Privacy Policy

Last Updated: November 2025

This Privacy Policy describes how Okto Labs LLP ("we," "our," or "us"), a limited liability partnership registered in England and Wales (Company Number OC458551, registered office at Stoney Works, 8 Stoney Lane, London, United Kingdom SE19 3BD), collects, uses, stores, and protects your personal information when you use Pipeline, our Figma plugin service.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

1.1 Personal Information You Provide

When you use Pipeline, we may collect the following personal information:

Account Information:

  • Email address
  • Name (if provided)
  • Account credentials
  • Profile information

Payment Information:

  • Payment method details (processed by third-party payment processors)
  • Billing address
  • Transaction history

Communications:

  • Support inquiries and correspondence
  • Feedback and survey responses

1.2 Automatically Collected Information

Usage Data:

  • Workflow creation and execution data
  • Plugin interactions and feature usage
  • API call logs and statistics
  • Error logs and diagnostic information

Technical Data:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Time zone and locale settings
  • Figma version and environment

Cookies and Tracking Technologies:

  • Session cookies for authentication
  • Analytics cookies to understand usage patterns
  • Preference cookies to remember your settings

1.3 Figma Integration Data

Figma-Related Information:

  • Figma file access permissions
  • File metadata (names, IDs, structure)
  • Design data processed through workflows
  • Team and project information

We only access Figma data necessary to provide the Service and with your explicit authorization.

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Service Provision

  • Provide, operate, and maintain the Plugin
  • Execute workflows and automation tasks
  • Process API requests to Figma
  • Authenticate users and manage accounts

2.2 Service Improvement

  • Analyze usage patterns and trends
  • Identify and fix bugs and errors
  • Develop new features and functionality
  • Optimize performance and user experience

2.3 Communication

  • Send service-related notifications
  • Respond to support requests
  • Provide customer service
  • Send updates about new features (with your consent)
  • Deliver marketing communications (with your consent)

2.4 Security and Compliance

  • Detect and prevent fraud and abuse
  • Monitor for security threats
  • Enforce our Terms of Service
  • Comply with legal obligations

2.5 Analytics and Research

  • Understand how users interact with the Service
  • Conduct research and analysis
  • Generate aggregated, anonymized statistics

3. Data Storage and Security

3.1 Storage Infrastructure

Your data is stored using industry-leading cloud infrastructure with secure, redundant storage and encryption.

3.2 Security Measures

We implement comprehensive security measures to protect your data:

Encryption:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database connections

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Regular access audits

Monitoring:

  • 24/7 security monitoring
  • Automated threat detection
  • Regular security assessments and penetration testing

Data Backup:

  • Regular automated backups
  • Geographically distributed backup storage
  • Disaster recovery procedures

3.3 Security Limitations

While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4.2 Service Providers

We may share data with trusted third-party service providers who assist us in operating the Service:

Payment Processing:

  • Stripe for payment processing and subscription management
  • Stripe handles payment information directly and is PCI-DSS compliant

Analytics:

  • We use analytics services to understand usage patterns and improve the Service
  • Analytics data is typically aggregated and anonymized

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or legal processes
  • Government or regulatory requests
  • Protection of our rights, property, or safety
  • Investigation of fraud, security, or technical issues
  • Enforcement of our Terms of Service

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

4.5 Aggregated Data

We may share aggregated, anonymized data that does not identify you personally for research, marketing, or other purposes.

5. Your Privacy Rights

5.1 UK GDPR Rights

If you are in the UK or EEA, you have the following rights:

Right to Access: Request a copy of the personal data we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances.

Right to Restrict Processing: Request that we limit how we use your data.

Right to Data Portability: Receive your data in a structured, commonly used format.

Right to Object: Object to processing of your data for certain purposes.

Right to Withdraw Consent: Withdraw consent for processing where we rely on consent.

Right to Lodge a Complaint: File a complaint with the UK Information Commissioner's Office (ICO).

5.2 California Privacy Rights

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Right to Know: Request information about data collection and sharing.

Right to Delete: Request deletion of personal information.

Right to Opt-Out: Opt-out of the sale of personal information (note: we do not sell personal information).

Right to Non-Discrimination: Exercise privacy rights without discrimination.

5.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@pipeline.dev. We will respond to your request within 30 days.

You may need to verify your identity before we can process your request.

6. Data Retention

6.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide the Service.

6.2 Closed Accounts

After you close your account, we retain your data for 90 days to allow for account recovery. After 90 days, we permanently delete your account and associated data, except as required for:

  • Legal compliance and record-keeping
  • Fraud prevention and security
  • Backup retention periods (typically 30 additional days)

6.3 Workflow Data

Workflow data and executions are retained while your account is active. Deleted workflows are permanently removed after 30 days.

6.4 Legal and Compliance Data

We may retain certain information longer if required by law, for regulatory compliance, or to resolve disputes and enforce our agreements.

7. Cookies and Tracking Technologies

7.1 Types of Cookies

Essential Cookies: Required for the Service to function (authentication, security).

Analytics Cookies: Help us understand how users interact with the Service.

Preference Cookies: Remember your settings and preferences.

7.2 Cookie Management

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.

7.3 Third-Party Tracking

We may use third-party analytics services (e.g., Google Analytics, Plausible) that use cookies to collect usage data. These services have their own privacy policies.

8. Third-Party Services and Links

8.1 Figma Integration

Pipeline integrates with Figma, which has its own privacy policy. We are not responsible for Figma's data practices. Review Figma's privacy policy at https://www.figma.com/privacy/.

8.2 Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

8.3 Third-Party Features

If you use third-party features or integrations within Pipeline, those third parties may collect data about you. Their data practices are governed by their privacy policies.

9. International Data Transfers

9.1 Data Location

Your data may be processed and stored in the United Kingdom, European Economic Area, United States, or other countries where our service providers operate.

9.2 Transfer Safeguards

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Other legally approved transfer mechanisms

10. Children's Privacy

Pipeline is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.

If you become aware that a child under 13 has provided us with personal information, please contact us at privacy@pipeline.dev, and we will take steps to delete such information.

11. AI and Automated Processing

11.1 AI Features

Pipeline may use AI and machine learning for features such as workflow generation. When you use these features:

  • Your input prompts may be processed by AI services
  • We may use anonymized data to improve AI models
  • AI-generated outputs are provided "as is" without guarantees

11.2 Third-Party AI Services

We may use third-party AI services (e.g., OpenAI) that have their own privacy policies and data practices.

11.3 No Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

12. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

  • Material changes will be communicated via email or prominent notice within the Service
  • Continued use of the Service after changes constitutes acceptance
  • The "Last Updated" date at the top indicates when the policy was last revised

We encourage you to review this Privacy Policy periodically.

14. Contact Information

14.1 Data Controller

The data controller responsible for your personal information is:

Okto Labs LLP Stoney Works, 8 Stoney Lane London, United Kingdom SE19 3BD Company Number: OC458551

14.2 Privacy Inquiries

For privacy-related questions, requests, or concerns:

Email: privacy@pipeline.dev Support: support@pipeline.dev

14.3 Data Protection Officer

For significant data protection matters, you may contact our Data Protection Officer at: dpo@pipeline.dev

14.4 Supervisory Authority

If you are in the UK or EEA and have concerns about our data practices, you have the right to lodge a complaint with your local supervisory authority:

UK Information Commissioner's Office (ICO) Website: https://ico.org.uk Telephone: 0303 123 1113

15. Additional Information

15.1 Data Accuracy

We rely on you to provide accurate information. Please keep your account information up to date.

15.2 Security Incidents

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by law.

15.3 Account Security

You are responsible for maintaining the security of your account credentials. Please use a strong password and do not share your credentials with others.

By using Pipeline, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

If you do not agree with this Privacy Policy, please do not use the Service.