School Draw Privacy and Data Handling Statement

1. Data Controller Information

Application Name: School Draw

Purpose: A web-based SVG drawing tool designed for simple, accessible drawing and illustration

Data Controller:Shuistyle

Contact:simpledraw_central@outlook.com

Last Updated:23/11/2025

2. What Data We Collect and Process

2.1 Data You Create

Data Type	What It Includes	Where It's Stored	Legal Basis (GDPR)
Your Drawings	SVG files containing your artwork, shapes, text, and colours	Your web browser's local storage, your device, or your chosen cloud storage	Consent / Legitimate Interest
Drawing Metadata	Filename, timestamp of creation/modification, background colour	Embedded in your SVG files and browser storage	Consent / Legitimate Interest
Application Preferences	Auto-save settings, last save location	Your web browser's local storage	Legitimate Interest

2.2 Authentication Data (Optional - Only When You Choose to Sign In)

If you choose to sign in with Google or Microsoft to save your drawings to cloud storage, we process:

Data Type	What It Includes	Purpose	Where It's Stored	Legal Basis
Google Account Information	Name, email address, profile picture, OAuth access token	To authenticate you and access your Google Drive	Your browser's local storage (temporary)	Consent
Microsoft Account Information	Name, email address, profile picture, OAuth access token	To authenticate you and access your OneDrive	Your browser's local storage (temporary)	Consent
Cloud Storage Files	Your SVG drawings saved to Google Drive or OneDrive	To save and retrieve your drawings	Your Google Drive or OneDrive account	Consent

3. How We Use Your Data

3.1 Client-Side Processing Only

School Draw is a client-side application, meaning:

• All drawing operations happen entirely in your web browser
• Your drawings and personal data are never sent to our servers
• We do not operate any backend servers that collect or process your data
• All data remains under your direct control at all times

3.2 Specific Uses

• Creating and Editing Drawings: Processing your drawing commands to render SVG graphics
• Saving Your Work: Storing drawings in your chosen location (browser storage, device download, Google Drive, or OneDrive)
• Auto-Save Functionality: Automatically saving your work to prevent data loss (only when enabled and you're signed in to cloud storage)
• Version History: Maintaining undo/redo history in your browser's memory during your session
• Authentication: Using OAuth tokens to securely access your Google Drive or OneDrive (only with your explicit consent)

4. Where Your Data Is Stored

4.1 Browser Local Storage

When you save drawings to "Browser Storage," your data is stored in your web browser's local storage using the localStorage API. This data:

• Remains on your device only
• Is not transmitted over the internet
• Can be cleared at any time through your browser settings
• Is subject to browser storage limits (typically 5-10 MB)

4.2 Device Downloads

When you save drawings to your device, files are downloaded directly to your chosen location on your computer, tablet, or phone. We have no access to or record of these files.

4.3 Cloud Storage (Google Drive / OneDrive)

When you choose to sign in and save to cloud storage:

• Google Drive: Files are saved to a folder called "MyDrawings" in your Google Drive
• OneDrive: Files are saved to a folder called "SVGEditor" or "MyDrawings" in your OneDrive
• Your drawings are subject to Google's or Microsoft's privacy policies and terms of service
• We do not have access to your cloud storage or your files
• You control who can access your cloud-stored files through Google or Microsoft's sharing settings

5. Data Retention

Data Type	Retention Period	How to Delete
Browser-Stored Drawings	Until you delete them or clear your browser data	Use the application's delete function or clear browser storage
Authentication Tokens	55 minutes (Google), or until you sign out	Sign out of the application or clear browser storage
Auto-Save Preferences	Until you change them or clear browser data	Clear browser storage or toggle settings
Undo/Redo History	Current session only (lost when you close the tab)	Automatically cleared when you close the browser tab
Cloud-Stored Drawings	Until you delete them from your Google Drive or OneDrive	Delete files directly from your Google Drive or OneDrive account

6. Data Sharing and Third Parties

6.1 No Server-Side Data Sharing

Because School Draw operates entirely in your browser, we do not share your data with any third parties through our servers.

6.2 Third-Party Services (When You Choose to Use Them)

If you choose to sign in and use cloud storage integration:

6.3 No Analytics or Tracking

School Draw does not use:

• Google Analytics or similar analytics services
• Tracking cookies or advertising cookies
• Social media tracking pixels
• Any other tracking or profiling technologies

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

Right	What It Means	How to Exercise
Right of Access	You can request a copy of your personal data	All your data is stored locally in your browser or cloud storage - you can access it directly at any time
Right to Rectification	You can correct inaccurate data	Edit your drawings directly in the application or update your account information with Google/Microsoft
Right to Erasure	You can request deletion of your data	Delete drawings from browser storage, cloud storage, or clear your browser data. For authentication data, sign out or revoke app permissions in your Google/Microsoft account
Right to Restrict Processing	You can limit how your data is used	Don't sign in to use cloud features; use only browser storage or device downloads
Right to Data Portability	You can obtain and reuse your data	Download your drawings as SVG files at any time from any storage location
Right to Object	You can object to certain processing	Don't use optional features like cloud storage integration
Rights Related to Automated Decision-Making	Protection against automated decisions	Not applicable - School Draw does not make automated decisions about you

8. Data Security Measures

We implement robust security measures to protect your data:

8.1 Technical Security

• XSS (Cross-Site Scripting) Prevention: All user input is sanitised to prevent malicious code injection
• SVG Content Validation: All SVG content is validated and sanitised before processing to remove potentially dangerous elements
• Input Sanitisation: Filenames and user-provided text are sanitised to prevent path traversal and injection attacks
• Content Security: Dangerous SVG elements (script, object, embed, iframe, foreignObject) are automatically removed
• Event Handler Removal: All inline event handlers (onclick, onload, etc.) are stripped from uploaded or pasted content
• URL Validation: Dangerous URI schemes (javascript:, data:text/html, vbscript:) are blocked
• Secure Authentication: OAuth 2.0 protocols with industry-standard security practices
• Token Management: Access tokens are stored securely and automatically expire
• HTTPS Encryption: All communication with cloud services uses HTTPS encryption

8.2 Data Minimisation

• We only process the minimum data necessary for the application to function
• Authentication is entirely optional - you can use School Draw without signing in
• We don't collect any data we don't need
• No tracking or analytics data is collected

8.3 Storage Limitations

• Browser storage is limited to 50 saved drawings to prevent excessive data accumulation
• SVG files are limited to 50 MB maximum size
• Browser storage content is limited to 2 MB per file

9. Cookies and Similar Technologies

9.1 Strictly Necessary Storage

School Draw uses browser local storage (not cookies) for essential functionality:

• Saving your drawings when you choose browser storage
• Storing authentication tokens when you sign in (temporary, session-based)
• Remembering your auto-save preferences
• Storing your last save location for convenience

9.2 Third-Party Cookies

Google and Microsoft may set their own cookies when you use their authentication services. These are governed by their respective privacy policies.

9.3 No Tracking Cookies

We do not use any advertising, analytics, or tracking cookies.

10. Children's Privacy

School Draw is designed to be accessible to users of all ages, including children. We take children's privacy seriously:

10.1 Protection for Young Users

• School Draw can be used without creating an account or providing any personal information
• Children can use all drawing features without signing in
• Drawings can be saved to the device without cloud storage
• We do not knowingly collect personal information from children under 13 without parental consent

10.2 Parental Guidance

We recommend that:

• Parents or guardians supervise children's use of cloud storage features
• Parents control whether children sign in with Google or Microsoft accounts
• Parents review and manage cloud storage permissions for children's accounts
• Children under 13 should not sign in with their own accounts without parental consent

11. International Data Transfers

11.1 Client-Side Processing

Because School Draw operates entirely in your browser, your data is not transferred internationally by our application.

11.2 Cloud Storage Transfers

If you choose to use Google Drive or OneDrive:

• Your data may be transferred to and stored in Google's or Microsoft's data centres, which may be located outside the UK or EEA
• Both Google and Microsoft have implemented appropriate safeguards including:
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
  • Compliance with UK GDPR requirements
  • Additional security measures for international transfers
• You consent to these transfers when you choose to sign in and use cloud storage

12. Data Breach Notification

12.1 Our Responsibilities

In the unlikely event of a data breach affecting our application:

• We will notify the ICO within 72 hours if required by UK GDPR
• We will notify affected users without undue delay if there is a high risk to your rights and freedoms
• We will take immediate steps to contain and remedy the breach

12.2 Limited Risk

Because School Draw does not collect or store your data on our servers, the risk of a data breach affecting your information through our systems is minimal. Your primary data security depends on:

• Your device's security (for browser-stored drawings)
• Your Google or Microsoft account security (for cloud-stored drawings)
• Your browser's security settings and updates

13. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect:

• Changes in UK GDPR requirements or guidance from the ICO
• Changes to our application features or functionality
• Changes to third-party services we integrate with
• User feedback and best practice improvements

13.1 Notification of Changes

When we make significant changes:

• We will update the "Last Updated" date at the top of this document
• We will display a prominent notice in the application
• For material changes affecting your rights, we will seek your consent where required

13.2 Reviewing Changes

We encourage you to review this Privacy Statement periodically to stay informed about how we protect your data.

14. Your Consent

14.1 Using School Draw Without Sign-In

By using School Draw's basic features (drawing, saving to browser or device), you consent to:

• Processing of your drawing data locally in your browser
• Storage of your drawings in browser local storage (if you choose this option)
• Storage of application preferences in browser local storage

14.2 Using Cloud Storage Features

When you sign in with Google or Microsoft, you explicitly consent to:

• Authentication through Google OAuth or Microsoft MSAL
• Storage of authentication tokens in your browser's local storage
• Access to your Google Drive or OneDrive for saving and loading drawings
• Creation of folders in your cloud storage for School Draw files
• Processing of your drawings and account information as described in this statement
• International data transfers to Google or Microsoft's data centres

14.3 Withdrawing Consent

You can withdraw your consent at any time by:

• Signing out of the application
• Revoking School Draw's access in your Google or Microsoft account settings
• Clearing your browser's local storage
• Deleting your drawings from cloud storage
• Stopping use of the application

15. Complaints and Supervisory Authority

15.1 Contact Us First

If you have concerns about how we handle your data, please contact us first using the details at the top of this document. We will do our best to resolve any issues promptly.

15.2 Right to Complain

You have the right to lodge a complaint with the UK's supervisory authority:

16. Legal Basis for Processing

Under UK GDPR Article 6, we process your data based on:

Processing Activity	Legal Basis	Explanation
Processing your drawings	Consent / Legitimate Interest	You choose to create drawings and save them
Storing drawings in browser	Consent	You choose to save drawings to browser storage
Authentication with Google/Microsoft	Consent	You explicitly sign in to use cloud features
Saving to cloud storage	Consent / Contract	You choose to save files to your cloud storage
Storing application preferences	Legitimate Interest	Necessary to provide you with a consistent user experience
Security measures (input sanitisation)	Legitimate Interest	Necessary to protect you and other users from security threats

17. Accessibility of This Statement

We are committed to making this privacy statement accessible to all users:

• This statement is written in clear, plain language
• We avoid unnecessary legal jargon where possible
• Tables and formatting make information easy to scan
• This statement is available as an HTML document that works with screen readers
• If you need this information in a different format, please contact us

18. Additional Information for Specific Users

18.1 Educational Institutions

If School Draw is used in schools or educational settings:

• We recommend using the application without cloud sign-in for young children
• Teachers should review this privacy statement before recommending School Draw to students
• Schools should ensure they have appropriate consent from parents/guardians before students use cloud features
• Consider using institutional Google Workspace or Microsoft 365 accounts with appropriate safeguards

18.2 Business/Professional Users

If you use School Draw for business purposes:

• Ensure your use complies with your organisation's data protection policies
• Be aware that drawings saved to cloud storage are subject to your organisation's Google Workspace or Microsoft 365 policies
• Consider using browser storage or device downloads for sensitive business information