Privacy Policy

1. Introduction

GenCanvas.ai ("GenCanvas", "the Platform", "we", "us", "our") is operated by MHBB Ventures LLP, a limited liability partnership registered under the Limited Liability Partnership Act, 2008, having its registered office in Mumbai, Maharashtra, India. This Privacy Policy describes the categories of personal and non-personal data we collect, the purposes for which such data is processed, the technical and organisational measures we employ to protect it, and the rights available to you under applicable law, including but not limited to the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act"), to the extent notified and in force.

By accessing or using GenCanvas, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using GenCanvas on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to this Privacy Policy.

2. Data We Collect

2.1 Account & Identity Data

Authentication is handled by our third-party identity provider, Clerk. When you sign in, Clerk transmits your email address, display name, and profile image to GenCanvas via authenticated webhooks and server-side API calls. This data is stored in our database and associated with your organisation record for the sole purpose of access control, role assignment, and audit attribution.

2.2 User-Generated Content

We store all content you create or upload, including:

• Projects, folders, organisational and project-level settings
• AI generation prompts, generation parameters, and resulting images, videos, and chat outputs
• Chat conversations, including individual messages and file attachments
• Presets, pipeline configurations, pipeline runs, and scaffold metadata
• Uploaded assets (reference images, context files, thumbnails, documents)
• Tags, notes, and other metadata you attach to any record

2.3 Credential Data

To enable AI generation and cloud storage, you or your organisation administrator may provide Google Cloud Platform (GCP) service account credentials and/or S3-compatible storage credentials (access keys, secret keys, bucket configuration). These credentials are encrypted at rest using AES-256-GCM authenticated encryption before being persisted to our database. The encryption key is stored separately from the encrypted data. We do not have the ability to recover encrypted credentials if the encryption key is lost, and this is by design.

2.4 Audit & Access Logs

For security, compliance, and accountability, we maintain audit logs of actions performed within your organisation. Each audit entry records: the action type, timestamp (ISO-8601), user ID, resource type, resource ID, contextual metadata (e.g., prompt snippets, file names, dimension changes), your IP address (derived from request headers), and your browser user-agent string. Audit logs are append-only and scoped to your organisation.

2.5 Client-Side Storage

GenCanvas uses browser localStorage solely for non-sensitive UI preferences (sidebar collapse state, sort preferences) scoped per project. We do not use tracking cookies, advertising cookies, or third-party analytics pixels. Clerk may set its own session cookies strictly for authentication purposes and subject to Clerk's own privacy policy.

3. Third-Party Service Providers

GenCanvas integrates with multiple third-party services to deliver its functionality. Each of these providers operates under its own independent privacy policy, terms of service, and data protection commitments. We do not control, and expressly disclaim responsibility for, the data practices of these third-party providers. You are encouraged to review their respective policies independently.

• Clerk (Authentication & Identity) — Processes your sign-in credentials, session tokens, and profile data. Clerk's data processing is governed exclusively by Clerk's Privacy Policy and Clerk's Terms of Service. We have no visibility into or control over how Clerk stores, processes, or transfers your authentication data within its infrastructure.
• Google Cloud Platform (Vertex AI, Cloud Storage) — AI generation requests (prompts, reference images, context files) are transmitted to Google's Vertex AI APIs using your own GCP project credentials. Generated outputs (images, videos, chat responses) are returned by Google and stored by GenCanvas. If configured, files may also be stored in Google Cloud Storage buckets under your GCP project. All data transmitted to or stored within Google Cloud is subject to Google Cloud's Terms of Service, Google Cloud's Data Processing Terms, and Google's Privacy Policy. We make no representations regarding Google's data handling, retention, or training practices.
• S3-Compatible Storage Providers — When configured by your organisation (AWS S3, Cloudflare R2, MinIO, Backblaze B2, or others), assets are stored in your designated bucket using credentials you provide. Each storage provider operates under its own terms of service and data processing agreements. We do not guarantee the security, availability, or compliance posture of any third-party storage provider you choose to configure.

We do not sell, rent, trade, or otherwise share your personal data with third parties for advertising, marketing, or data brokerage purposes. Data is transmitted to the above services solely as necessary to provide the Platform's functionality.

3A. Subprocessors

The following subprocessors may process your data as part of delivering the Service. All subprocessors are bound by their own data protection policies and, where applicable, contractual obligations regarding confidentiality and data security.

This list may be updated as we add or change service providers. We will update this page to reflect any changes.

3B. How We Use Your Data

No Model Training (Default)

As of the date of this policy, GenCanvas does not use your content — including prompts, uploads, generated outputs, chat messages, presets, or any other user data — to train, fine-tune, or improve any machine learning model, algorithm, or AI system.

Service Operations & Diagnostics

We may access, review, or analyse your data (including prompts, generation outputs, metadata, and logs) for the following operational purposes:

• Diagnosing, debugging, and resolving technical issues, errors, or service disruptions
• Investigating security incidents, abuse, or violations of these Terms
• Responding to user support requests
• Ensuring the integrity and performance of the Service
• Complying with legal obligations, regulatory requests, or law enforcement inquiries

Such access is limited to personnel with a legitimate operational need and is subject to our internal access controls and audit logging.

Aggregated & Anonymised Data

We may collect, aggregate, and anonymise data derived from your use of the Service (such as feature usage patterns, error rates, and generation volumes) in a manner that does not identify you or your organisation. We may use such aggregated and anonymised data for any purpose, including service improvement, analytics, and research, without restriction or obligation to you.

Future Use for Model Training

If we ever decide to use identifiable user data for training or improving machine learning models, we will: (a) update this Privacy Policy to reflect the change, (b) provide prominent notice through the Service, and (c) where required by applicable law, obtain your explicit, informed consent before any such use. You will always have the right to opt out of such use.

Third-Party AI Provider Data Practices

When your prompts and files are sent to third-party AI providers (such as Google Vertex AI), those providers' own data usage and training policies apply. We recommend reviewing Google's data usage policies for Vertex AI to understand how your generation data may be handled on their end. We make no representations regarding whether third-party providers use your data for their own model training or improvement purposes.

3C. Credential Revocation & Access Control

You retain full control over the credentials you provide to GenCanvas. You may revoke or rotate your GCP service account credentials, S3 access keys, or any other credentials at any time through the respective provider's console (e.g., Google Cloud IAM, AWS IAM). Revoking credentials will immediately prevent GenCanvas from accessing the associated services on your behalf.

Organisation administrators can also remove stored credentials from GenCanvas at any time through the organisation or project settings interface.

4. Credential Storage & Security Measures

We implement the following security measures:

• Encryption at rest — GCP service account keys, S3 access credentials, and other sensitive secrets are encrypted using AES-256-GCM (authenticated encryption with associated data) before database storage. The encryption key is a 256-bit key stored separately from the database, with file-system permissions restricted to the application process owner.
• Organisation-scoped data isolation — Every database query is scoped by organisation ID at the SQL level. Project-level role-based access control (owner, manager, editor, viewer) provides an additional isolation layer. Cross-organisation data access is architecturally prevented.
• Preview link tokens — Shared preview links are authenticated via HMAC-SHA256 signed tokens with configurable time-to-live (default: 72 hours). Token verification uses timing-safe comparison to prevent timing attacks.
• File upload validation — Uploaded files are validated for size, type, and filename safety. Path traversal attacks are blocked. File names are replaced with random UUIDs on storage.
• SHA-256 content deduplication — Uploaded and generated files are deduplicated by content hash. Identical files are stored once and referenced by hash, scoped to your organisation.

5. File Storage & Processing

Files uploaded to or generated by GenCanvas are stored in one of the following locations depending on your organisation's configuration: the local server filesystem, a Google Cloud Storage bucket, or an S3-compatible storage bucket. All storage is scoped to your organisation; files are never shared across organisations. Files are deduplicated using SHA-256 content hashing — identical files are stored once and referenced by their hash.

When you configure third-party cloud storage, your files leave our direct infrastructure and are governed by the terms and security practices of the storage provider you select. We are not responsible for data loss, corruption, or unauthorised access that occurs within third-party storage infrastructure.

