Web to Design

Privacy Policy

Last updated: April 2026

This Privacy Policy explains how your personal information is processed and what rights you have when you use Drawflare (browser-side download/package and import into Figma; membership or billing-related data may be processed on servers).

01 Scope and definitions

1.1 Scope of this Policy

  • This Privacy Policy ("Policy") describes how Drawflare and its operators ("we") process information when we provide capabilities and support related to the product via this marketing site, descriptions, and download entry points. The product centres on two plug-ins: one that identifies pages in your browser and downloads/packages them into files you can save locally; one that reads that package in Figma and parses it into editable layers. Routine download/import flows largely run on your device and inside Figma, and we do not operate a general-purpose backend aimed at hosting full web business payload for you. When you register, purchase membership/subscription, or use paid tiers, data related to identity, fulfilment of subscriptions, billing, quotas (such as export/import counts), anti-abuse, and support may be processed on servers or via third-party services — see subsequent sections for detail.
  • If a separate privacy notice or supplementary terms accompanies a release and contradicts this Policy, the specialised terms for that update prevail where they differ; all other matters continue to rely on this Policy.
  • This Policy does not cover independently operated offerings such as the Figma platform itself, browsers, operating systems, other extensions/tools you install, or purely local tooling. Your interactions there remain subject to those parties' notices and policies. We only collect what is reasonably needed to ship Drawflare as described herein.

1.2 Who this Policy applies to

  • "You" means any natural person who visits the site, downloads or uses our plug-ins, registers, or reaches out to support, plus any organisation and its duly authorised representatives when acting on behalf of that organisation.
  • If you are under the age threshold set by applicable law, review this Policy with parental/guardian consent; guardians may contact us to exercise rights attached to minors (see "Children's privacy" below).

1.3 Key terminology (informative glossary; authoritative legal definitions follow applicable statutes)

  • Personal information means information electronically or otherwise recorded that relates to identified or identifiable natural persons, excluding information that cannot identify individuals once anonymised.
  • Sensitive personal information means categories which, once leaked or misused, are likely to damage dignity or endanger persons or assets; such collection triggers additional explanation/consent absent statutory carve-outs.
  • Processing encompasses collection, storage, use, analysis, transmission, disclosure, deletion, plus related activity.
  • Controller / Processor roles: Drawflare is the controller deciding purposes/means inside this Policy; subcontractors follow our instructions pursuant to contracts and statutory duties.
  • Account: credentials registered with us plus associated identifying profile metadata.
  • Packaged file / User content: intermediate files emitted by the webpage plug-in (structure, styling, embedded assets), whose scope reflects pages you knowingly package.

1.4 Contacting us

  • Raise questions about this Policy or our processing practices through the publicly posted contacts on our site when you wish to complain or exercise rights.

1.5 Relationship to other documents

  • This Policy works together with the Terms of Service; where documents conflict on personal information, this Policy governs unless mandatory law says otherwise.

02 Information we collect

2.1 Overview

  • We only collect personal information to the extent required to provision, safeguard, optimise and operate Drawflare, and to fulfil legal duties; specifics depend on the features you activate, browsers/devices, or whether you're signed in.
  • Some categories are volunteered; others are emitted automatically during site/plug-in use; social login/payment gateways may furnish limited artefacts when you authenticate with them.
  • Refusing identifiers needed for invoicing/login/billing scenarios may partially disable tied functionality.

2.2 Account and identifying data

  • Registration / sign-in captures email, telephone, display name/username, password or OAuth identifiers, and unique account IDs, according to whichever methods we enable.
  • Team plans capture organisation metadata — names, invitations, seating/roles whenever such fields exist inside the SKU you purchase.
  • Billing/subscription artefacts include tier snapshots, transactional records, invoicing particulars you supply (tax IDs, postal addresses); payment artefacts usually remain inside the PSP while we ingest tokenised summaries plus transaction status descriptors.

2.3 Usage tied to quotas and memberships

  • Quotas and membership: exporting/importing quotas may invoke online validation; we persist counters, timestamps or session correlations so pricing pages stay accurate — these signals focus on entitlement enforcement, not re-hosting packaged page payloads.

2.4 Operational logs & diagnostics

  • Usage telemetry across site & plug-ins: clicks, configs, surfaced errors/results for reliability and roadmap planning.
  • Technical/security logs: IPs (masked/truncated), coarse geo-inference from IPs (city/regional fidelity, never constant tracking), UA strings, whichever Figma host facts the plug-ins can disclose, semantic versions, timestamps, URIs/session ids.

2.5 Device & reliability signals

  • Environment compatibility: OS, browser builds, locales, DPI hints when surfaced for responsiveness.
  • Crash/perf telemetry: condensed stack fingerprints, durations, instrumentation windows (privacy toggles surfaced in UX copy when available).

2.6 Web-facing content interplay

  • Packaging/import mostly stays offline + inside Figma. Beyond narrowly scoped network calls disclosed in-product — sign-in probes, entitlement checks, optional auto-update or crash ingestion — hosting complete site replication on our infra is outside day-one architecture. Were we to expose server-mediated routes in future launches, we'd secure consent and announce before activation.
  • Packed pages sometimes embed third-party IP or secrets; acknowledging this Policy does not appoint us controllers over those artefacts — you certify lawful authority yourself.

2.7 Interactions routed through Figma

  • Figma governs workspaces/permissions. Telemetry we glean via Figma APIs/host surfaces exists solely for import fidelity + diagnostics, never for unsolicited commercial repurposing beyond your session.

2.8 Support artefacts

  • Tickets, mails, questionnaires may expose narrative plus attachments/screenshots tying back to you.

2.9 Aggregates & anonymisation

  • We may statistically blend or pseudonymise data for analytics/improvements; resultant datasets fall outside personalised provisions where law permits.

03 How we use information

3.1 Overview

  • Processing stays limited to the purposes below and aligns with lawful grounds; absent consent or statutes to the contrary, we avoid unrelated secondary uses.
  • Our vendors receive written guardrails restricting scope/security minimums whenever they qualify as subprocessors.

3.2 Providing, sustaining and delivering services

  • Where memberships/paid tiers exist we maintain identifiers, entitlement views and quotas consistent with storefront + in-product disclosures.
  • Plug-in workloads remain predominantly local or within Figma; ancillary metadata verifies membership quotas, patching and diagnostics without warehousing entire page payloads as a baseline design.
  • Maintain marketing site UX, artefacts, changelog-style communications and staffed support.

3.3 Improving the product experience

  • Observe uptake, defect density and sluggish flows — prefer aggregates where feasible.

3.4 Security and anti-abuse

  • Thwart brute forcing, scripted quota theft, unauthorised account reuse or automation that harms others.
  • Implement access tiers, alerting and audited logs as appropriate.

3.5 Operational correspondence

  • Mission-critical notices spanning safety, SKU adjustments and invoicing; promotional channels remain opt-in with reliable unsubscribe tooling.

3.6 Billing and fulfilment

  • Reconcile metering, invoicing artefacts and PSP records where applicable.

3.7 Regulatory cooperation and privacy requests

  • Honour lawful orders within statutory bands; adjudicate SARs and similar requests according to workflow.

3.8 Corporate transactions

  • Mergers or asset purchases may reposition datasets — successors must honour this Policy or obtain fresh consent/disclosures as applicable law demands.

3.9 Automated decision-making

  • Automated decisions with material individual impact would ship with explanations and remedies; until then rely on factual product disclaimers unless extended later.

04 Legal bases (summary)

4.1 Overview

  • Typical bases include contract necessity, consent, legal duties and safeguarding legitimate interests. Judicial interpretation ultimately governs nuances beyond this synopsis.

05 Sharing and disclosure

5.1 Overview

  • We do not “sell” personal information within the meaning of applicable law except where statutes define the term broadly; onward transfers occur only within this Policy, with consent or when compelled.

5.2 Vendors and subprocessors

  • Hosting, storage, CDN, email, ticketing, monitoring, fraud tooling and PSPs underpin storefront and collaboration workloads under DPAs and necessity tests.

5.3 Parties you instruct

  • Uploading zipped outputs into Figma drives or other SaaS targets routes flows under counterparties whose notices apply to that hop.

5.4 Regulatory and judicial pathways

  • Lawful orders may mandate disclosure — we obey while notifying you unless tactically barred.

5.5 Protecting rights, safety and integrity

  • Counsellors/auditors may review slices when asserting defences or investigating fraud/abuse narratives.

5.6 Corporate restructuring

  • Asset transfers follow statutory choreography and counterpart notifications.

5.7 Public disclosures

  • No gratuitous publication of identifiable data absent legal mandates or affirmative permission.

5.8 Aggregate or de-identified data

  • Statistical outputs must remain compliant with masking rules imposed by statute.

06 Cross-border transfer

6.1 When transfers arise and safeguards

  • Opting into accounts or paid plans may traverse global infrastructure powering authentication, invoicing mailers and ticketing. Purely offline plug-in usage without furnishing identity rarely positions us as cross-border receivers of packaged website artefacts. Overseas transfers invoking SCCs/CBDT filings or analogous instruments will be mirrored in vendor onboarding per jurisdiction.

6.2 Questions

  • Contact us via published channels when you wish to understand transfer mechanics relevant to your profile.

07 Data retention

7.1 Overview

  • Retention tracks legitimate durations; afterward delete/anonymise; backups rotate systematically.

7.2 Accounts and profiles

  • Active accounts persist baseline registration rows; deactivated accounts purge within reasonable SLA unless law demands longer holds.

7.3 Metering, logs and care records

  • Quotas and settlement logs diverge SKU-by-SKU; support tickets linger briefly for QA and escalation genealogy.

7.4 Server-side placeholders

  • We do not, by default, warehouse entire packaged webpages merely because plug-ins interoperate — future relays would describe retention inline.

7.5 Finance ledgers

  • Tax artefacts survive statutory eras.

7.6 Security and disputes

  • Investigations may postpone deletion beyond nominal windows.

7.7 Erasure petitions

  • Honour unless exemptions attach.

7.8 Backups/remanence

  • Copies decay per backup playbook.

7.9 Self-serve fidelity

  • Follow dashboards for export/deletion choreography.

08 Security posture

8.1 Overview

  • Controls correlate with calibrated risk posture; nonetheless absolute security promises are impracticable — this synopsis is descriptive, not a warranty.

8.2 Organisational and administrative measures

  • Separation of duties, processor contracts, trainings sized to organisational maturity.

8.3 Technical safeguards (samples)

  • TLS in-flight, hashing/encryption selectively at rest, environment isolation, session/timeouts/KMS stewardship.

8.4 Product nuance

  • Dragging zipped exports between browsers and Figma hinges on workstation hygiene; paid APIs endeavour toward HTTPS-aligned stacks per implementation timelines.
  • Rotate browser/Figma credentials per issuer guidance.

8.5 Incidents & notices

  • Statutorily tuned breach signals via web, inbox or banners.

8.6 Your diligence

  • Guard passwords/API secrets; escalate suspected compromises after rotating exposures.

09 Your choices and rights

9.1 Overview

  • Location-dependent palettes may include access, rectification, erasure, restriction, portability, objection — surfaced via dashboards or mailboxes listed on-site after identity safeguards.
  • Response cadence parallels statutory horizons; nuisance surcharges permissible where statutes allow tariffs.

9.2 Access and portability copies

  • Learn whether/how we handle specific categories plus obtain machine-readable copies absent unjust third-party harm.

9.3 Rectification

  • Incorrect/incomplete dossiers merit collaborative correction or self-service editors.

9.4 Erasure (“right to be forgotten”)

  • Statutory triggers satisfied ⇒ deletion — conflicting retention owes explanation plus isolation tactics otherwise.

9.5 Restriction hiatus

  • Certain disputes warrant storage-only freezes mid inquiry.

9.6 Structured carry-out transfers

  • Transfer controller-designated dossiers technologically practicable successors accept.

9.7 Objections incl. marketing

  • Oppose balancing-test processing; veto direct advertisements outright.

9.8 Withdraw consent

  • You may withdraw consent; withdrawal does not retroactively affect processing that was lawful before it, yet feature loss may cascade.

9.9 Users located in mainland China (if applicable)

  • Pursuant to the Personal Information Protection Law and satellite rules you may exercise rights covering disclosure, determinism, review/reproduction, supplementation, deletion, explanatory dialogue — denials articulate reasoning pipelines including regulator complaints/litigation.

10 Children’s privacy

10.1 Orientation

  • Surfaces envisage occupational adults — no targeted harvesting from minors by design.

10.2 Age tiers and carers

  • Local statutes define permissible flows; carers may liaise with us preemptively.

10.3 Accidental collection

  • Upon discovery purge quickly and refactor intake safeguards.

11 Cookies & tracking aides

11.1 Mechanics

  • Session glue/preferences lean on cookies and analogues sparingly atop marketing realms.

11.2 Categories

  • Strictly necessary, ergonomic, analytic (consent-driven jurisdictions), hypothetical marketing overlays if spun up.

11.3 Third-party breadcrumbs

  • Embeds originate their trackers — scrutinise neighbouring policies proactively.

11.4 Controls

  • Browser sliders plus onsite preference canvases wherever launched.

11.5 Do Not Track

  • Lacking interoperability standards, signals may linger unacknowledged awaiting consensus.

12 Policy revisions

12.1 Revision authority

  • Iteratively refresh “Last updated” stamps headlining this document.

12.2 Material deltas

  • Prominent nudges/regathered consents wherever compelled.

12.3 Continued engagement

  • Unless outlawed alternatively, lingering post-effective usage signals acceptance—or cease usage and revoke accounts proactively.

12.4 Historical archives

  • Repositories aspire to squirrel superseded iterations when pragmatic.