.g., JSON/CSV).
To exercise these rights, email us at hello@gardencanvas.app.
8. Security
We implement industry-standard security measures, including encryption in transit (HTTPS/TLS) and encryption at rest, to protect your data. However, no method of transmission over the Internet is 100% secure.
9. Contact Us
If you have questions about this policy, please contact us: hello@gardencanvas.app.