Privacy Policy
Last updated 7 April 2026
I. Introduction
Welcome to Nullab Ltd (“Company”, “we”, “us”, or “our”). This Privacy Policy explains how we collect, use, store, and protect information when you visit https://nullab.io, or use our suite of digital products, web applications, and plugins, including the exporthub Figma plugin and its backend (collectively, the “Services”).
By using our Services, you agree to this Privacy Policy. As our studio grows and releases new products, this policy will apply to all tools provided by Nullab Ltd unless specified otherwise.
II. Information we collect
Depending on which of our Services you use, we may collect:
Account and authentication
- When you sign in to our Services via third-party providers like Google, we receive profile information such as your name and email address (and basic profile details like a profile picture URL) through standard OAuth flows.
- We store OAuth access and refresh tokens in encrypted form so our servers can call necessary APIs on your behalf.
Platform linking (e.g., Figma)
- For platform-specific tools like the exporthub plugin, we store your platform user identifier (e.g., your Figma user ID) to associate your active session with your Nullab user record.
Third-party integrations (e.g., Google Drive)
- When our tools integrate with third-party services (such as exporthub using Google Drive APIs), we only access data required to perform actions you initiate. For example, we use Google Drive APIs to upload files you export, support folder selection (including Google Picker), and create destination folders at your request.
Payments (if applicable)
- If we offer paid plans for any of our Services, payments are processed by third-party payment providers. We do not store full payment card numbers on our servers.
Technical and operational data
- We collect technical and diagnostic data needed to operate and secure our Services, such as browser or client information, platform-related context where available, error and performance data (for example via Sentry), structured logs, and rate-limiting metadata (for example request counts per user or IP) to protect our infrastructure.
III. Google API Services & user data
For any of our Services (including exporthub) that utilize Google APIs, our use of information received from Google APIs adheres strictly to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- We use Google account data and Drive access only to provide features you request (such as signing you in and uploading exports you initiate).
- We do not sell Google user data and we do not use it for third-party advertising or unrelated profiling.
IV. How we use your information
We use collected information to:
- Provide, operate, and maintain our studio website, plugins, and backend APIs.
- Authenticate you and maintain secure sessions across our ecosystem.
- Facilitate specific tool functions (like uploading files to Google Drive for connected accounts).
- Monitor reliability and security, enforce fair-use rate limits, and improve our products.
- Communicate with you about support or important Service changes.
- Comply with legal obligations.
V. Cookies, local storage, and similar technologies
- Web Services: We use cookies and similar mechanisms for sign-in (for example NextAuth session handling) so you can stay signed in on the web portions of our Services.
- Plugins: We use local storage mechanisms (such as Figma clientStorage) to keep your session token, preferences, and settings on your device so the tools can function between sessions.
You can clear plugin-side storage by signing out within the specific plugin; web cookies can be cleared through your browser or by signing out of the web session.
VI. Sharing of information
We do not sell your personal data. We may share information with:
- Infrastructure and service providers required to run the Services (for example hosting such as Vercel, database hosting such as MongoDB Atlas, and error monitoring such as Sentry), under strict confidentiality expectations.
- Third-party platforms (like Google), strictly as needed for the integrations you choose to use.
- Legal or regulatory authorities when required by law or to protect our rights, users, or the security of the Services.
VII. Data retention and security
- Encryption: OAuth tokens are stored encrypted at rest using AES-256-GCM. Traffic between our tools, servers, and third parties uses HTTPS.
- Retention: We retain account and token data while your account is in use and integrations are connected. If you disconnect a linked account (like Google) through our tools, we remove the associated stored OAuth credentials from our database.
- Security: We use commercially reasonable safeguards. However, no method of transmission or storage is 100% secure.
VIII. Your rights and revoking access
Depending on your location, you may have rights to access, correct, delete, or object to certain processing of your personal data. To exercise those rights, contact us at support@nullab.io.
- Google integrations: You can review and revoke Nullab’s access to your Google account at https://myaccount.google.com/permissions. Revoking access may limit or disable related features in our products.
IX. Changes to this Privacy Policy
We may update this Privacy Policy from time to time as we release new products or change our practices. We will update the “Last updated” date at the top when we do. Continued use of the Services after changes constitutes acceptance of the updated policy where permitted by law.
X. Contact
Questions about this Privacy Policy: support@nullab.io.
