Legal

Privacy Policy

Last updated: 20 March 2026

Who we are

Zephyr is a design critique tool that integrates with Figma, operated by Studio Sintez Ltd. ("we", "us", "our"). We are the data controller for the personal data described in this policy. We operate at zephyr.design.

Zephyr is not made by, affiliated with, or endorsed by Figma. We are solely responsible for the privacy, security, and integrity of any data we receive from Figma or from you through the service.

We do not sell, rent, or trade your personal data to third parties.

For any privacy-related questions, contact us at hello@zephyr.design.

What data we collect

Waitlist phase:

Your email address, submitted when you join the waitlist. Retained until you unsubscribe or request deletion.

Beta and beyond:

Figma account data — your name, email address, Figma user ID and handle, obtained via Figma OAuth during setup. Retained while your account is active and removed when you disconnect your team or delete your account.
Comment data — the text and location of the Figma comment that triggers Zephyr, along with event metadata (file key, comment ID, timestamp). Comment text is used transiently during processing and is not stored in our database. Only sanitised event metadata is retained (see Webhook data below).
Design frame images — a rendered PNG image of the specific frame or component where your comment is attached, exported from Figma's API. We do not export or access your entire file. More information available in the Design Image Lifecycle section.
Webhook event metadata — when you connect a team, Zephyr registers a webhook with Figma to listen for new comment events in your team's files. When a comment is posted, Figma sends Zephyr a notification containing the event type, file key, comment ID, team ID, and comment text. Zephyr only processes events that mention @Zephyr — all others are discarded.
Usage analytics — basic, cookieless analytics to help us improve the service (see Cookies and analytics below).

Why we collect it

To operate the waitlist and send your beta invite.
To provide the Zephyr feedback service — analysing your designs and delivering critique via Figma comments.
To maintain and troubleshoot your team's connection to Figma (webhook management, OAuth lifecycle).
To communicate important product updates.

Lawful basis for processing (GDPR)

We process your data under the following lawful bases:

Contract performance — connecting your Figma account via OAuth, processing your design data, managing webhooks, and delivering AI-generated feedback. This processing is necessary to provide the service you signed up for.
Legitimate interest — operational logging, security monitoring, and service reliability. We balance these interests against your privacy rights and limit processing to what is strictly necessary.
Consent — waitlist signup, marketing communications, and optional analytics. You may withdraw consent at any time by unsubscribing or contacting us.

How we process your design data

When you tag @Zephyr in a Figma comment, the following happens:

Figma sends a webhook event to Zephyr. The event contains metadata about the comment (file key, comment ID, team ID) and the comment text.
Zephyr reads the comment and identifies the frame or component it's attached to.
A PNG image of that specific frame is exported via Figma's API. Only the relevant frame is exported — not your entire file or project.
The frame image and your comment text are sent to our AI provider (see below) to generate design feedback.
The AI response is posted back to Figma as a reply to your comment.

Design image lifecycle

Design images follow a strict transient-only policy:

Trigger: An image export is only triggered when you explicitly tag @Zephyr in a Figma comment. Zephyr never proactively scans or exports your files.
Scope: Only the specific frame or component attached to your comment is exported — nothing else.
Processing: The image is held in server memory only for the duration of processing (typically a few seconds). It is passed directly to the AI provider as an encoded data payload.
Storage: Images are never written to disk, stored in a database, or served via a public URL. They exist only in memory during the processing pipeline.
After processing: The image data is discarded from memory when processing completes. No copy is retained by Zephyr.

AI provider and LLM data pipeline

Zephyr uses OpenAI to generate design feedback. When you tag @Zephyr, the following data is sent to OpenAI's API:

Your comment text (the message you wrote in Figma).
A rendered PNG image of the design frame your comment is attached to.
The approximate location of your comment on the frame (x/y coordinates).

This data is sent via OpenAI's API for the sole purpose of generating a design critique response. Key facts about how OpenAI handles this data:

OpenAI does not use data submitted via their API to train or improve their models.
API inputs and outputs are retained by OpenAI for up to 30 days for abuse and misuse monitoring, then deleted. Zephyr cannot request early deletion of data during this retention period.
For full details, see OpenAI's API Data Usage Policies ↗ and their Data Processing Addendum ↗.