6. Analytics & Tracking

GenCanvas does not use any third-party analytics services, tracking pixels, advertising networks, or behavioural tracking cookies. We do not build user profiles for advertising purposes. We do not track your activity across websites. The only client-side storage is browser localStorage for non-sensitive UI preferences (sidebar state, sort order).

7. Data Retention & Deletion

Your data is retained for the duration of your account and organisation's active use of the Platform. GenCanvas provides user-initiated deletion mechanisms: individual records (generations, assets, presets, etc.) can be soft-deleted (moved to trash) and subsequently hard-deleted permanently. Deleting an organisation cascades to all associated data, including projects, generations, assets, presets, pipelines, members, credentials, and audit logs.

Deletion from GenCanvas does not guarantee deletion from third-party services. Files stored in your GCS or S3 buckets, data processed by Google Vertex AI, and authentication records held by Clerk are subject to the retention policies of those respective providers. It is your responsibility to manage data retention within those services independently.

8. Organisational Responsibility & Employee Notification

If you use GenCanvas as part of an organisation (company, studio, agency, educational institution, or any other entity), the organisation administrator (typically the "owner" role) is responsible for:

• Informing all employees, contractors, and collaborators ("Organisation Members") about the types of data collected by GenCanvas and the purposes for which it is processed
• Communicating the organisation's own data retention, access, and deletion policies to Organisation Members
• Obtaining any consents required from Organisation Members under applicable data protection laws before inviting them to the Platform
• Ensuring that credentials (GCP service accounts, S3 keys) provided to GenCanvas are appropriately scoped and that the organisation has authority to use them
• Configuring appropriate project access modes, roles, and permissions to reflect the organisation's internal access control requirements
• Reviewing audit logs periodically for compliance with internal policies

MHBB Ventures LLP is not responsible for an organisation's failure to notify its members, obtain required consents, or comply with its own internal data governance obligations.

9. Multi-Tenancy & Data Isolation

GenCanvas is a multi-tenant platform. Each organisation operates in a logically isolated data environment. All database queries are scoped by organisation ID, and project-level permissions provide an additional access control layer. While we implement logical isolation at the application and database query levels, all organisations share the same underlying infrastructure (database server, application runtime, network). If your compliance requirements mandate physical data isolation (dedicated infrastructure, separate database instances), GenCanvas in its standard configuration may not meet those requirements.

10. AI Content & Data Processing Disclaimer

When you use GenCanvas to generate images, videos, or chat responses, your prompts, reference images, and context files are transmitted to Google's Vertex AI APIs for processing. We have no control over how Google processes, stores, retains, or uses this data within its infrastructure. Google's data handling practices, including whether generation data may be used for model training or improvement, are governed solely by Google's terms. You should review Google's Cloud Data Processing Addendum and Vertex AI terms before submitting sensitive or proprietary content.

11. Children's Privacy

GenCanvas is not intended for use by individuals under the age of 18, or the age of majority in your jurisdiction, whichever is higher. We do not knowingly collect personal data from minors. If you are an organisation administrator, you must ensure that no minor is granted access to the Platform. If we become aware that a minor's personal data has been collected, we will take steps to delete it promptly.

12. International Data Transfers

MHBB Ventures LLP is based in India. However, your data may be processed and stored in jurisdictions outside India depending on the third-party services your organisation configures (e.g., Google Cloud regions, S3 bucket locations, Clerk's infrastructure). By using GenCanvas, you consent to the transfer and processing of your data in jurisdictions that may have different data protection standards than your country of residence. It is the organisation administrator's responsibility to configure storage regions that meet their compliance requirements.

13. Your Rights

Subject to applicable law (including the DPDP Act, 2023 to the extent notified), you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate personal data
• Request deletion of your personal data (subject to legitimate retention needs such as audit log integrity and legal obligations)
• Withdraw consent where processing is consent-based
• Lodge a grievance with the Data Protection Board of India, once constituted, or any other applicable regulatory authority

To exercise these rights, contact us at the address provided in Section 15. We will respond within a reasonable timeframe and in any event within the period required by applicable law.

14. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of GenCanvas after the revised Privacy Policy is posted constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

15. Contact & Grievance Redressal

If you have any questions, concerns, or grievances regarding this Privacy Policy, your data, or our data practices, you may contact: