School Draw Privacy and Data Handling Statement
Quick Summary: School Draw is a client-side web application. All drawing operations happen locally in your web browser, and you have complete control over where your drawings are saved. To access the full drawing toolset, you must sign in with a Google or Microsoft account — this allows us to verify your authorised access. We do not store your drawings on our servers, but we do process your email address to verify access, as described below.
1. Data Controller Information
Application Name: School Draw
Purpose: A web-based SVG drawing tool designed for simple, accessible drawing and illustration
Data Controller: Shuistyle
Contact: hello@schooldraw.net
Last Updated: 10 March 2026
2. What Data We Collect and Process
2.1 Data You Create
| Data Type | What It Includes | Where It's Stored | Legal Basis (GDPR) |
|---|---|---|---|
| Your Drawings | SVG files containing your artwork, shapes, text, and colours | Your web browser's local storage, your device, or your chosen cloud storage | Consent / Legitimate Interest |
| Drawing Metadata | Filename, timestamp of creation/modification, background colour | Embedded in your SVG files and browser storage | Consent / Legitimate Interest |
| Application Preferences | Auto-save settings, last save location | Your web browser's local storage | Legitimate Interest |
2.2 Authentication Data (Required to Access Auth-Gated Tools)
Signing in with Google or Microsoft is required to access the full drawing toolset. Authentication also enables cloud storage saving. When you sign in, we process:
| Data Type | What It Includes | Purpose | Where It's Stored | Legal Basis |
|---|---|---|---|---|
| Google Account Information | Name, email address, profile picture, OAuth access token | To authenticate you and access your Google Drive | Your browser's local storage (temporary) | Consent |
| Microsoft Account Information | Name, email address, profile picture, OAuth access token | To authenticate you and access your OneDrive | Your browser's local storage (temporary) | Consent |
| Cloud Storage Files | Your SVG drawings saved to Google Drive or OneDrive | To save and retrieve your drawings | Your Google Drive or OneDrive account | Consent |
Important — Google tokens: Your Google OAuth access token (which grants access to Google Drive) is stored temporarily in your browser and is used only to communicate directly with Google's APIs. It is never sent to our servers. This is required by Google's API Services User Data Policy.
Important — Microsoft tokens: Your Microsoft access token is temporarily transmitted to our Firebase Cloud Function (checkAccessWithProviderToken) solely to verify your identity and check whether your email address is authorised to use School Draw. The token is used to retrieve your email address from Microsoft Graph and is not stored on our servers.
3. How We Use Your Data
3.1 Client-Side Drawing; Server-Side Access Verification
School Draw separates two distinct concerns:
- Drawing operations happen entirely in your web browser — your artwork is never sent to our servers
- Access control uses Firebase Cloud Functions (hosted in Europe — eu-west1) to verify that your email address is on the authorised access list before you can use the application. This involves transmitting your email address to our Cloud Function for comparison against the registered list
- Your drawings and personal artwork remain under your direct control at all times and are never sent to our servers
- We do not collect analytics, track usage behaviour, or profile users
3.2 Specific Uses
- Creating and Editing Drawings: Processing your drawing commands to render SVG graphics (client-side only)
- Saving Your Work: Storing drawings in your chosen location (browser storage, device download, Google Drive, or OneDrive)
- Auto-Save Functionality: Automatically saving your work to prevent data loss (only when enabled and you're signed in to cloud storage)
- Version History: Maintaining undo/redo history in your browser's memory during your session
- Authentication: Using OAuth tokens to securely access your Google Drive or OneDrive (only with your explicit consent)
- Access Verification: Sending your email address to our Firebase Cloud Function to verify you are on the authorised access list. Your email is checked against a registered list stored in Firebase Realtime Database. It is not stored a second time solely as a result of this check — only pre-registered email addresses (managed by an administrator) are held in the database
4. Where Your Data Is Stored
4.1 Browser Local Storage
When you save drawings to "Browser Storage," your data is stored in your web browser's local storage using the localStorage API. This data:
- Remains on your device only
- Is not transmitted over the internet
- Can be cleared at any time through your browser settings
- Is subject to browser storage limits (typically 5-10 MB)
4.2 Device Downloads
When you save drawings to your device, files are downloaded directly to your chosen location on your computer, tablet, or phone. We have no access to or record of these files.
4.3 Cloud Storage (Google Drive / OneDrive)
When you choose to sign in and save to cloud storage:
- Google Drive: Files are saved to a folder called "MyDrawings" in your Google Drive
- OneDrive: Files are saved to a folder called "SVGEditor" or "MyDrawings" in your OneDrive
- Your drawings are subject to Google's or Microsoft's privacy policies and terms of service
- We do not have access to your cloud storage or your files
- You control who can access your cloud-stored files through Google or Microsoft's sharing settings
5. Data Retention
| Data Type | Retention Period | How to Delete |
|---|---|---|
| Browser-Stored Drawings | Until you delete them or clear your browser data | Use the application's delete function or clear browser storage |
| Authentication Tokens | 55 minutes (Google), or until you sign out | Sign out of the application or clear browser storage |
| Auto-Save Preferences | Until you change them or clear browser data | Clear browser storage or toggle settings |
| Undo/Redo History | Current session only (lost when you close the tab) | Automatically cleared when you close the browser tab |
| Cloud-Stored Drawings | Until you delete them from your Google Drive or OneDrive | Delete files directly from your Google Drive or OneDrive account |
6. Data Sharing and Third Parties
6.1 No Server-Side Data Sharing
Because School Draw operates entirely in your browser, we do not share your data with any third parties through our servers.
6.2 Third-Party Services (When You Choose to Use Them)
If you choose to sign in and use cloud storage integration:
Google Services
- Service: Google OAuth 2.0 and Google Drive API
- Purpose: Authentication and cloud file storage
- Data Shared: Your drawings (when you save them) and authentication credentials
- Google's Privacy Policy: https://policies.google.com/privacy
- Data Location: Google's data centres (which may include locations outside the UK/EEA)
- Safeguards: Google complies with GDPR and uses Standard Contractual Clauses for international transfers
- Google API Scopes Requested:
  - openid — Standard OpenID Connect identity authentication
  - profile — Your display name and profile picture
  - email — Your Google email address, used to verify your access
  - https://www.googleapis.com/auth/drive.file — Access only to files and folders created by School Draw in your Google Drive. This scope does not grant access to any other files in your Drive

Google API Services User Data Policy: School Draw's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: data obtained via Google APIs is used only to provide and improve School Draw's features; it is not used for advertising; it is not shared with third parties except as necessary to operate the service; and it is not used for purposes unrelated to the application.
Microsoft Services
- Service: Microsoft Authentication Library (MSAL) and Microsoft Graph API (OneDrive)
- Purpose: Authentication, access verification, and cloud file storage
- Data Shared: Your drawings (when you save them); your access token is temporarily sent to our Cloud Function for identity verification (see section 2.2)
- Microsoft's Privacy Policy: https://privacy.microsoft.com/privacystatement
- Data Location: Microsoft's data centres (which may include locations outside the UK/EEA)
- Safeguards: Microsoft complies with GDPR and uses Standard Contractual Clauses for international transfers
- Microsoft Graph Scopes Requested:
  - openid — Standard OpenID Connect identity authentication
  - profile — Your display name and profile information
  - User.Read — Your email address and basic profile, used to verify your access
  - Files.ReadWrite — Read and write access to files in your OneDrive, used to save and load your drawings
Firebase (Google Infrastructure)
- Service: Firebase Cloud Functions and Firebase Realtime Database
- Purpose: Server-side access control — verifying that your email address is authorised to use School Draw
- Data Held: Pre-registered email addresses (managed by administrators), associated domain registrations, and an audit log of administrative actions. Access verification checks are processed server-side but the email addresses of ordinary users performing checks are not stored unless they have been pre-registered by an administrator
- Data Location: Europe West 1 (Belgium) — Firebase region eu-west1
- Google's Privacy Policy: https://policies.google.com/privacy
- Firebase Data Processing Terms: https://firebase.google.com/terms/data-processing-terms
6.3 No Analytics or Tracking
School Draw does not use:
- Google Analytics or similar analytics services
- Tracking cookies or advertising cookies
- Social media tracking pixels
- Any other tracking or profiling technologies
7. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access | You can request a copy of your personal data | All your data is stored locally in your browser or cloud storage - you can access it directly at any time |
| Right to Rectification | You can correct inaccurate data | Edit your drawings directly in the application or update your account information with Google/Microsoft |
| Right to Erasure | You can request deletion of your data | Delete drawings from browser storage, cloud storage, or clear your browser data. For authentication data, sign out or revoke app permissions in your Google/Microsoft account |
| Right to Restrict Processing | You can limit how your data is used | Don't sign in to use cloud features; use only browser storage or device downloads |
| Right to Data Portability | You can obtain and reuse your data | Download your drawings as SVG files at any time from any storage location |
| Right to Object | You can object to certain processing | Don't use optional features like cloud storage integration |
| Rights Related to Automated Decision-Making | Protection against automated decisions | Not applicable - School Draw does not make automated decisions about you |
8. Data Security Measures
We implement robust security measures to protect your data:
8.1 Technical Security
- XSS (Cross-Site Scripting) Prevention: All user input is sanitised to prevent malicious code injection
- SVG Content Validation: All SVG content is validated and sanitised before processing to remove potentially dangerous elements
- Input Sanitisation: Filenames and user-provided text are sanitised to prevent path traversal and injection attacks
- Content Security: Dangerous SVG elements (script, object, embed, iframe, foreignObject) are automatically removed
- Event Handler Removal: All inline event handlers (onclick, onload, etc.) are stripped from uploaded or pasted content
- URL Validation: Dangerous URI schemes (javascript:, data:text/html, vbscript:) are blocked
- Secure Authentication: OAuth 2.0 protocols with industry-standard security practices
- Token Management: Access tokens are stored securely and automatically expire
- HTTPS Encryption: All communication with cloud services uses HTTPS encryption
8.2 Data Minimisation
- We only process the minimum data necessary for the application to function
- Authentication with Google or Microsoft is required to access auth-gated drawing tools; basic navigation of the landing page does not require sign-in
- We don't collect any data we don't need
- No tracking or analytics data is collected
8.3 Storage Limitations
- Browser storage is limited to 50 saved drawings to prevent excessive data accumulation
- SVG files are limited to 50 MB maximum size
- Browser storage content is limited to 2 MB per file
9. Cookies and Similar Technologies
9.1 Strictly Necessary Storage
School Draw uses browser local storage (not cookies) for essential functionality:
- Saving your drawings when you choose browser storage
- Storing authentication tokens when you sign in (temporary, session-based)
- Remembering your auto-save preferences
- Storing your last save location for convenience
Note: Browser local storage is similar to cookies but is not transmitted to any server with every request. It stays on your device and is only accessible by the School Draw application.
9.2 Third-Party Cookies
Google and Microsoft may set their own cookies when you use their authentication services. These are governed by their respective privacy policies.
9.3 No Tracking Cookies
We do not use any advertising, analytics, or tracking cookies.
10. Children's Privacy
School Draw is designed to be accessible to users of all ages, including children. We take children's privacy seriously:
10.1 Protection for Young Users
- Accessing the full drawing toolset requires signing in with a Google or Microsoft account; parental or guardian consent should be obtained before children sign in
- We do not knowingly collect personal information from children under 13 without parental consent — schools and parents should ensure appropriate accounts and permissions are in place before students use the application
- Once authenticated, drawings can be saved to the device without using cloud storage
- We do not use children's data for any purpose other than verifying access and enabling cloud save if chosen
10.2 Parental Guidance
We recommend that:
- Parents or guardians supervise children's use of cloud storage features
- Parents control whether children sign in with Google or Microsoft accounts
- Parents review and manage cloud storage permissions for children's accounts
- Children under 13 should not sign in with their own accounts without parental consent
11. International Data Transfers
11.1 Client-Side Processing
Because School Draw operates entirely in your browser, your data is not transferred internationally by our application.
11.2 Cloud Storage Transfers
If you choose to use Google Drive or OneDrive:
- Your data may be transferred to and stored in Google's or Microsoft's data centres, which may be located outside the UK or EEA
- Both Google and Microsoft have implemented appropriate safeguards including:
  - Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
  - Compliance with UK GDPR requirements
  - Additional security measures for international transfers
- You consent to these transfers when you choose to sign in and use cloud storage
12. Data Breach Notification
12.1 Our Responsibilities
In the unlikely event of a data breach affecting our application:
- We will notify the ICO within 72 hours if required by UK GDPR
- We will notify affected users without undue delay if there is a high risk to your rights and freedoms
- We will take immediate steps to contain and remedy the breach
12.2 Limited Risk
Because School Draw does not collect or store your data on our servers, the risk of a data breach affecting your information through our systems is minimal. Your primary data security depends on:
- Your device's security (for browser-stored drawings)
- Your Google or Microsoft account security (for cloud-stored drawings)
- Your browser's security settings and updates
13. Changes to This Privacy Statement
We may update this Privacy Statement from time to time to reflect:
- Changes in UK GDPR requirements or guidance from the ICO
- Changes to our application features or functionality
- Changes to third-party services we integrate with
- User feedback and best practice improvements
13.1 Notification of Changes
When we make significant changes:
- We will update the "Last Updated" date at the top of this document
- We will display a prominent notice in the application
- For material changes affecting your rights, we will seek your consent where required
13.2 Reviewing Changes
We encourage you to review this Privacy Statement periodically to stay informed about how we protect your data.
14. Your Consent
14.1 Accessing School Draw
To use School Draw's drawing tools, you must sign in with Google or Microsoft. By doing so, you consent to:
- Verification of your email address against the authorised access list via our Firebase Cloud Function
- Processing of your drawing data locally in your browser
- Storage of your drawings in browser local storage (if you choose this option)
- Storage of application preferences in browser local storage
14.2 Using Cloud Storage Features
When you sign in with Google or Microsoft, you explicitly consent to:
- Authentication through Google OAuth or Microsoft MSAL
- Storage of authentication tokens in your browser's local storage
- Access to your Google Drive or OneDrive for saving and loading drawings
- Creation of folders in your cloud storage for School Draw files
- Processing of your drawings and account information as described in this statement
- International data transfers to Google or Microsoft's data centres
14.3 Withdrawing Consent
You can withdraw your consent at any time by:
- Signing out of the application
- Revoking School Draw's access in your Google or Microsoft account settings
- Clearing your browser's local storage
- Deleting your drawings from cloud storage
- Stopping use of the application
15. Complaints and Supervisory Authority
15.1 Contact Us First
If you have concerns about how we handle your data, please contact us first using the details at the top of this document. We will do our best to resolve any issues promptly.
15.2 Right to Complain
You have the right to lodge a complaint with the UK's supervisory authority:
16. Legal Basis for Processing
Under UK GDPR Article 6, we process your data based on:
| Processing Activity | Legal Basis | Explanation |
|---|---|---|
| Processing your drawings | Consent / Legitimate Interest | You choose to create drawings and save them |
| Storing drawings in browser | Consent | You choose to save drawings to browser storage |
| Authentication with Google/Microsoft | Consent | You explicitly sign in to use cloud features |
| Saving to cloud storage | Consent / Contract | You choose to save files to your cloud storage |
| Storing application preferences | Legitimate Interest | Necessary to provide you with a consistent user experience |
| Security measures (input sanitisation) | Legitimate Interest | Necessary to protect you and other users from security threats |
17. Accessibility of This Statement
We are committed to making this privacy statement accessible to all users:
- This statement is written in clear, plain language
- We avoid unnecessary legal jargon where possible
- Tables and formatting make information easy to scan
- This statement is available as an HTML document that works with screen readers
- If you need this information in a different format, please contact us
18. Additional Information for Specific Users
18.1 Educational Institutions
If School Draw is used in schools or educational settings:
- Sign-in with Google or Microsoft is required to access the drawing tools; schools should ensure students have appropriate institutional accounts before using the application
- Teachers should review this privacy statement before recommending School Draw to students
- Schools must ensure they have appropriate consent from parents/guardians before students sign in, as authentication involves processing the student's email address for access verification
- Use institutional Google Workspace for Education or Microsoft 365 Education accounts, which provide additional safeguards for young users
- Schools are responsible for ensuring their use of School Draw complies with their own data protection policies and any relevant safeguarding obligations
18.2 Business/Professional Users
If you use School Draw for business purposes:
- Ensure your use complies with your organisation's data protection policies
- Be aware that drawings saved to cloud storage are subject to your organisation's Google Workspace or Microsoft 365 policies
- Consider using browser storage or device downloads for sensitive business information
Document Version: 1.2
Last Updated: 10 March 2026
Next Review Date: March 2027
Legal Framework: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018