No other AI or LLM provider receives your data. If we change providers in the future, we will update this policy and notify you before the change takes effect.

Webhook data

When you connect a Figma team to Zephyr, we register a webhook with Figma. This webhook notifies Zephyr when new comments are posted in your team's files. Here is how webhook data is handled:

What Figma sends: Webhook payloads include the event type, file key, comment ID, comment text, commenter information, and team ID.
Filtering: Zephyr only processes comment events that explicitly mention @Zephyr. All other events are acknowledged and discarded.
Sanitisation: Sensitive fields are stripped from payloads before any data is logged or stored.
Storage: Sanitised event metadata (event type, file key, comment ID, timestamp) is stored in our database for operational reliability. Full comment text is not stored after processing.
Deletion: When you disconnect a team, the webhook is deleted from Figma and associated event records are removed.

Third-party services

Platform you connect to:

Figma (San Francisco, US) — the design platform you already use. Zephyr accesses Figma's API using OAuth tokens you grant to read comments, export frame images, and post replies. Your relationship with Figma is governed by Figma's own terms and privacy policy. Figma is not a sub-processor of Zephyr.
Figma privacy policy ↗.

Sub-processors (services that process data on our behalf):

OpenAI (San Francisco, US) — AI provider. Receives comment text and design frame images to generate feedback. Data retained up to 30 days for abuse monitoring.
Data usage policy ↗.
Render (San Francisco, US) — Cloud hosting and managed database. Hosts the Zephyr API, database, and automation services.
Privacy policy ↗.
Firebase Authentication (Google Cloud, US) — User authentication. Handles sign-in and session tokens.
Privacy policy ↗.
PostHog (EU-hosted) — Cookieless product analytics. Collects anonymous usage data to help us improve the service. No personal identifiers are sent.
Privacy policy ↗.

Data storage and security

Your Figma OAuth credentials (access and refresh tokens) are encrypted at rest using AES-256-GCM with unique initialisation vectors. Webhook verification secrets are also encrypted at rest using the same scheme.

Your design files are not copied or stored by Zephyr. Frame images are processed entirely in memory and never written to disk or permanent storage. We do not build a database of your design work.

We limit access to personal data to only what is necessary to operate the service. All connections to external APIs (Figma, OpenAI) use TLS encryption in transit.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Articles 33–34.

International data transfers

Zephyr is operated from the EU. However, some of our sub-processors (OpenAI, Figma, Render, Firebase) are based in the United States. Personal data transferred to the US is protected by:

The EU-US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023), where the provider is certified.
Standard Contractual Clauses (SCCs) as approved by the European Commission (June 2021), incorporated into Data Processing Agreements with our sub-processors.

We verify the transfer mechanisms of our sub-processors and will update this policy if they change. If you have questions about specific transfer safeguards, contact us at hello@zephyr.design.

Your rights (GDPR)

If you are in the European Economic Area (EEA), you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data ("right to be forgotten").
Portability — request a machine-readable copy of your data.
Restriction — request that we limit processing of your data in certain circumstances.
Objection — object to processing based on legitimate interest.
Withdraw consent — at any time, by disconnecting your team or contacting us.
Lodge a complaint — with your local data protection supervisory authority.

To exercise any of these rights, email hello@zephyr.design. We will respond within 30 days.

Automated decision-making

Zephyr uses AI (via OpenAI) to generate design feedback in response to your comments. This processing is automated but advisory only — it does not produce legal effects or similarly significant decisions concerning you. You are free to disregard the feedback at any time.

Cookies

The waitlist landing page does not use cookies. The beta application uses strictly necessary cookies to maintain your login session. We do not use tracking or advertising cookies. Our analytics provider (PostHog) operates in cookieless mode.

Changes to this policy

We may update this policy from time to time. If we make significant changes — particularly to how we process your design data or which AI providers we use — we will notify you by email or with a prominent notice on the website before the changes take effect. Where changes affect processing based on consent, we will seek fresh consent before applying them.

Children and age restriction

Zephyr is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@zephyr.design and we will delete it promptly.

Contact

Questions about this policy? Reach us at hello@zephyr.design.