Privacy Policy
Last updated: 2026-04-21 · Effective: 2026-04-21
1. Who we are
Generato is operated by Eutin Warren Pvt. Ltd., a private limited company incorporated in India ("Eutin Warren", "we", "us", "our"). The Generato service comprises the Figma Community plugin ("Plugin"), the hosted web application at studio.generato.app ("Web App"), and the marketing site at generato.app (collectively, the "Service"). This policy describes what personal data we collect, why we collect it, and your rights over it. Indian users: this policy is also intended to meet the notice requirements of the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. What we collect and why
2.1 Data you provide
- Email address — used as the unique identifier for billing and entitlement. Collected when you complete a Pro/Team checkout or when your Google OAuth sign-in returns an email we store for the entitlement lookup.
- Billing details (name, payment method, billing address) — collected by Stripe on our behalf. We never see or store your full card number. We retain Stripe customer + subscription IDs to map your entitlement.
- API keys you paste — Anthropic, OpenAI, Gemini, etc. These live only in Figma's per-user encrypted storage on your machine. We never receive them.
- Google OAuth refresh token — when you connect a private Google Sheet. Stored only in Figma's per-user encrypted storage on your machine. Our server sees the token briefly during a token-exchange call; it's not logged or persisted.
2.2 Data the Plugin sends to third parties you choose
- When you use AI features, compact layer snapshots (names, types, text, positions) of the frame you select are sent directly to the AI provider you've configured (Anthropic / OpenAI / OpenRouter / Gemini / DeepSeek / xAI / Moonshot / zAi). These requests do not pass through our servers.
- When you connect a Google Sheet, row data is fetched from Google's Sheets API directly to the plugin. We do not receive this data.
2.3 Data we do not collect
- We do not embed analytics or telemetry SDKs in the Plugin.
- We do not have access to the contents of your Figma files beyond what the Plugin actively reads for generation, which stays on your machine.
- We do not sell data to anyone.
3. How we use your data
- To determine your tier and let the Plugin enable the features you've paid for.
- To bill you (via Stripe) and send receipts / payment failure notices.
- To respond to support requests you initiate.
- To investigate and remediate abuse, fraud, or security incidents.
4. Sub-processors and third parties
- Stripe, Inc. — payment processing. Governed by Stripe's own privacy policy.
- Railway Corp. — hosts the CMS / Web App infrastructure.
- Cloudflare, Inc. — CDN + Pages hosting for the marketing site; edge TLS and DNS for our subdomains.
- Figma, Inc. — hosts the Plugin and stores your API keys + OAuth tokens in its per-user encrypted plugin storage (figma.clientStorage).
- Google LLC — via the user-authorized OAuth flow, for reading Google Sheets when you choose to connect.
We share only what each sub-processor needs to perform its function. We do not share personal data with advertisers or data brokers.
5. Where your data lives
Web App data is stored on Railway infrastructure (region: Europe West 4, as of the date of this policy). Stripe processes payment data under its own infrastructure, primarily in the United States. Your API keys and OAuth tokens remain on your machine, within Figma's per-plugin encrypted storage.
6. Retention
- Entitlement records — retained while your subscription is active plus 24 months thereafter for accounting, tax, and dispute purposes.
- Stripe-side data — retained per Stripe's retention policy.
- Credentials on your machine — retained until you click Disconnect in the Plugin or clear Figma's plugin storage.
7. Your rights
Depending on your jurisdiction (India DPDP Act, GDPR/EEA, UK, California CCPA, etc.), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict processing. Indian users additionally have the right to nominate another individual to exercise these rights in the event of death or incapacity. To exercise any of these, email [email protected]. We will respond within 30 days.
You can also:
- Revoke Generato's access to your Google account at any time at myaccount.google.com/permissions.
- Cancel your Pro or Team subscription from the Plugin's AI tab → Manage billing (Stripe customer portal).
- Uninstall the Plugin from Figma, which purges your locally-stored credentials.
8. Security
Credentials are stored in Figma's per-user, per-plugin encrypted storage. Server-held secrets (Google OAuth client secret, Stripe secret key) live only as Railway environment variables, encrypted at rest and injected at runtime. TLS 1.2+ is enforced for every network request.
We operate the minimum-viable stateful surface: no user database for the plugin itself, stateless OAuth relay, no analytics SDKs. This reduces the blast radius of any incident.
9. Children
Generato is not directed at children under 16 and is not intended for use by them. We do not knowingly collect data from children.
10. Changes to this policy
We may update this policy to reflect product or legal changes. The "Last updated" date at the top reflects the most recent revision. For material changes, we'll email registered users (Pro/Team) at the address on file.
11. Contact
Email [email protected] for privacy questions or data requests.