What are the institutional and regulatory implications of this document?

REGULATORY EXPOSURE: This policy engages GDPR (EU) 2016/679 Arts. 6, 13, 17, 20 and 21 — with Figma Ireland Limited as EU controller — as well as UK GDPR, CCPA §1798.100 et seq. and CPRA amendments, PIPEDA (Canada), and implicates FTC Act Section 5 regarding unfair or deceptive data practices. Cross-border transfer mechanisms include EU-U.S. Data Privacy Framework, UK Extension, and Standard Contractual Clauses. Enforcement authorities include the Irish Data Protection Commission (lead EU super…

How does Figma's Figma Privacy Policy affect users?

Figma collects a wide range of personal and behavioral data including account information, design file content, usage patterns, device identifiers, and communications, and shares this with advertising partners, analytics providers, and potential business acquirers. A particularly significant impact is Figma's ability to use content you upload — including design files — to develop and improve AI and machine learning features, which may affect users who store proprietary or sensitive creative wor…

How often is Figma's Figma Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Figma updates this document?

Yes. Watcher subscribers ($9.99/month) can add Figma to their watchlist and receive same-day email alerts whenever this document or any other Figma document changes.

Figma Privacy Policy — Figma

8 Total

1 High severity

5 Medium severity

2 Low severity

Summary

This is Figma's Privacy Policy, explaining what personal information Figma collects when you use its design tools — including your account details, usage behavior, design file content, communications, and device information — and how it uses and shares that data. The most important thing to know is that Figma may use the content of your designs and files to train and improve its AI features, which could affect the confidentiality of sensitive creative work you store on the platform. If you are a California resident, an EU/UK user, or a Canadian user, you can exercise specific rights including data deletion and objection to certain processing by contacting Figma at privacy@figma.com.

Technical Summary

This document is Figma's Privacy Policy governing the collection, use, disclosure, and retention of personal data by Figma, Inc. in connection with its design, prototyping, and collaboration platform services, relying on legal bases including consent, contractual necessity, and legitimate interests under applicable law. Figma's most significant obligations include providing data subject rights (access, deletion, portability, correction, objection) and disclosing data to a broad range of third-party service providers, advertising partners, analytics vendors, and business transaction counterparties. A notable provision permits Figma to use content submitted to its services — including designs, files, and user-generated content — to train and improve AI/ML features, which may not be apparent to enterprise customers and raises IP and confidentiality concerns beyond standard SaaS data practices. The policy engages GDPR (with Figma's Irish entity as EU data controller), CCPA/CPRA for California residents, UK GDPR, and Canadian privacy law (PIPEDA), with cross-border data transfer mechanisms including SCCs and DPF certification referenced. Material compliance considerations include the breadth of advertising and analytics data sharing, the AI training use of user content, and the requirement for enterprise customers to assess whether their employee and client data processed through Figma is adequately covered by their own DPAs with Figma.

Evidence Provenance

Captured April 19, 2026 06:16 UTC

Document ID CA-D-000206

Version ID CA-V-000742

Source URL https://www.figma.com/legal/privacy/

Wayback Machine View archived versions →

SHA-256 058c63680da2853d71c00961c452a8f133cdf997252f2de34a83e6b46de510ab

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

March 31, 2026 — Document updated low

Figma updated its Privacy Policy on March 31, 2026, with the most notable change being to its contact email addresses. Previously, users were directed to email support@figma.com for privacy inquiries and FigmaDPO@Fieldfisher.com to reach the Data Protection Officer; both have now been replaced with privacy@figma.com. Additionally, some navigation links in the document were reorganized, including the removal of the Candidate Privacy Notice link and the addition of a version history display.

· 2 removed · 4 modified
View diff → View full record →
e1a2f7a1…
March 19, 2026 — Initial capture

Initial snapshot — monitoring begins

72a0872f…

View full version history (0 captures) →

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 31, 2026

low

What changed Figma updated their Figma Privacy Policy on March 31, 2026. Change detected: 2 sentence(s) removed, 4 sentence(s) modified. Document contained 330 sentences after update.

Consumer impact Figma has consolidated its privacy contact points into a single email address, privacy@figma.com, replacing the previous support email and the separate third-party Data Protection Officer address. For EU and UK users, this means the DPO is no longer hosted externally at Fieldfisher and is now reached through Figma's own domain. You can update any saved contact information and direct privacy requests or DPO inquiries to privacy@figma.com going forward.

Why it matters EU and UK users who need to contact Figma's Data Protection Officer — for example to exercise GDPR rights — now have a different address, and it is unclear whether the DPO role remains independently held as required by law. Using the old contact addresses may result in unanswered requests.

Recent Clause-Level Changes Mar 31, 2026

8 provisions unchanged.

View full change record →

High Severity — 1 provision

AI/ML Training Use of User Content

Figma states that it may use the content you upload to its platform — including design files and other materials — to train, develop, and improve its AI and machine learning features and products.

Added April 1, 2026

Medium Severity — 5 provisions

Third-Party Advertising and Analytics Data Sharing

Figma shares your personal data — including behavioral data, device identifiers, and usage information — with advertising partners and analytics providers such as Google and Meta to serve targeted advertisements and analyze platform performance.

Added April 1, 2026
Cross-Border Data Transfers

Figma transfers personal data internationally — including from the EU, UK, and Canada to the United States — using mechanisms such as Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework to make those transfers lawful.

Added April 1, 2026
Data Subject Rights (Access, Deletion, Portability, Objection)

Figma grants users in the EU, UK, California, and Canada specific rights over their personal data, including the right to access, delete, correct, or export their data, and to object to or restrict certain types of processing.

Added April 1, 2026
Cookies and Tracking Technologies

Figma uses cookies, pixel tags, and similar tracking technologies to collect data about your browsing behavior, device, and interactions with its services, and shares some of this data with advertising and analytics partners.

Added April 1, 2026
Children's Data and Age Restrictions

Figma's services are not directed at children under 16 (or under 13 in the US), and Figma states it does not knowingly collect personal information from children below the applicable age threshold.

Added April 1, 2026

Low Severity — 2 provisions

Data Retention Policy

Figma retains your personal data for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce its agreements, without specifying fixed maximum retention periods for most data categories.

Added April 1, 2026
Business Transaction Disclosure

In the event of a merger, acquisition, asset sale, or similar corporate transaction, Figma may transfer your personal data to the acquiring company as part of the transaction.

Added April 1, 2026