PRIVACY Policy
Effective Date: August 31, 2023
1. ABOUT
Figma, Inc. and its affiliates’ (“Figma,” “we,” “us,” and “our”) goal is to make design accessible to all. This Privacy Policy will help you understand how we collect, use and share your personal information and assist you in exercising the privacy rights available to you.
Capitalized terms not defined in this Privacy Policy have the meanings set forth in our Terms of Service.
2. SCOPE
This Privacy Policy applies to personal information collected, processed, and shared by us, including on our websites (e.g., figma.com, designsystems.com and any other websites that we own or operate), our mobile applications, our application program interfaces, our design tool services, and our related online and offline offerings (collectively, the “Services”).
This Privacy Policy does not apply to any processing by third-party websites, services or applications, even if they are accessible through our Services. It does apply to data received by Figma from such third-parties. In addition, a separate privacy notice, available upon request if it applies to you, governs processing relating to our current employees and contractors.
3. PERSONAL INFORMATION WE COLLECT
The personal information we collect depends on how you interact with our Services.
When we use the term “personal information” in this Privacy Policy, we mean all information that can be used to identify a natural person, either alone or when combined with other information.
Information You Provide to Us
Account Information. When you create a Figma account, we collect the personal information you provide to us, such as your name, email address, personal website, and picture. If you enable phone based two-factor authentication, we collect a phone number and you agree to receive text messages from Figma to enable two-factor authentication when you login. Message and data rates may apply.
Payment Information. Where we sell products and services through the Services, we use third-party applications, such as the Apple App Store, Google Play App Store, Amazon App Store, and/or services such as Stripe to process your payments. These third-party applications will collect information from you to process a payment on behalf of Figma, including your name, email address, mailing address, payment card information, and other billing information. Figma does not receive or store your payment information, but it may receive and store information associated with your payment information (e.g., the fact that you have paid, the last four digits or your credit card information, and your country of origin).
Communication Information. We collect personal information from you such as email address, phone number, mailing address, and marketing preferences when you request information about the Services, register for our newsletter, or otherwise communicate with us.
Candidate Information. We may post job openings and opportunities on the Services. If you reply to one of these postings or otherwise provide us with your candidacy information, we will collect and process the information you provide to us.
Service Use Information. We collect information you provide to the Services for the purpose of providing the Services to you, which may include personal information such as information about your interactions with other users and any content you create or upload when using the Services.
Customer Service Information (including Training and Quality Assurance). If you call or otherwise interact with Figma’s sales, customer service or support personnel, we collect the information you provide to our representatives. In addition, we may record telephone calls or video conferences between you and our representatives for training or quality assurance purposes.
Educational Account Information. If you qualify for Educational Use, we may collect information relating to your school and curriculum, such as your school name, school mailing address, school website and proof of registration. Note that, as provided in our Terms of Service, you may only use the Services if you are old enough to consent (by yourself and not by a parent or guardian) to share your data under applicable law. For example, you must be 13 years or older under most United States’ law, or 16 years or older under California or European Union law. If you are using Figma Community, you must be at least 16 years or older. Users under the age of 13 may use the Services pursuant to an agreement we have with the student’s educational institution (see Children’s Information below)
Sweepstakes, Contests, Surveys and Events Information. In connection with sweepstakes, contests, surveys, conferences, and other events hosted, run or sponsored by us, you may provide information to us, or we may receive information about you, such as name, email address, mailing address, demographic data, and any information specific to the event.
Marketing Program and Co-Promotional Activities Information. In connection with applying to and participating in any marketing or partnership programs offered by Figma, we may collect and process the information you provide to us, such as name, email address, mailing address, and any information specific to the program, to assess your suitability for participation and administer the program.
Information Collected Automatically (Technical information)
Automatic Data Collection. We collect certain information automatically when you use the Services. This information may include your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile advertising and other unique identifiers, details about your browser, operating system or device, location information (inferred from your IP address), internet service provider, pages that you visit before, during and after using the Services, information about the links you click, and information about how you interact with and use the Services.
With your permission, we may also collect information about your operating system’s installed fonts in connection with providing the Services to you.
Cookies, Pixel Tags/Web Beacons, and Analytics Information. We, as well as third parties that may provide content, advertising, or other functionality on or in connection with the Services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. Technologies are essentially small data files placed on your device that allow us and our partners to record certain pieces of information whenever you visit or interact with our Services.
- Cookies. Cookies are small text files placed in device browsers to store their preferences. For more information about how to control what data are collected by cookies, see below in the “Your Choices” section.
- Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
Analytics. We use Google Analytics and other service providers to collect and process analytics information on our Services. For more information about how Google uses data, please visit www.google.com/policies/privacy/partners/. You can opt out of Google Analytics’ collection and processing of data generated by your use of our website by going to http://tools.google.com/dlpage/gaoptout.
Information from Other Sources
Figma Customers. If you use our Services on behalf of, or in collaboration with, an organization (e.g., your employer), that organization may provide us with information about you so that we can provision your account.
Third Party Services and Organizations. We may obtain information about you from other sources, including from third party services and organizations. If you choose to enable third party services, Figma may access and exchange Service Use Information, Account Information, and Technical Information with the third party on your behalf, in accordance with any permissions granted by you (including your Authorized User(s)). For example, if you access our Services through a third-party service, we may collect information about you from that third party service that you have made available via your privacy settings.
4. HOW WE USE YOUR INFORMATION AND OUR LEGAL BASIS FOR PROCESSING
In this section we describe all the ways we use your personal information, and the legal bases we rely on to do so.
In certain situations, we require your data to pursue our legitimate interests in a way which is reasonable for you to expect as part of running our business and which does not materially affect your rights and freedoms. We have identified below what our legitimate interests are.
When we process your information based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on such consent before it is withdrawn. To exercise your rights, see the Contact Us section of this Privacy Policy.
We use the personal information that you provide to us, that we collect (automatically), and that we receive from third parties for a variety of business purposes, including:
1. Providing and managing the Services or information requested, such as:
- account creation;
- managing your information and account;
- responding to questions, comments, and other requests;
- processing payment card and/or other financial information to facilitate your use of the Services;
- managing payments and recovery of debts due to us;
- providing access to certain areas, functionalities, and features of our Services, including the sharing of content with friends, colleagues and other users;
- answering requests for customer or technical support; and
- responding to requests in relation to personal information processed about the individual.
This includes: the processing of all categories of information except for Candidate Information.
Legal Basis: Performance of the contract with you. Necessary for our legitimate interests to recover debts due to us. Necessary for our legitimate interests to respond to and communicate with you (where we do not have a contractual relationship or legal obligation to do so). Necessary to comply with a legal obligation (including national data protection and consumer protection laws, for example to respond to requests in relation to personal information processed about the individual)
2. Communicating with you about your account, activities on our Services and Privacy Policy or terms of service changes. This includes: the processing of your Account Information Communication Information, Service Use Information, Student Account Information, Sweepstakes, Contests, Surveys and Events Information, Customer Service Information, and Marketing Program and Co-Promotional Activities Information.
Legal Basis: Performance of the contract with you. Necessary to comply with a legal obligation (including national data protection and consumer protection laws).
3. Administering and protecting our business and Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting, internal quality control and safety and hosting of data).
This includes: the processing of your Account Information, Communication Information, Technical Information, Service Use Information, Student Account Information, Marketing Program and Co-Promotional Activities Information, and Customer Service Information
Legal Basis: Performance of the contract with you. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise). Necessary to comply with a legal obligation (including national data protection and information security laws)
4. Using data analytics to improve our website, products/Services, marketing, customer relationships and experiences.
This includes: the processing of your Technical Information, Service Use Information, and Customer Service Information.
Legal Basis: Necessary for our legitimate interests (to define types of customers for our products and Services, to keep our Services updated and relevant, to develop our business and to inform our marketing strategy).
Consent (in certain cases - see our cookie consent tool).
5. Enabling you to partake in a prize draw, competition or complete a survey.
This includes: the processing of your Sweepstakes, Contests, Surveys and Events Information and Communications Information.
Legal Basis: Performance of a contract with you. Necessary for our legitimate interests (to study how customers use our products/services, and to develop them and grow our business).
6. Carrying out surveys for user research and analyzing your feedback.
This includes: the processing of your Surveys and Events Information and Account Information, Student Account Information, Communications Information, and Use of Services Information.
Legal Basis: Necessary for our legitimate interests (to study how customers use our products/services, and to develop them and grow our business).
7. Make suggestions and recommendations to you about goods or services that may be of interest to you.
This includes: the processing of your Account Information, Student Account Information, Communications Information, Service Use Information, and Technical Information.
Legal Basis: Necessary for our legitimate interests (to develop our products/services and grow our business) (where consent is not required by marketing laws – in which case consent shall be relied upon).
8. Contacting customers and prospective customers about products, services, developments and events we think may be of interest to you.
This includes: the processing of your Account Information, Student Account Information, and Communication Information.
Legal Basis: In certain situations, we seek consent before sending marketing materials to individuals and in such cases consent is our lawful basis for sending marketing to you.
Where we do not obtain consent, we rely on our legitimate interests (to develop our products/services and grow our business) as our lawful basis for sending marketing materials to you.
If you have any questions about our marketing practices or if you would like to withdraw your consent or opt out of the use of your personal information for marketing purposes, you may contact us as set out in the Contact Us section of this Privacy Policy.
9. Delivering relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.
This includes: the processing of your Account Information, Student Account Information, Communications Information, Service Use Information, and Technical Information.
Legal Basis: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). If required by marketing laws, we seek consent before serving advertisements to individuals and in such cases consent is our lawful basis for sending marketing to you.
10. Enforcing our agreements, and complying with our legal obligations including to share information with law enforcement, the courts and other authorities.
This could include any personal information we process about you.
Legal Basis: Necessary to comply with a legal obligation (including national data protection, cyber security and surveillance laws). Necessary for our legitimate interests (to enforce our agreements, to seek professional advice, or to establish, exercise or defend a legal claim).
11. Recruiting and hiring, including considering your candidacy for employment.
This includes: the processing of Candidate Information and Communication Information.
Legal Basis: Necessary for our legitimate interests (to screen candidates and consider your suitability for a position). Entry into a contract with you.
12. De-identifying data and creating aggregated information.
This could include any personal information we process about you.
Legal Basis: Necessary for our legitimate interests (to use personal information to create de-identified and/or aggregated information, such as de-identified demographic information, de-identified location information, and information about the device from which you access our Services. De-identified and/or aggregated information is used for several purposes, including research, industry analysis, analytics, and any other legally permissible purposes.)
13. Enabling your participation in marketing and partnership programs
This includes the processing of your Communication Information and Marketing Program and Co-Promotional Activities Information.
Legal Basis: Performance of a contract with you. Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
Consent: In certain cases.
5. DISCLOSING YOUR INFORMATION TO THIRD PARTIES
We may share any personal information we collect with the following categories of third parties for the purposes described above and as follows:
Other Users of Figma’s Services. When you use the Services to collaborate or interact with others, we will share certain information with your collaborators. For example, you can create content, which may contain information about you, and grant permission to others to see, share, edit, copy and download that content based on settings you or your administrator (if applicable) select. In addition, some of the collaboration features of the Services display some or all of your profile information to other Service users when you share or interact with specific content. For example, when you comment, we display your profile picture and name next to your comments so that other users with access to the comment know who made it. Similarly, when you join a team, your name, profile picture and contact information will be displayed in a list for other team members so they can find and interact with you. Please note that while we require all our users to comply with our acceptable use policy, we are not responsible for privacy practices of users who receive information about you through the Services.
The Public. Content can be made publicly available by you or others collaborating on it, and in such cases any information about you included in such content is also publicly available and can be indexed by search engines. You can check at any time whether particular content is public or private by viewing the content’s settings. In addition, in connection with your posting of content on Figma Community, we will publicly share your picture, name, user handle, and Twitter (or other social networking site) handle (to the extent you have provided us with this information).
Service Providers. We may share personal information we collect about you with our service providers. The categories of service providers to whom we entrust personal information include service providers for: (i) the provision of the Services; (ii) the provision of information, products, and other services you have requested; (iii) marketing and advertising; (iv) payment and transaction processing; (v) customer service activities; and (vi) the provision of IT and related services, and (vii) distributing the Services through regional channel partners. Third-party services include, for example, reCAPTCHA and anti-spam services provided by Arkose Labs which are subject to their Privacy Policy, helpdesk support services provided by Zendesk, analytic and experimental services provided by Statsig, subject to Statsig's Privacy Policy, and anti-spam services provided by Akismet subject to Akismet’s Privacy Policy. The Figma Store (https://store.figma.com/) and related subdomains are operated by Shopify, and therefore subject to Shopify’s privacy policy.
Your Organization and Administrator. If you access the Services on behalf of an organization (such as with your organization’s domain) or have your account paid for by another party, we will share your information with that organization or paying party at its request and give such organization certain rights over your information. For example, your organization may request that we provide extra security controls around your account to protect information about your organization or your organization may request that we link your Figma account with your organization’s account to enhance collaboration. If you are the administrator of a team, organization or other account holder within the Services, we may share your contact information with current or past Service users related to you, for the purpose of facilitating Service-related requests. Please note that your information may also be subject to your organization’s privacy policy, and we are not responsible for the privacy or security practices of our customers.
Community Creators. If you acquire any resources from third-party creators on Figma Community (available at www.figma.com/community), in connection with the transaction we will share your personal information with such creators, including your name and any other information reasonably related to the transaction. Any other information shared between you and the creator (if any) is governed by the creator’s privacy policy.
Third-Party Platforms and Services. We will share your personal information with third-party platforms and/or services if you have expressly consented or requested that we do so. Please note we do not endorse, screen or approve, and are not responsible for, the practices or conduct of such third-party services.
Advertising Partners. Through our Services, we allow third-party advertising partners to set Technologies and other tracking tools to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners use this information (and similar information collected from other websites) for purposes of delivering targeted advertisements to you when you visit third-party services within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.” If you prefer not to share your personal information with third-party advertising partners, you may follow the instructions under the Your Choices heading below.
Disclosures to Protect Us or Others. We will access, preserve, and disclose information we have associated with you to competent law enforcement bodies, regulatory and government agencies, courts or other third parties if we believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our or others’ rights, property, or safety; (iii) enforce Figma’s policies and contracts; (iv) collect amounts owed to us; (v) prevent financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vi) if we, in good faith, believe that disclosure is otherwise necessary or advisable.
Disclosure in the Event of Merger, Sale, or Other Asset Transfer. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred in accordance with our legitimate interests in administering our business as part of such a transaction, as permitted by law and/or contract.
6. INTERNATIONAL DATA TRANSFERS
The personal information we process may be transferred to, processed, and stored anywhere in the world, in jurisdictions which may have data protection laws that are different from the laws where you are located (and, in some cases, may not be as protective), and may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to applicable laws. We endeavor to safeguard your personal information in accordance with the requirements of applicable laws
Specifically, all personal information we process is transferred to, processed, and stored in the United States, where our headquarters and our main servers are located. Our group affiliates and our third party service providers and partners operate in the geographies identified on https://www.figma.com/sub-processors/. This means that when we collect your personal information, we will process it in any of these countries.
