Privacy Policy
Last Updated: 2026-05-19
Introduction
Canvas Tasks ("the Service") respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we handle your personal information in accordance with the Act on the Protection of Personal Information of Japan ("APPI"). The Service is operated in Japan and is governed by Japanese law.
Business Operator Information
The personal information handling business operator for the Service is as follows: • Operator: Takafumi Okubo • Address: 2F-C Shibuya Dogenzaka Tokyu Building, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan • Personal Information Protection Manager: Takafumi Okubo • Contact: [email protected]
Information We Collect
We collect the following information: • Account Information: Email address, display name, profile picture (when using Google sign-in) • Task Data: Tasks, ideas, categories, and phase information you create • Payment Information: Stripe customer ID, subscription details (when using a paid plan) • Usage Data: Service usage and settings • Technical Information: Browser type, access time, IP address • Cookies and Identifiers: Cookie identifiers, Google Analytics client ID, and advertising identifiers (only when cookie consent has been granted)
Payment Data Handling
If you use a paid plan, payments are processed through Stripe, Inc. Sensitive payment information such as credit card numbers is not stored on our servers and is securely managed by Stripe. We store your Stripe customer ID and subscription information (plan, status, billing period). Please check Stripe's privacy policy below.
Stripe Privacy PolicyHow We Use Your Information
We use the personal information we collect within the scope of the following purposes: • Providing, maintaining, and improving the Service • User authentication, account management, and prevention of unauthorized use • Storing your tasks, ideas, and related data in the cloud and synchronizing them across your devices • Processing payments, managing subscriptions, and sending billing-related communications for paid plans • Responding to inquiries and providing customer support • Analyzing service usage to improve existing features and develop new ones • Sending important notices and notifications of changes to our Terms of Service or Privacy Policy If we intend to use personal information for any purpose beyond those listed above, we will obtain your consent in advance.
Retention Period
We retain personal information only for as long as necessary to fulfill the purposes of use, and will promptly delete or anonymize it when no longer required. • Account and related data: Retained while your account is active • Upon account deletion: When you request account deletion from the settings screen, your account and related data (tasks, ideas, categories, etc.) stored in our database will be deleted immediately. Any data contained in operational backups will be fully erased within a reasonable period as backups are rotated • Payment and billing information: If you have used a paid plan, such information will be retained in accordance with the retention periods required by applicable laws (the Companies Act, the Corporation Tax Act, the Consumption Tax Act, etc.) • Inquiry records: Retained for a reasonable period after resolution and then deleted
Data Storage and Security
Your data is stored on servers with industry-standard security measures. Communications are encrypted with SSL/TLS to protect data from unauthorized access. However, we cannot guarantee complete security over the internet.
Security Measures
We implement the following security measures: • SSL/TLS encryption for all communications • Secure authentication via Firebase Authentication • No storage of credit card information (managed by Stripe) • Proper access control management • Regular security updates
Response to Data Breaches
In the event of a leak, loss, damage, or other incident involving personal information that requires reporting under the APPI, we will promptly report to the Personal Information Protection Commission and notify affected users. We will also investigate the cause and take measures to prevent recurrence.
Cookies
We use cookies to improve user experience and maintain service functionality. Cookies are used for maintaining login state, saving language preferences, and remembering theme settings.
Analytics Tools
The Service uses Google Analytics 4 (provided by Google LLC, "GA4") to understand usage patterns and improve features. GA4 uses cookies to collect information about your interactions with the site (page views, feature usage, referrer, IP address, etc.). The Service implements Google Consent Mode v2, and analytics cookies and identifiers (client ID) are set only when you have granted the "Analytics" category in the cookie consent. If consent is not granted, the Service does not set identifier-bearing cookies and does not perform individual user-level tracking (Google may still receive minimal signals that do not contain identifiers, in accordance with the Consent Mode specification). • Opt-out: You can withdraw your "Analytics" consent at any time from the cookie consent banner or the consent settings screen. Withdrawal stops the setting of analytics cookies. • For more details on Google's data collection, please see Google's Privacy Policy (https://policies.google.com/privacy) and the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).
Advertising
Once you have made a choice (accept or decline) on the cookie consent banner, free-plan users 14 or more days after registration may see ads in parts of the screen (including third-party ads such as Google AdSense). Until you have responded to the cookie consent banner, no ad slots are displayed. • If you have allowed the "Marketing" category in the cookie consent: personalized ads based on your browsing history may be served. • If you have not allowed the "Marketing" category: only non-personalized (contextual) ads that do not use your browsing history are served. The use of ad-related cookies and advertising identifiers is disabled. • Consent and withdrawal: You can change your choice at any time from the consent banner or settings screen. • Third-party ad providers: Google LLC (AdSense). Google may use cookies to serve ads based on your visits to this site and other sites. Please see Google's privacy policy for details. • Upgrading to the Pro plan stops all ads and ad-related tracking.
Trial Abuse Prevention
To prevent re-consumption of the 14-day free trial, the Service stores a SHA-256 hash (emailHash) of your normalized email address (where +alias and dot variants on gmail.com are unified). The hash is one-way and cannot be reverted to the original address. It is stored under a unique constraint in the TrialHistory table, and is used solely to prevent granting trials to email addresses that have already consumed one. The emailHash may be retained even after account deletion to keep this protection effective. At checkout, Stripe's unique credit-card fingerprint (cardFingerprint) may be retained for the same purpose. These values are not used for any purpose other than trial control.
Third-Party Services and Cross-Border Data Transfer
The Service uses the following third-party services (entrusted vendors) and entrusts the handling of personal information to them within the scope necessary to operate the Service. Each of these vendors is located in the United States. Accordingly, pursuant to Article 28 of the APPI, the Service provides personal data to third parties in a foreign country only after obtaining the user's consent, and your agreement to this Privacy Policy shall constitute such consent. [Information required under Article 28, Paragraph 2 of the APPI] • Destination country: United States of America • Vendors and purpose of handling: - Firebase Authentication (Provider: Google LLC): User authentication - Google Cloud Platform (Provider: Google LLC): Database and server hosting - Stripe, Inc.: Payment processing - Google Analytics 4 (Provider: Google LLC): Usage analytics (identifier-bearing data is transmitted only when the "Analytics" cookie category is granted) - Google AdSense (Provider: Google LLC): Ad delivery (only for free-plan users 14+ days after registration and after the cookie consent choice is made; personalized ads are served only when the "Marketing" cookie category is granted, otherwise non-personalized ads without advertising identifiers are served) • Personal information protection system of the destination country: For information regarding the personal information protection system of the United States, please refer to the following page published by the Personal Information Protection Commission of Japan: https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/#gaikoku • Protective measures taken by the vendors: Each vendor implements security measures corresponding to the eight principles of the OECD Privacy Guidelines, based on its own privacy policy and a data processing agreement with the Service.
Your Rights
You have the following rights: • Access: The right to access and review your data • Correction: The right to request correction of inaccurate data • Deletion: The right to request deletion of your account and data • Export: The right to export your data To exercise these rights, use the settings page or contact us.
Data Access, Correction, and Deletion Requests
If you wish to request disclosure, correction, or deletion of your personal information, please contact us via the feedback feature in the Service or by email. We will respond within a reasonable period after verifying your identity. You can also delete your account and all associated data from the "Data Management" section in Settings.
Policy Changes
This Privacy Policy may be updated as needed. We will notify you of significant changes through the Service.
Contact
If you have questions or concerns about privacy, please contact us through the feedback feature in the Service.