Privacy Policy

Last updated: February 7, 2026

This Privacy Notice for Hivetivity, Inc. ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at orgcanvas.app, or any website of ours that links to this Privacy Notice
• Use OrgCanvas. OrgCanvas is an org chart maker that helps you create, edit, and share organization charts. It integrates with Google Sign-In for authentication.
• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• names
• email addresses
• usernames
• contact preferences
• contact or authentication data

Sensitive Information. We do not process sensitive information.

Social Media Login Data. We may provide you with the option to register with us using your existing Google account. If you choose to register in this way, we will collect certain profile information about you from Google, as described in the section "How Do We Handle Your Social Logins?" below.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver and facilitate delivery of services to the user.
• To respond to user inquiries/offer support to users.
• To protect our Services and keep them safe and secure.
• To identify usage trends so we can improve our Services.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract. Processing necessary to provide the OrgCanvas service you signed up for, including account management, chart storage, and export functionality.
• Legitimate Interest. Processing for analytics, security monitoring, fraud prevention, and service improvement, where our interests do not override your rights.
• Consent. Processing for optional marketing communications. You may withdraw consent at any time.
• Legal Obligation. Processing required to comply with applicable laws, such as tax and financial reporting.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section.

We may need to share your personal information in the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Other Users. When you share personal information (for example, by posting comments, contributions, or other content to the Services) or otherwise interact with public areas of the Services, such personal information may be viewed by all users and may be publicly made available outside the Services in perpetuity.

5. Sub-Processors

We use the following third-party service providers to process your data:

• Cloudflare, Inc. (United States) — Hosting, database (D1), storage (R2), CDN, and DDoS protection. SOC 2 Type II certified.
• Stripe, Inc. (United States) — Payment processing and subscription management. PCI DSS Level 1 certified.
• Resend, Inc. (United States) — Transactional email delivery (account verification, notifications).
• PostHog, Inc. (EU) — Product analytics (anonymized usage data). Can be opted out via cookie preferences.

International data transfers to US-based processors are governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

6. Do We Use Cookies and Other Tracking Technologies?

In Short: We use essential cookies for functionality and optional analytics cookies with your consent.

Essential Cookies (no consent required): Session authentication, security tokens, and user preferences. These are strictly necessary for the service to function.

Analytics Cookies (consent required): We use PostHog for product analytics to understand how users interact with OrgCanvas. You can opt out of analytics tracking via the cookie consent banner displayed on your first visit. Your preference is stored locally and respected on all subsequent visits.

7. How Do We Handle Your Social Logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your Google account. Where you choose to do this, we will receive certain profile information about you from Google. The profile information we receive may include your name, email address, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services.

8. How Long Do We Keep Your Information?

In Short: We retain your data for defined periods based on its purpose.

• Active account data (org charts, profile, settings): Retained while your account is active.
• Deleted accounts: All personal data permanently purged within 30 days of account deletion.
• Backups: Retained for 90 days, then permanently deleted.
• Analytics data: Anonymized after 12 months.
• Audit logs (Business tier): Retained for 90 days. Enterprise tier: unlimited retention.
• Payment records: Retained as required by tax and financial regulations (typically 7 years).

When your subscription ends, your data remains accessible for 30 days. You may export your data (PDF, PowerPoint, PNG, or native format) at any time before or during this period.

9. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.

10. Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services.

11. What Are Your Privacy Rights?

In Short: You have rights over your personal data, including access, correction, deletion, portability, and the right to object.

Under applicable data protection laws (including GDPR, UK GDPR, and CCPA), you have the following rights:

• Right of Access. Request a copy of the personal data we hold about you.
• Right to Rectification. Request correction of inaccurate or incomplete personal data.
• Right to Erasure. Request deletion of your personal data. You can delete your account directly from your account settings, or contact us.
• Right to Restrict Processing. Request that we limit how we use your data.
• Right to Data Portability. Request your data in a structured, machine-readable format. OrgCanvas supports export in PDF, PowerPoint, PNG, and native JSON formats.
• Right to Object. Object to processing based on legitimate interest, including profiling and analytics. You can opt out of analytics via cookie preferences at any time.
• Right to Withdraw Consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Account Deletion

You can delete your account at any time from your account settings in the app. This permanently removes all your personal data, org charts, and associated content within 30 days. You may also request deletion by emailing [email protected].

12. Data Processing Agreement (DPA)

For organizations that require a Data Processing Agreement under GDPR or other data protection regulations, we provide a DPA upon request. Contact [email protected] to receive a copy for review and execution.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Notifications will be sent via email to the address associated with your account and will include the nature of the breach, likely consequences, and measures taken to address it.

14. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice.

15. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:

Hivetivity, Inc.
12476 Danesfeld Drive
Milton, GA 30004
United States

16. Google User Data

OrgCanvas integrates with Google services for authentication. This section describes how we handle data obtained through Google APIs.

Data We Access:

• Google Account Profile: Your name and email address for account identification

How We Use This Data:

Google user data is used exclusively to provide the core functionality of OrgCanvas, including:

• Identifying you within the application
• Managing your account and saved org charts

What We Do NOT Do:

• We do NOT use Google user data for advertising or marketing purposes
• We do NOT sell Google user data to third parties
• We do NOT share Google user data with third parties except as necessary to provide our Services
• We do NOT use Google user data to build user profiles for advertising

Data Retention:

Google user data is retained only as long as necessary to provide our Services. You can request deletion of your data at any time by contacting us or deleting your account.

Compliance:

Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements.