Privacy Policy | Magic Canvas

TeamCraft AI ("we", "us", "our") operates the TeamCraft.ai workflow automation platform. This Privacy Policy describes how we collect, use, and share information when you use our service.

1. Data We Collect

Account information: email address and display name provided during registration or Google OAuth sign-in.
Workflow data: workflow definitions, node configurations, run histories, and execution logs that you create within the platform.
Usage data: page views, feature interactions, and performance metrics collected automatically to improve the service.
Authentication data: session tokens stored as HTTP-only cookies for secure access.

2. How We Use Your Data

Service operation: your data is used to run workflows, display dashboards, generate reports, and provide the core functionality of TeamCraft AI.
Service improvement: aggregated, anonymized usage data helps us identify performance bottlenecks and prioritize features.
Communication: we may send transactional emails related to your account, such as invitations, password resets, and billing notifications.
Security: we monitor access patterns to detect and prevent unauthorized use.

3. Third-Party Processors

Groq AI: workflow node content may be processed by Groq AI for AI-powered automation steps. Data sent to Groq is limited to the specific node input and is not retained by Groq beyond processing.
Google OAuth: if you sign in with Google, Google provides your email and profile name. We do not access any other Google account data.
Stripe: payment processing is handled by Stripe. We do not store credit card numbers; Stripe manages all payment data under their own privacy policy.
Infrastructure providers: the platform runs on cloud infrastructure. All data is encrypted in transit (TLS) and at rest.

4. Data Retention

Error logs: retained for 30 days, then automatically purged.
Usage analytics: retained for 90 days in identifiable form, then aggregated.
Audit trail: workflow run records and approval evidence retained for 365 days.
Account data: retained for the lifetime of your account. Upon account deletion, personal data is removed within 30 days.
Backups: encrypted backups may retain data for up to 90 days after deletion before being cycled out.

5. Your Rights

Access: you can view all data associated with your account through the Settings > Privacy page.
Export: you can download a copy of your data at any time via the "Download My Data" feature in Settings.
Deletion: you can request full account deletion through Settings > Privacy. This removes your personal data, workflow definitions, and run history.
Correction: contact us to correct any inaccurate personal information.
Objection: you may object to data processing by contacting us. Note that objecting to essential processing may require account closure.

6. Cookies

TeamCraft AI uses essential cookies only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
Authentication token: an HTTP-only secure cookie that maintains your login session. Expires after 30 days.
Cookie consent: a localStorage flag that records whether you have acknowledged the cookie notice.
No data is shared with third-party advertisers or tracking networks.

7. Security

All data is transmitted over TLS 1.2+.
Connection secrets and credentials are encrypted at rest using Fernet symmetric encryption.
Authentication tokens expire after 30 days and can be rotated manually.
The platform enforces rate limiting, Content Security Policy headers, and HSTS.

8. Contact

For privacy-related questions, data requests, or concerns, contact us at privacy@teamcraft.ai.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the service after changes constitutes acceptance of the updated policy.