Privacy Policy
Scope: This Privacy Policy currently applies to Atomic Design Extractor Pro, a Figma plugin by Current Labs. As we release additional products, this page will be updated accordingly.
1. Introduction
Current Labs ("we", "us", or "our") operates the Atomic Design Extractor Pro Figma plugin and web application. This Privacy Policy explains how we collect, use, store, and protect your personal information.
We serve as data controller and process personal information primarily under contractual necessity (GDPR Article 6(1)(b)) when delivering the requested service. Additional processing relies on legitimate interest or legal obligation as detailed in Section 4.
2. Information We Collect
2.1 Account Information (via Google OAuth)
During sign-in, we collect the following from your Google account: name, email address, profile picture, and Google account identifier. This information is required for account creation and management.
2.2 Figma Component Data (Processed Temporarily)
When analyzing components, we temporarily process: component names and types, structure details (children, nesting levels), variant names and properties, design tokens (colors, spacing, typography), and dimensions/layout properties.
This data is processed in real time and is not permanently stored on our servers. It is transferred to the AI provider for analysis, and the results are returned immediately.
2.3 Subscription and Payment Data
Subscription-related information includes: subscription status (trial, active, cancelled), Paddle customer ID, and billing period dates.
We do not collect, store, or have access to your payment card information. Paddle, our payment processor and merchant of record, handles all payment details exclusively.
2.4 Usage and Session Data
We collect: pairing codes and session identifiers, plugin session activity (connection timestamps), AI API usage metrics (token counts for internal cost tracking only), and login timestamps/counts.
2.5 Automatically Collected Information
We collect IP address (from server logs) and browser/device type (from standard HTTP headers).
3. How We Use Your Information
Information collected serves to: provide and operate the plugin service, process AI-powered component analysis, manage accounts and subscriptions, authenticate identity and plugin sessions, provide customer support, monitor usage for abuse prevention and stability, and improve the Service.
4. Legal Basis for Processing
Under GDPR Article 6:
- Account information: Contractual necessity — required to create your account and provide the Service (Art. 6(1)(b))
- Figma component data: Contractual necessity — required to perform AI-powered analysis you have requested (Art. 6(1)(b))
- Subscription and billing data: Contractual necessity and legal obligation — required to manage your subscription and comply with tax/accounting laws (Art. 6(1)(b) and Art. 6(1)(c))
- Usage and session data: Legitimate interest — necessary for service stability, abuse prevention, and improving the Service (Art. 6(1)(f))
- Server logs: Legitimate interest — necessary for security monitoring and debugging (Art. 6(1)(f))
5. How We Share Your Information
Data Processing Agreements (DPAs) align with GDPR Article 28 requirements across sub-processors.
5.1 Anthropic (Claude AI)
Figma component data (names, structure, properties) is transferred to Anthropic's Claude AI API for analysis. Processing occurs in real time without storage beyond standard API operations. Subject to Anthropic's Privacy Policy.
5.2 Paddle (Payment Processor)
Email address and user identifier are shared with Paddle for checkout and subscription management. Paddle acts as merchant of record, handling payment data, taxes, and billing compliance. Subject to Paddle's Privacy Policy.
5.3 Google (Authentication)
Google OAuth processes sign-in requests. Subject to Google's Privacy Policy.
5.4 Google Cloud Platform (Infrastructure)
Data is stored on Google Cloud Firestore and processed on Google Cloud Run in the us-central1 (Iowa, USA) region. Subject to Google Cloud's Data Processing Terms.
5.5 No Sale of Personal Data
We do not sell, rent, or trade your personal information to any third parties for marketing or advertising purposes.
6. Data Storage and Security
Security measures include:
- Encryption at rest on Google Cloud Firestore
- HTTPS/TLS encryption for data in transit
- JWT tokens with 24-hour expiry for authentication
- Pairing codes expiring after 5 minutes
- Administrator-revocable sessions
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
7. Data Breach Notification
Upon breach discovery, we will:
- Notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, unless the breach poses minimal risk to individual rights and freedoms
- Notify affected individuals without undue delay if the breach presents high risk under GDPR Article 34
- Document the breach, effects, and remedial actions
8. Data Retention
- Account data: Retained during active status and for 30 days post-deletion to allow recovery, then permanently deleted
- Figma component data: Processed in real time without permanent server storage
- Pairing codes: Deleted after 24 hours
- Plugin sessions: Expire after 7 days; periodic cleanup follows
- Server logs: Retained 90 days, then automatically deleted
- Subscription and billing data: Retained 7 years post-subscription to comply with tax and accounting requirements
- Support requests: Retained 2 years, then deleted
9. Your Rights Under GDPR
EEA and UK residents possess these rights:
- Right to access: Request personal data copies; export available via dashboard's "Export My Data" button
- Right to rectification: Request inaccurate data correction
- Right to erasure: Request personal data deletion ("right to be forgotten"); account deletion available via "Delete My Account" button on dashboard
- Right to restrict processing: Request limitations on data usage
- Right to data portability: Request structured, machine-readable (JSON) data via dashboard self-service export
- Right to object: Object to personal data processing
- Right to withdraw consent: Withdraw consent where processing is consent-based
Requests receive responses within 30 days via self-service dashboard tools or contact details in Section 15.
10. Your Rights Under CCPA
California residents possess these rights:
- Right to know: Request information on collected personal data and usage
- Right to delete: Request personal information deletion
- Right to opt-out of sale: We do not sell personal information
- Right to non-discrimination: No discrimination occurs for exercising rights
11. Cookies and Tracking
Only essential cookies required for service functionality are used:
- Session cookies: NextAuth session tokens used for authentication. These are strictly necessary and cannot be disabled without losing access to the Service.
We do not use any third-party tracking, analytics, or advertising cookies.
12. Children's Privacy
The Service is not directed at individuals under the age of 13 (or under 16 in the EU). We do not knowingly collect data from children without parental consent; such information will be promptly deleted upon discovery.
13. International Data Transfers
Data processing and storage occur in the United States (Google Cloud us-central1 region). Data transferred from outside the US receives protection through:
- Google Cloud Platform: Certified under the EU-US Data Privacy Framework (DPF). Additionally covered by Standard Contractual Clauses (SCCs) in Google Cloud's Data Processing Terms
- Anthropic (Claude AI): Component data is processed via API under commercial service terms. Only structural metadata is transmitted; no personal data or design images are transferred. Anthropic does not use API data for model training
- Paddle (Payments): Maintains GDPR compliance as Merchant of Record; transfers covered by SCCs and Data Processing Agreement
14. Changes to This Privacy Policy
Updates may occur periodically. Material changes will be communicated via email or through the Service. The "Last Updated" date at the top of the page reflects the most recent revision. Continued use of the Service after changes take effect signifies acceptance of the revised policy.
15. Contact Information
For questions or requests to exercise your data rights:
- Current Labs (Data Controller)
- Email: legal@currentlabs.dev
- Phone: +972 52-388-8570
- Address: Shmuel Sharira 28, Rishon LeZion, Israel