Privacy Policy

Effective Date: January 26, 2026 · Last Updated: February 26, 2026

1. Introduction

This Privacy Policy explains how Current Labs (“we”, “us”, or “our”) collects, uses, stores, and shares your personal information when you use the Current Plugin Figma plugin and associated web application (“the Service”).

Current Labs is the data controller responsible for your personal data. This Privacy Policy applies specifically to the Current Plugin service and is separate from the privacy policy of the Current Labs ecosystem (currentlabs.dev).

We process your personal data primarily on the basis of contractual necessity (GDPR Article 6(1)(b)) — i.e., the data processing is necessary to provide the Service you have signed up for. Where we process data for other purposes, we rely on legitimate interest or legal obligation as described in Section 4 below.

2. Information We Collect

2.1 Account Information (via Google OAuth)

When you sign in, we collect the following from your Google account:

  • Name
  • Email address
  • Profile picture
  • Google account identifier

This information is required to create and manage your account.

2.2 Figma Component Data (Processed Temporarily)

When you use the plugin to analyze components, we temporarily process:

  • Component names and types
  • Component structure (children, nesting levels)
  • Variant names and properties
  • Design tokens (colors, spacing, typography)
  • Component dimensions and layout properties

This data is processed in real time and is not permanently stored on our servers. It is sent to our AI provider for analysis and the results are returned to you immediately.

2.3 Subscription and Payment Data

We store subscription-related information including:

  • Subscription status (trial, active, cancelled)
  • Paddle customer ID
  • Billing period dates

We do not collect, store, or have access to your payment card information. All payment details are collected and processed exclusively by Paddle, our payment processor and merchant of record.

2.4 Usage and Session Data

  • Pairing codes and session identifiers
  • Plugin session activity (connection timestamps)
  • AI API usage metrics (token counts, for internal cost tracking only)
  • Login timestamps and login count

2.5 Automatically Collected Information

  • IP address (from server logs)
  • Browser and device type (from standard HTTP headers)

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the plugin service
  • Process AI-powered component analysis
  • Manage your account and subscription
  • Authenticate your identity and plugin sessions
  • Provide customer support
  • Monitor usage for abuse prevention and service stability
  • Improve the Service

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

  • Account information (name, email, profile): Contractual necessity — required to create your account and provide the Service (Art. 6(1)(b))
  • Figma component data: Contractual necessity — required to perform AI-powered analysis you have requested (Art. 6(1)(b))
  • Subscription and billing data: Contractual necessity and legal obligation — required to manage your subscription and comply with tax/accounting laws (Art. 6(1)(b) and Art. 6(1)(c))
  • Usage and session data: Legitimate interest — necessary for service stability, abuse prevention, and improving the Service (Art. 6(1)(f))
  • Server logs (IP, browser info): Legitimate interest — necessary for security monitoring and debugging (Art. 6(1)(f))

5. How We Share Your Information

We maintain Data Processing Agreements (DPAs) with our sub-processors in accordance with GDPR Article 28.

We share your information with the following third-party service providers, each for a specific purpose:

5.1 Anthropic (Claude AI)

Figma component data (names, structure, properties) is sent to Anthropic's Claude AI API for analysis. This data is processed in real time and is not stored by Anthropic beyond their standard API processing. Subject to Anthropic's Privacy Policy.

5.2 Paddle (Payment Processor)

Your email address and user identifier are shared with Paddle for checkout and subscription management. Paddle acts as the merchant of record and handles all payment data, taxes, and billing compliance. Subject to Paddle's Privacy Policy.

5.3 Google (Authentication)

Google OAuth is used for sign-in. Google receives standard authentication requests. Subject to Google's Privacy Policy.

5.4 Google Cloud Platform (Infrastructure)

Your data is stored on Google Cloud Firestore and processed on Google Cloud Run, located in the us-central1 (Iowa, USA) region. Subject to Google Cloud's Data Processing Terms.

5.5 No Sale of Personal Data

We do not sell, rent, or trade your personal information to any third parties for marketing or advertising purposes.

6. Data Storage and Security

We implement reasonable security measures to protect your data:

  • Data is stored on Google Cloud Firestore with encryption at rest
  • All data in transit is encrypted using HTTPS/TLS
  • Authentication uses JWT tokens with 24-hour expiry
  • Plugin pairing codes expire after 5 minutes
  • Sessions can be revoked by administrators

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and the remedial actions taken

8. Data Retention

  • Account data: Retained while your account is active and for 30 days after account deletion to allow recovery, then permanently deleted
  • Figma component data: Processed in real time and not permanently stored on our servers
  • Pairing codes: Expire and are deleted after 24 hours
  • Plugin sessions: Expire after 7 days; expired sessions are cleaned up periodically
  • Server logs: Retained for 90 days, then automatically deleted
  • Subscription and billing data: Retained for 7 years after the end of the subscription to comply with tax and accounting obligations
  • Support requests: Retained for 2 years, then deleted

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to access: Request a copy of the personal data we hold about you. You can export your data at any time from your dashboard using the “Export My Data” button.
  • Right to rectification: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”). You can delete your account and all associated data from your dashboard using the “Delete My Account” button.
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a structured, machine-readable format (JSON). Available via the self-service export on your dashboard.
  • Right to object: Object to the processing of your personal data
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, you may use the self-service tools in your dashboard or contact us using the details in Section 15. We will respond to your request within 30 days.

10. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: Request information about what personal data we collect and how it is used
  • Right to delete: Request deletion of your personal information
  • Right to opt-out of sale: We do not sell your personal information
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

11. Cookies and Tracking

We use only essential cookies required for the Service to function:

  • Session cookies: NextAuth session tokens used for authentication. These are strictly necessary and cannot be disabled without losing access to the Service.

We do not use any third-party tracking, analytics, or advertising cookies.

12. Children's Privacy

The Service is not directed at individuals under the age of 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

13. International Data Transfers

Your data is processed and stored in the United States (Google Cloud us-central1 region). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on the following transfer mechanisms to ensure adequate protection:

  • Google Cloud Platform: Certified under the EU-US Data Privacy Framework (DPF). Additionally covered by Standard Contractual Clauses (SCCs) in Google Cloud's Data Processing Terms.
  • Anthropic (Claude AI): Component data is processed via API under Anthropic's commercial service terms. No personal data or design images are sent; only structural component metadata is transmitted for analysis. Anthropic does not use API data for model training.
  • Paddle (Payments): Acts as Merchant of Record and maintains its own GDPR compliance. Transfers are covered by Paddle's SCCs and Data Processing Agreement.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The “Last Updated” date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

15. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: