If you are in the EU, UK, or Switzerland, Figma processes your data under GDPR and provides you with rights to access, correct, delete, or export your personal data.
This analysis describes what Figma's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU, UK, and Swiss users have meaningful legal rights over their personal data under GDPR, including the ability to request deletion or a copy of their data, and Figma is required to respond to such requests within regulatory timeframes.
EU, UK, and Swiss users can exercise GDPR rights including data access, correction, deletion, and portability by contacting Figma's Data Protection Officer or using the in-product privacy tools. These rights are legally enforceable and Figma is obligated to respond.
How other platforms handle this
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete your personal data, the right to object to or restrict processing, and the right to data portability. You may also ...
If you are located in the EEA or UK, you may have the following rights under applicable data protection law: the right to access your personal data; the right to rectify inaccurate personal data; the right to erasure of your personal data; the right to restrict processing of your personal data; the ...
Monitoring
Figma has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, we collect and process your personal information on the following legal bases: Performance of a contract, Legitimate interests, Compliance with legal obligations, and Consent. You have certain rights with respect to your personal information, including the right to access, correct, delete, restrict processing, data portability, and to object to processing.— Excerpt from Figma's Figma Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR and UK GDPR, with enforcement authority resting with EU member state data protection authorities and the UK Information Commissioner's Office. The reliance on legitimate interests as a legal basis for certain processing activities, including potentially AI training and marketing, may be subject to challenge if the balancing test required under GDPR is not adequately documented. Data subject rights requests must be fulfilled within one month under GDPR, extendable by two additional months in complex cases. GOVERNANCE EXPOSURE: Medium. The policy asserts GDPR compliance and lists applicable legal bases but does not provide a granular mapping of each processing activity to its specific legal basis in the public-facing document. Regulators and auditors may expect more detailed documentation, particularly for AI-related processing. JURISDICTION FLAGS: EU and EEA users, UK users, and Swiss users are explicitly covered. The policy's assertion that Standard Contractual Clauses govern data transfers to the US should be verified against current regulatory guidance, as post-Schrems II transfer impact assessments may be required. Swiss Federal Act on Data Protection requirements may diverge from GDPR in specific respects and should be independently evaluated. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers acting as data controllers when using Figma as a data processor should ensure that a Data Processing Agreement is in place that reflects the legal bases and sub-processor arrangements described in this policy. The DPO contact information provided in the policy should be recorded in vendor management systems for rights request escalation. COMPLIANCE CONSIDERATIONS: Organizations should verify that Figma's data subject rights request process is operationally functional and test response timelines. Internal procedures for forwarding data subject requests received by the organization to Figma as a processor should be documented. Transfer impact assessments for US-based processing should be reviewed and updated as regulatory guidance evolves.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU, UK, and Swiss users have meaningful legal rights over their personal data under GDPR, including the ability to request deletion or a copy of their data, and Figma is required to respond to such requests within regulatory timeframes.
EU, UK, and Swiss users can exercise GDPR rights including data access, correction, deletion, and portability by contacting Figma's Data Protection Officer or using the in-product privacy tools. These rights are legally enforceable and Figma is obligated to respond.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Figma.