Privacy Policy
Last updated: April 18, 2026
About BioCanvas
BioCanvas is a scientific figure editor built and maintained as part of the agentic-federation GitHub organization. This policy explains what data we collect, how we use it, and your rights.
Data Controller
BioCanvas is operated from Botterboulevard 95, 2022 GA Haarlem, Netherlands (KvK 98223631, VAT NL005317081B33). The operating company is the data controller for the personal data processed through this service, as defined under the EU General Data Protection Regulation (GDPR).
What We Collect
Account information: your name and email address, provided via OAuth or directly when you sign up.
Workspace data: workspace names, member lists, and roles.
Figure content: the scientific figures you create — canvas state (shapes, primitives, text, colours, arrangement) and associated metadata (name, visibility, template origin).
Waitlist / contact submissions: if you join the waitlist or send a message via the contact form, we retain your email address, optional name/role, and any message body you submit.
Usage logs: API request metadata (timestamps, endpoints, response codes) for operational monitoring.
How We Use It
We use your data to provide the BioCanvas service: storing and displaying your figures, supporting collaboration in your workspaces, processing billing for AI generation plans, and improving the product. We do not sell your data.
Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Contractual necessity (Article 6(1)(b)): processing required to provide the BioCanvas service, manage your account, and fulfill our agreement with you.
- Legitimate interest (Article 6(1)(f)): product improvement, operational monitoring, and fraud prevention, where these interests are not overridden by your rights.
- Consent (Article 6(1)(a)): waitlist and outreach emails, which you can unsubscribe from at any time.
Third Parties
We share data with the following third-party services, only as needed to operate BioCanvas:
- AWS for cloud infrastructure and data storage.
- Stripe for payment processing (Pro and Enterprise tiers only).
- Vercel for static site hosting.
- Porkbun as the domain registrar for biocanvas.app.
- Telegram as the delivery channel for internal notifications from the contact and waitlist forms.
- LLM providers (Anthropic, OpenAI) when you use the optional AI figure-generation agent. Prompts you submit to the agent are sent to these providers. We do not send your account information or billing data to LLM providers.
AI Figure-Generation Agent
The AI agent is an optional Pro feature — off by default. When you use it, the prompts you submit and the figure context the agent needs to generate a scene are sent to third-party LLM providers to produce a draft. The resulting draft is then saved to your workspace as a regular figure.
Do not include secrets, credentials, patient-identifying information, or any confidential data in prompts to the AI agent. We cannot guarantee that an agent will never produce unexpected output.
Cookies & Local Storage
We use cookies and local storage for session authentication and theme preferences. We do not use advertising or cross-site tracking cookies.
International Data Transfers
BioCanvas is operated from the Netherlands. Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our infrastructure providers (AWS, Vercel) and LLM providers (Anthropic, OpenAI) operate. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions to ensure an appropriate level of data protection.
Data Retention
Your data is kept for as long as your account is active. If you delete your account, we will delete your data. You can request data deletion at any time through our contact page.
Waitlist and contact submissions are retained for up to 24 months, after which they are deleted unless you have opted into ongoing correspondence.
Your Rights
Under the GDPR, you have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your personal data (“right to be forgotten”).
- Restrict processing of your data.
- Port your data to another service. You can export figures at any time from the editor.
- Object to processing based on legitimate interest.
- Withdraw consent at any time, where processing is based on consent.
To exercise these rights, reach out via our contact page. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Third-Party Links
BioCanvas may contain links to third-party websites and services (e.g. Stripe customer portal, LLM provider documentation). We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies before providing them with your data.
Security
All data is encrypted in transit via TLS. Passwords are hashed before storage. Access to production systems is restricted to authorized personnel with role-based access controls. See our security page for details.
Children
BioCanvas is not designed for or directed at anyone under the age of 16. We do not knowingly collect data from children.
Changes
We may update this policy from time to time. When we do, we will update the “last updated” date at the top and notify you via email or in-app notification.
Contact
Questions about this policy? Reach out via our contact page.