Privacy Policy
Privacy Policy
Last updated: 10 April 2026
This privacy policy explains how drawing-grid.app collects, uses, stores, and protects your personal data. We believe in transparency and have written this policy to accurately reflect our actual data practices — not from a generic template.
drawing-grid is a browser-based drawing grid tool for artists. Most features run entirely on your device with no data sent to our servers. When you create an account, we collect only the minimum data necessary to provide the service.
1. Who we are
drawing-grid.app is operated by the operator of drawing-grid.app (the “operator,” “we,” “us,” or “our”). We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR).
Our application infrastructure is hosted in the European Union (Hetzner, Germany). For any questions about this privacy policy or your personal data, you can contact us at contact@drawing-grid.app.
2. What data we collect
Account data (registered users only)
When you create an account, we collect and store:
- Email address — normalised to lowercase, used for account identification and transactional emails
- Password — stored only as a bcrypt hash (never in plaintext). Users who sign in via Google OAuth do not have a password stored.
- Google user ID — if you sign in with Google, we store your unique Google user identifier (an opaque numeric string). We do not store your Google profile picture, display name, or any other Google profile data.
- User preferences — functional tool settings such as default grid configuration, measurement units, canvas size, and grid labels. For registered users, these preferences are stored on our servers so they sync across your devices. These contain no personal data.
- Account timestamps — when your account was created and last updated, and when your email was confirmed.
Session data
When you log in, we set a single authentication cookie to keep you signed in. This cookie is strictly necessary for the service to function when you are logged in. It expires after 30 days or when you log out.
Usage analytics
We use Google Analytics to understand how visitors use the site. Google Analytics collects data such as page views, referrer URLs, browser and device type, geographic location, and session information. Google Analytics sets cookies on your device. These cookies are not strictly necessary for the service to function, so we ask for your consent before enabling Google Analytics. You may decline, and the site will work fully without it.
Server logs
Our web server automatically records standard access logs for every HTTP request. These logs include your IP address, User-Agent string (browser and operating system information), the requested URL path, HTTP status code, and a timestamp. Sensitive parameters such as email addresses and passwords are filtered from log output.
Rate-limiting data
To protect against brute-force attacks and abuse, we process IP addresses against rate-limit counters on authentication endpoints. These counters are stored temporarily in the application cache (database-backed) and auto-expire within 15 minutes to 1 hour depending on the endpoint. They are not associated with any user account.
Reference images — unregistered users
If you use drawing-grid without an account, your reference images are processed entirely on your deviceusing your browser’s Canvas API. Images are stored in your browser’s IndexedDB and never leave your device. We never see, access, or store your images.
Reference images — registered users
For registered users, images are automatically uploaded to our cloud storage (AWS S3, eu-west-1 region, located in Ireland) to build your library of works and keep a history in your account. If you were using the tool before registering, any image already loaded in the editor will be uploaded automatically upon registration. The following data is stored alongside each image: the original filename, content type (MIME type), file size, and a checksum. If you prefer not to have images stored on our servers, you can continue using the tool without an account.
Browser local storage (all users)
drawing-grid stores editor state, grid configuration, sidebar preferences, default measurement units, default grid presets, canvas size presets, grid label configuration, and colour palette ownership data in your browser’s localStorage. For unregistered users, this is the only place your settings are stored — entirely on your device, never sent to our servers. For registered users, some of these settings are also synced to our servers to provide a consistent experience across devices (see “User preferences” above). Local storage data is cleared when you reset the tool or clear your browser storage manually.
3. How we use your data
We use the data we collect to:
- Provide your account — authenticate you, manage your session, and sync your tool preferences across devices
- Send transactional emails — send a one-time account confirmation email when you register (no marketing emails)
- Store your image library — if you choose to upload images as a registered user, provide cloud storage for your reference photo library
- Understand usage patterns — with your consent, use analytics to understand how the site is used and improve the product
- Maintain security — use server logs and rate-limit counters to detect and prevent abuse, brute-force attacks, and other security threats
- Debug issues — use server logs to diagnose and fix technical problems
We do not sell your personal data. We do not use your data for profiling or automated decision-making. We do not send marketing emails.
4. Legal bases for processing
Under GDPR Article 6, we process your personal data on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account registration and management | Performance of a contract — Art. 6(1)(b) |
| Email confirmation | Performance of a contract — Art. 6(1)(b) |
| Google OAuth sign-in | Performance of a contract — Art. 6(1)(b) |
| Storing and syncing user preferences | Performance of a contract — Art. 6(1)(b) |
| Authentication cookie | Performance of a contract (strictly necessary) — Art. 6(1)(b) |
| Rate limiting (transient IP storage) | Legitimate interests (security) — Art. 6(1)(f) |
| Server logs (IP addresses, User-Agent) | Legitimate interests (security, debugging) — Art. 6(1)(f) |
| Google Analytics | Consent — Art. 6(1)(a) |
Where we rely on legitimate interests (rate limiting, server logs), our interest is protecting the service and its users from abuse. This processing is minimal (transient IP storage, standard web server logs) and proportionate to the security benefit.
