Privacy Policy

Last updated: March 17, 2026

1. Introduction

This Privacy Policy explains how Icon AI ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our website at iconai.design and our Figma plugin (collectively, "the Service").

By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

Information from Figma Authentication

When you sign in with Figma, we receive and store:

Figma User ID — A unique identifier for your Figma account (used as your account key).
Display Name — Your Figma profile name.
Email Address — Your Figma email (if available).
Profile Photo URL — A link to your Figma avatar image.

We do not store your Figma OAuth access token. It is used only during authentication to fetch your profile and is then discarded.

Information Generated Through Use

Generated Icons — The SVG data of icons you generate, along with the prompt, style, and model used.
Feedback — Ratings and optional messages you submit through the feedback form.
Usage Data — Token balance, plan type, and generation counts.

Technical Information

IP Address — Collected for rate limiting, security, and session management.
User Agent — Your browser or plugin identifier, collected for session records and debugging.
Session Data — A secure, hashed session token stored in an HTTP-only cookie. Sessions expire after 24 hours.

Information We Do NOT Collect

We do not use analytics or tracking scripts (no Google Analytics, no Meta Pixel, etc.).
We do not collect payment card details — all payments are processed by Polar (polar.sh).
We do not access your Figma files, designs, or any content beyond your public profile.

3. How We Use Your Information

Authentication — To verify your identity and maintain your session.
Service Delivery — To generate icons, track your token usage, and manage your subscription.
Public Library — Icons generated with "Public" visibility are displayed in the shared icon library (without associating your personal identity publicly).
Security — IP addresses are used for rate limiting and abuse prevention.
Logging — We maintain internal logs for debugging, security monitoring, and service improvement. Logs include action types, anonymized user IDs, and timestamps.
Communication — We do not send marketing emails. We may contact you at your Figma email address only for critical account-related matters.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Supabase. We use Row Level Security (RLS) policies and a service-role key to ensure data is only accessed through our authenticated API endpoints.

Session tokens are hashed (SHA-256) before storage — we never store raw session tokens.
Passwords (admin) are hashed with bcrypt.
All communications between your browser/plugin and our servers use HTTPS/TLS encryption.
We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Cookies

We use the following cookies:

Cookie	Purpose	Duration
session	Authentication — keeps you logged in	24 hours
oauth_state	CSRF protection during Figma login	10 minutes

Both cookies are HTTP-only and essential for the Service to function. We do not use any tracking, advertising, or analytics cookies. Because these are strictly necessary cookies, a cookie consent banner is not required under GDPR.

6. Third-Party Services

The Service integrates with the following third-party providers:

Figma — OAuth authentication and plugin platform. Figma Privacy Policy
Cloudflare — AI model hosting for icon generation. Cloudflare Privacy Policy
Polar — Payment processing for subscriptions and token purchases. Polar Privacy Policy
Supabase — Database hosting. Supabase Privacy Policy
Vercel — Web hosting and CDN. Vercel Privacy Policy

These providers may process data as described in their own privacy policies. We share only the minimum data necessary for each integration to function.

7. Your Rights (GDPR & CCPA)

You have the right to:

Access — Request a copy of the personal data we hold about you.
Rectification — Request correction of inaccurate data. Your name, email, and photo are synced from Figma on each login.
Deletion — Request deletion of your account and all associated data (icons, sessions, feedback, logs). We will process deletion requests within 30 days.
Data Portability — Request your data in a machine-readable format.
Objection — Object to processing of your data for specific purposes.
Restriction — Request that we limit processing of your data.

To exercise any of these rights, contact us through the feedback form in the Service or via our Figma plugin page. We will verify your identity before processing any request.

8. Data Retention

Account Data — Retained as long as your account is active.
Generated Icons — Retained as long as your account is active. Deleted when you request account deletion.
Sessions — Automatically expire after 24 hours. Expired sessions are periodically cleaned up.
Logs — Retained for up to 90 days for debugging and security, then deleted.
Feedback — Retained indefinitely for service improvement unless you request deletion.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.

10. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our hosting providers operate. We ensure appropriate safeguards are in place through our providers' data processing agreements and compliance with applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by posting the updated policy with a new "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out through our Figma plugin page or the feedback form within the Service.