Where we transfer your personal information to countries and territories outside of the European Economic Area (“EEA”), Switzerland and the UK, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” and “adequacy regulations” from the European Commission, Swiss and UK authorities.
Where the transfer is not subject to an adequacy decision, we take appropriate safeguards to ensure that your personal information will remain protected in accordance with this Privacy Policy and applicable laws. These safeguards include implementing the European Commission’s Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2) GDPR for transfers originating in the EEA and the UK Addendum permitted under Article 46(2) of the UK GDPR for the transfer of data originating in the UK.
Our Standard Contractual Clauses entered into by our group companies and with our third party service providers and partners can be provided on request. Please note that some sensitive commercial information will be redacted.
If you have any questions or concerns related to international data transfers, please contact us using the information set forth below.
7. E.U. – U.S. DATA PRIVACY FRAMEWORK, UK EXTENSION AND SWISS – U.S. DATA PRIVACY FRAMEWORK
Figma, Inc. (for the purposes of this section, “Figma”, “we”, or “us”) has certified to the U.S. Department of Commerce that we adhere to: (i) the EU-U.S. Data Privacy Framework Principles with regards to the processing of personal information received from the European Union in reliance on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and (ii) the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) with regards to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”).
The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF and to view our certification, please, please visit the Data Privacy Framework Program's website.
The types of personal information we receive in the U.S., as well as the purposes for which we collect and use it, are set out in Section 3 and 4 above. We will give you an opportunity to opt out where personal information we control about you is to be disclosed to an independent third party, or is to be used for a purpose that is materially different from those set out in this Privacy Policy. If you otherwise wish to limit the use or disclosure of your personal information, please contact us via the contact details set out below.
Information about the types of third parties to which we disclose personal information and the purposes for which we do so is described in Section 5 above. If we have received your personal information in the U.S. and subsequently transfer that information to a third party acting as an agent, and such third party agent processes your personal information in a manner inconsistent with the DPF Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.
Please note that, under certain circumstances, we may be required to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you are from the EEA, UK or Switzerland, you have the right to request access to the personal information that we hold about you and request that we correct, amend, or delete it if it is inaccurate or processed in violation of the DPF Principles. If you would like to exercise these rights, please write to us at the contact details provided below. We may request specific information from you to confirm your identity and we will respond to your request in accordance with the DPF Principles and applicable data protection laws. You may also opt-out of receiving marketing communications from us by writing to us at the contact details provided below or by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you.
We commit to resolve DPF-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact us using the contact details provided below. We will investigate and attempt to resolve any DPF-related complaints or disputes within forty-five (45) days of receipt.
If you have any questions or concerns related to our DPF certification or to resolve any complaints about our collection or use of your personal information, you should first contact us using the information set forth below.
If you have an unresolved DPF complaint that we have not addressed satisfactorily, we have further committed to refer unresolved complaints to JAMS Data Privacy Dispute Resolution Program, an independent dispute resolution provider located in the U.S. made available free of charge. For more information or to submit a complaint please visit: https://www.jamsadr.com/eu-us-data-privacy-framework.
Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution options do not satisfactorily resolve your concerns.
We reserve the right to amend this section from time to time consistent with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF requirements.
8. YOUR CHOICES
General. You have the right to opt out of certain uses of your personal information.
Email. If you receive an unwanted marketing email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future marketing emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to our Terms of Service or this Privacy Policy).
Mobile Devices. We may send you push notifications through our mobile application. You may at any time opt out from receiving these types of communications by changing the settings on your mobile device.
Cookies and Interest-Based Advertising. You have the right to decide whether to accept or reject cookies. If you are located in the European Union, you can change your cookie preferences through our cookie consent tool, which you can access at any time by clicking “Manage Cookies” in the footer of our website (you may need to log out of your Figma account to access the footer). You can also stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt out of personalized advertisements on some mobile applications by following the instructions for Android and iOS.
The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these websites and learn more about targeted advertising and consumer choice and privacy, at www.networkadvertising.org/managing/opt_out.asp, http://www.youronlinechoices.eu/, https://youradchoices.ca/choices/, www.aboutads.info/choices/, and https://adstandards.ca/about/ad-choices-accountability-program/.
Please note you must separately opt out in each browser and on each device.
“Do Not Track” and “Global Privacy Consent”. Do Not Track (“DNT”) and Global Privacy Consent (“GPC”) signals are a privacy preferences that users can set in certain web browsers. We do not respond to DNT signals; however, we do recognize and process GPC signals by certain web browsers. If we are able to reasonably associate a GPC signal with an identifiable consumer, we will treat it as a request to opt-out of the sale or sharing of that consumer’s personal information (as such terms are defined by the California Consumer Privacy Act).
9. YOUR PRIVACY RIGHTS
In accordance with applicable law, you may have the right to:
- Confirm whether we are processing your personal information;
- Request access to and portability of your personal information about you, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company (the “right of data portability”);
- Request correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information;
- Request deletion of your personal information (including to request deletion of your account). In limited circumstances, it may be necessary to retain your Personal Information to comply with legal requirements even if a deletion request is made;
- Request restriction of or object to our processing of your personal information;
- Withdraw your consent to our processing of your personal information; and
- Opt-out of marketing communications. Please see more on this in Section 8, above.
If you would like to exercise any of these rights, please contact us as set forth below.
We will process such requests in accordance with applicable laws. To protect your privacy, we will take steps to verify your identity before fulfilling your request.
Please note that if you use our Services on behalf of an organization (e.g., your employer), that organization may be responsible for fulfilling the individual rights requests referenced above.
10. DATA RETENTION
We store the personal information we receive as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and/or comply with applicable laws. The specific retention periods depend on the nature of the information and why it is collected and processed and the nature of the legal requirement.
When we have no ongoing legitimate business need or legal reason to process or retain your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. You may request deletion of your personal information at any time as noted in “Your Privacy Rights”, above, but that will require you to delete your account with us, as we need your personal information to maintain your account.
11. SECURITY OF YOUR INFORMATION
We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy.
We may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on the Services, by mail or by sending an email to you.
12. THIRD-PARTY WEBSITES/APPLICATIONS
The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Visiting these other websites or applications is at your own risk.
13. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS
This Supplemental Notice for California Residents supplements our Privacy Policy and only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (as amended from time to time) (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Figma has collected about them, whether Figma disclosed that personal information for a business purpose (e.g., to a service provider), whether Figma “sold” that personal information, and whether Figma “shared” that personal information for “cross-context behavioral advertising” in the preceding 12 months. California residents can find this information above, in the respective sections of this Privacy Policy, and below:
Figma collects the following Categories of Personal Information:
- Identifiers: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): A name, signature, address, telephone number or employment. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Note: Some personal information included in this category may overlap with other categories.
- Protected classification characteristics under California or federal law: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.
- Commercial information: Records of products or services purchased or obtained from Figma.
- Internet or other electronic network activity: Information on a consumer's interaction with websites, applications, or advertisements related to the Services.
- Geolocation data: Physical location.
- Sensory data: Audio, electronic, visual, or similar information.
- Inferences drawn from other personal information to create a profile about a consumer: Profile reflecting a consumer's preferences or characteristics as they relate to the Services.
- Personal information that reveals a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account: Figma account credentials, payment information. For clarification, Figma does not process your credit card information, but instead uses a third party, Stripe.
Figma Discloses to the following Categories of Third Parties for a Business Purpose:
- Other users of Figma’s Services
- The public (as set forth in Section 5)
- Your organization and administrator
- Community creators
- Third-party platforms and services
- Internet service providers
- Data analytics providers
- Social networks
- Service providers
- Creators on Figma Community
Sales of Personal Information and Sharing of Personal Information for Cross-Context Behavioral Advertising under the CCPA
Under the CCPA, there is uncertainty regarding what may be (1) a “sale” of personal information and/or (2) “sharing” personal information for “cross-context behavioral advertising.” For example, it is unclear whether or not a Figma’s use of retargeting pixels or third party cookies (in either case, which you can opt out of) on its website is a “sale” of personal information.
To the extent Figma’s processing of personal information is considered “selling” or “sharing”, we “sell” and “share” your personal information to provide you with “cross-context behavioral advertising” about Figma’s products and services.
To the extent Figma’s processing of personal information is considered “selling” or “sharing”, below is a list of the categories of personal information Figma has “sold” or “shared” for “cross-context behavioral advertising” in the last twelve months:
· Identifiers disclosed to advertising networks.
· Internet or other electronic network activity disclosed to advertising networks.
· Inferences drawn from other personal information to create a profile about a consumer disclosed to advertising networks.
Additional Disclosures for California Residents
Notice of Right to Opt-Out of “Sale” of Personal Information and/or “Sharing” for “Cross-Context Behavioral Advertising”. California residents have the right to opt out of the “sale” of personal information and the “sharing” of personal information for “cross-context behavioral advertising.” To the extent Figma’s processing of personal information is considered “selling” or “sharing”, California residents may exercise these rights by clicking on the “Manage Cookies” link in the footer of figma.com (users may need to log out of their Figma account to access the footer) and following the instructions on that page.
Disclosure Regarding Individuals Under the Age of 16. Figma does not have actual knowledge of any “sale” of personal information of minors under 16 years of age. Figma does not have actual knowledge of any “sharing” of personal information of minors under 16 years of age for “cross-context behavioral advertising.”
Disclosure Regarding Sensitive Personal Information. Figma only uses and discloses sensitive personal information for the following purposes:
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
- To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at Figma and to prosecute those responsible for those actions.
- To ensure the physical safety of natural persons.
- For purposes that do not infer characteristics about individuals.
- Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
- Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth below.
Verification. To protect your privacy, we will take steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include asking you to log in to your account or verify your email address.
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth below. We will process such requests in accordance with applicable laws.
14. SUPPLEMENTAL NOTICE FOR NEVADA RESIDENTS
If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information. You can exercise your right by contacting us as described below with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. As defined by Nevada Revised Statutes Chapter 603A, we do not currently sell personal information of Nevada residents.
15. CHILDREN’S INFORMATION
The Services are not directed to children under 13 (or other age as required by local law - please see Section 3, in many jurisdictions, including California and the EU, the Services may not be used by anyone under 16), and, except for limited circumstances set forth below, we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth below. If we learn that we have collected a child’s personal information in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account, or, if appropriate and possible, seek written consent from such child’s guardian.
Although our Services are designed for a general audience, in some cases students in the United States under the age of thirteen may use the Services pursuant to an agreement we have with the student’s educational institution. For more details regarding our processing of personal information that we collect from children, please see our Supplemental Privacy Policy for Children attached hereto as Exhibit A.
16. SUPERVISORY AUTHORITY
If you are located in the European Economic Area, the UK or Canada, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.
17. CHANGES TO OUR PRIVACY POLICY
We may revise this Privacy Policy from time to time at our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. The date that this Privacy Policy was last updated appears at the top of this page.
18. CONTACT US
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to submit a request to exercise your rights as detailed in this Privacy Policy, please contact us at:
Figma, Inc.
760 Market St, Floor 10
San Francisco, CA 94102
Email: support@figma.com
If you are from the United Kingdom or the European Economic Area, you may also contact our Data Protection Officer at FigmaDPO@Fieldfisher.com.
UK GDPR Representative: Figma UK Ltd., with registered address Suite 2, First Floor, Templeback, 10 Temple Back, Bristol, BS1 6FL
EU GDPR Representative: Figma GmbH, with registered address Kurfürstendamm 15, 10719 Berlin
Exhibit A – Supplemental Privacy Policy for Children
This Supplemental Privacy Policy for Children governs Figma’s collection, use and disclosure of personal information from children under the age of thirteen in the United States who are students of Figma’s educational institution customers (each a “Child” and collectively “Children”). This Supplemental Privacy Policy for Children supplements Figma’s Privacy Policy to notify parents, guardians, schools, and/or school districts (each a “Responsible Parent”) of:
- The types of personal information Figma may collect from Children;
- How Figma uses the personal information it collects from Children;
- Figma’s practices for disclosing that Child’s personal information; and
- How a Responsible Parent may request access, modification, and deletion of the Children’s personal information Figma has collected.
If a school or school district has contracted with Figma to provide the services to students at its school (the “Services”), Figma relies on the school and/or school district to provide consent on behalf of each Child’s parent or guardian after providing this notice to, and obtaining verifiable consent from such Child’s parent or guardian to Figma’s collection, use, and disclosure of Children’s personal information as set forth in this Supplemental Privacy Policy for Children. If any provisions in this Supplemental Privacy Policy for Children conflict with the Privacy Policy, this Supplemental Privacy Policy for Children controls.
Personal Information Figma Collects from Children
Figma only collects personal information from a Child in connection with the creation or administration of the Child’s account or when the Child uses the Services in connection with their account.
Personal information that Figma collects in connection with the creation or administration of a Child’s account may include the Child’s first and last name, email address, IP address, photograph (if uploaded by Child for profile), phone number if two-factor authentication is enabled, job title, and educational records or details (including those provided by a school and/or school district). In addition, if a Child communicates with Figma for support or other purposes, Figma may collect personal information from the Child.
Figma may collect certain personal information from Children automatically when they use our Services, such as Internet protocol (IP) address, user settings, cookie identifiers, mobile advertising and other unique identifiers, browser or device information, and Internet service provider. Figma may also automatically collect personal information regarding a Child’s use of our Services, such as analytics about a Child’s use of the Services, personal information contained in any content a Child generates using our Services, details about the Child’s files created on our Services, pages that a Child visits before, during and after using our Services, information about the links a Child clicks, the types of content a Child interacts with, the frequency and duration of a Child’s activities, and other information about how a Child uses our Services.
How Figma Uses Children’s Personal Information
Figma only uses personal information collected from Children to provide the Services.
Figma’s Practices for Disclosing Children’s Personal Information
Figma may disclose a Child’s personal information:
- To the general public. Content can be made publicly available by a Child or others collaborating on it, and in such cases any information about a Child included in such content is also publicly available and can be indexed by search engines. A Child can check at any time whether particular content is public or private by viewing the content’s settings. In addition, in connection with a Child’s posting of content on Figma Community, Figma will publicly share the Child’s picture, name, user handle, and other online handle(s) (to the extent a Child has provided us with this information).
- To other users of the Services that a Child shares or interacts with.
- To the teacher, school, and/or school district on whose behalf the Child uses the Services.
- To service providers Figma uses to provide the Services.
- If Figma is required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request.
- If Figma believes the disclosure is necessary or appropriate to protect the rights, property, or safety of Figma, its customers or others, including to:
- To law enforcement agencies or for an investigation related to public safety.
In addition, if Figma is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Figma’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding or event, Figma may transfer the Children’s personal information it has collected or maintain to the buyer or other successor.
Third-Party Operators
Our list of third-party operators that collect personal information from Children on our Services can be found at: https://www.figma.com/sub-processors/.
Parental Choices and Controls
At any time, a Responsible Parent may use the Services to review a Child's personal information, or request that Figma correct or delete a Child’s personal information, refuse to permit Figma from further collecting or using a Child’s personal information, and/or object to the disclosure of a Child’s personal information by emailing legal@figma.com. Please note that a request to delete records, or an objection to disclosure outlined above, may require termination of an account and/or the Services.
Figma may require that Responsible Parent take certain steps or provide additional information to verify its identity before Figma provides, corrects, or deletes any information.