Where we rely on consent (Google Analytics), you may withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
5. Data retention
| Data | Retention period |
|---|---|
| User account (email, password hash, preferences) | Until you delete your account |
| OAuth identity link (Google UID) | Until you delete your account (deleted automatically with account) |
| Email confirmation token | Expires after 24 hours; cleared upon confirmation |
| Unconfirmed accounts | Periodically purged |
| Uploaded images (AWS S3) | Until you delete your account |
| Rate-limit counters (IP addresses) | Auto-expire within 15 minutes to 1 hour |
| Server logs | Retained for a limited period necessary for security and debugging purposes |
| Google Analytics data | Subject to Google’s data retention settings |
| Browser local storage (localStorage, IndexedDB) | Stored on your device; under your control. Cleared when you reset the tool or clear browser storage. |
6. Your rights under GDPR
If you are in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR:
- Right of access (Art. 15) — you can request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — you can request that we correct inaccurate personal data
- Right to erasure(Art. 17) — you can request that we delete your personal data (“right to be forgotten”)
- Right to restriction of processing (Art. 18) — you can request that we limit how we use your data
- Right to data portability (Art. 20) — you can request your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — you can object to processing based on legitimate interests
To exercise any of these rights, contact us at contact@drawing-grid.app. We will respond within 30 days.
You also have the right to lodge a complaint with a data protection supervisory authority in your country of residence if you believe our processing of your personal data violates the GDPR.
7. Cookies and local storage
Cookies set by drawing-grid
We set a single authentication cookie to keep you signed in. This cookie is strictly necessary for the service to function and expires after 30 days or when you log out. It is set only when you log in or complete email confirmation. If you are not logged in, no cookies are set by drawing-grid.
Google Analytics cookies
Google Analytics sets cookies to distinguish users and track sessions. These cookies are not strictly necessary and will only be set with your consent. You can withdraw consent at any time, and the site will continue to function normally without them.
Browser local storage
drawing-grid uses your browser’s localStorage and IndexedDB to store editor state, tool preferences, and your reference image. For unregistered users, this data stays entirely on your device. For registered users, some preferences are also synced to our servers to provide a consistent experience across devices. The following keys are used:
- IndexedDB database
drawing-grid, storeeditor— your reference photo as a PNG blob drawing-grid-settings— editor state (image dimensions, position, scale, grid config, B&W settings, image adjustments, canvas size, sidebar state)drawing-grid-sidebars— sidebar open/closed statedrawing-grid:default-unit— preferred measurement unitdrawing-grid:default-grid— default grid presetdrawing-grid:default-canvas-size— default canvas size presetdrawing-grid:default-grid-labels— default grid label configurationdrawingGrid.ownedColors.{brand}— colour palette ownership per branddrawing-grid:section:{sectionId}— settings section expanded/collapsed state
8. Third-party services
We share personal data with the following third-party services, only as necessary to provide the service:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Google OAuth | Sign in with Google | Email address, Google user ID | Google’s servers (EU/global) |
| Our email service provider | Transactional email (account confirmation only) | Email address | EU region |
| AWS S3 (eu-west-1) | Image storage for registered users | Image file, filename, content type, file size | AWS EU (Ireland) |
| Google Analytics | Page view analytics (with consent) | Page views, browser info, geographic location, session data | Google’s servers (US) |
Google Fonts: We use Google Fonts (Inter, Playfair Display, Roboto) but they are downloaded and self-hosted at build time. No requests are made to Google Fonts servers when you visit drawing-grid.app — there is no data transfer to Google for font loading.
9. International data transfers
Our application infrastructure is hosted in the European Union (Hetzner, Germany). However, some third-party services process data outside the EU:
- Google OAuth — Google processes authentication data on global infrastructure. This transfer is covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
- Google Analytics— if you consent to analytics, data is sent to Google’s servers (US-based). This transfer is covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
- AWS S3— image storage is in the eu-west-1 region (Ireland, EU). Data remains in the EU per AWS’s regional data residency guarantees.
- Email service provider — transactional emails are sent from an EU-region service endpoint.
Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions where applicable.
10. Children's privacy
drawing-grid is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at contact@drawing-grid.app and we will promptly delete it.
11. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our data practices or legal requirements. When we make changes, we will update the “Last updated” date at the top of this page and post the revised policy here. We encourage you to review this page periodically.
For significant changes that materially affect how we process your data, we will make reasonable efforts to notify registered users (for example, via email or a notice on the site).
12. Contact us
If you have questions about this privacy policy, want to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us:
Email: contact@drawing-grid.app
We aim to respond to all data protection requests within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence.