Figma Privacy Policy — Figma

8 Total

1 High severity

5 Medium severity

2 Low severity

Summary

This is Figma's Privacy Policy, explaining what personal information Figma collects when you use its design tools — including your account details, usage behavior, design file content, communications, and device information — and how it uses and shares that data. The most important thing to know is that Figma may use the content of your designs and files to train and improve its AI features, which could affect the confidentiality of sensitive creative work you store on the platform. If you are a California resident, an EU/UK user, or a Canadian user, you can exercise specific rights including data deletion and objection to certain processing by contacting Figma at privacy@figma.com.

Technical Summary

This document is Figma's Privacy Policy governing the collection, use, disclosure, and retention of personal data by Figma, Inc. in connection with its design, prototyping, and collaboration platform services, relying on legal bases including consent, contractual necessity, and legitimate interests under applicable law. Figma's most significant obligations include providing data subject rights (access, deletion, portability, correction, objection) and disclosing data to a broad range of third-party service providers, advertising partners, analytics vendors, and business transaction counterparties. A notable provision permits Figma to use content submitted to its services — including designs, files, and user-generated content — to train and improve AI/ML features, which may not be apparent to enterprise customers and raises IP and confidentiality concerns beyond standard SaaS data practices. The policy engages GDPR (with Figma's Irish entity as EU data controller), CCPA/CPRA for California residents, UK GDPR, and Canadian privacy law (PIPEDA), with cross-border data transfer mechanisms including SCCs and DPF certification referenced. Material compliance considerations include the breadth of advertising and analytics data sharing, the AI training use of user content, and the requirement for enterprise customers to assess whether their employee and client data processed through Figma is adequately covered by their own DPAs with Figma.

Institutional Analysis

REGULATORY EXPOSURE: This policy engages GDPR (EU) 2016/679 Arts. 6, 13, 17, 20 and 21 — with Figma Ireland Limited as EU controller — as well as UK GDPR, CCPA §1798.100 et seq. and CPRA amendments, PIPEDA (Canada), and implicates FTC Act Section 5 regarding unfair or deceptive data practices. Cros…

🔒

Compliance intelligence locked

Regulatory exposure, material risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Evidence Provenance

Captured March 31, 2026 06:04 UTC

Document ID CA-D-000206

Version ID CA-V-000396

Source URL https://www.figma.com/legal/privacy/

Wayback Machine View archived versions →

SHA-256 e1a2f7a15f19aa29e7fc89b1f208a7831dd29e05307be27791e5eec87e09f9f9

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Change Timeline

March 31, 2026 — Document updated medium

Figma updated their Privacy Policy on March 31, 2026, making two notable changes. First, the primary contact email for privacy-related requests changed from support@figma.com to privacy@figma.com, and the Data Protection Officer contact for UK and EEA users changed from FigmaDPO@Fieldfisher.com (an external law firm) to privacy@figma.com (an in-house address). Second, some navigation links in the policy were reorganized, including the removal of a Candidate Privacy Notice link and updates to the document version history reflecting the new March 30, 2026 effective date.

· 2 removed · 4 modified
View changes → View record →
e1a2f7a1…
March 19, 2026 — Initial capture

First snapshot archived

72a0872f…

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 31, 2026

medium

What changed Figma updated their Figma Privacy Policy on March 31, 2026. Change detected: 2 sentence(s) removed, 4 sentence(s) modified. Document contained 330 sentences after update.

Consumer impact Figma has updated the contact email for privacy questions and data rights requests from support@figma.com to privacy@figma.com. For users in the UK and European Economic Area, the Data Protection Officer contact has also changed from an external law firm address (FigmaDPO@Fieldfisher.com) to the same in-house address (privacy@figma.com). If you have previously saved or bookmarked Figma's privacy contact details, you should update them to privacy@figma.com.

Why it matters The shift from an external law firm DPO contact to a generic internal email address may affect how EU and UK users can exercise GDPR data rights and reach a designated DPO, which is a regulated transparency requirement. Organizations relying on Figma's documented DPO contact for their own compliance records must update those records.

High Severity — 1 provision

AI/ML Training Use of User Content
Figma states that it may use the content you upload to its platform — including design files and other materials — to train, develop, and improve its AI and machine learning features and products.

Added April 1, 2026

Medium Severity — 5 provisions

Third-Party Advertising and Analytics Data Sharing
Figma shares your personal data — including behavioral data, device identifiers, and usage information — with advertising partners and analytics providers such as Google and Meta to serve targeted advertisements and analyze platform performance.

Added April 1, 2026
Cross-Border Data Transfers
Figma transfers personal data internationally — including from the EU, UK, and Canada to the United States — using mechanisms such as Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework to make those transfers lawful.

Added April 1, 2026
Data Subject Rights (Access, Deletion, Portability, Objection)
Figma grants users in the EU, UK, California, and Canada specific rights over their personal data, including the right to access, delete, correct, or export their data, and to object to or restrict certain types of processing.

Added April 1, 2026
Cookies and Tracking Technologies
Figma uses cookies, pixel tags, and similar tracking technologies to collect data about your browsing behavior, device, and interactions with its services, and shares some of this data with advertising and analytics partners.

Added April 1, 2026
Children's Data and Age Restrictions
Figma's services are not directed at children under 16 (or under 13 in the US), and Figma states it does not knowingly collect personal information from children below the applicable age threshold.

Added April 1, 2026

Low Severity — 2 provisions

Data Retention Policy
Figma retains your personal data for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce its agreements, without specifying fixed maximum retention periods for most data categories.

Added April 1, 2026
Business Transaction Disclosure
In the event of a merger, acquisition, asset sale, or similar corporate transaction, Figma may transfer your personal data to the acquiring company as part of the transaction.

Added April 1, 2026