Privacy Policy — Vibe Plugin

Last updated: April 22, 2026

1. Who We Are

"VIBE Versatile Image & Banner Exporter" ("the Plugin") is a Figma plugin published under the **Galago Imago** brand, developed and operated by ClickFive Paweł Bachniak ("we", "us", "our"). This Privacy Policy explains what personal data we collect when you use the Plugin, how we use it, and your rights regarding that data.

Contact: contact@galagoimago.com

2. What Data We Collect and Why

When you open the Plugin, it reads your Figma identity (provided by the Figma platform) and sends it to our authentication server. We collect and store the following data:

Data	Source	Purpose
Figma User ID	Figma API	Uniquely identifies your account across sessions
Figma display name	Figma API	Shown in the plugin UI and team member panel
Figma avatar URL	Figma API	Displayed as your profile picture inside the Plugin
Subscription plan (trial / pro)	Derived internally	Controls access to paid features
Export counter (count + limit)	Plugin usage	Enforces the free trial export limit
Timestamp of last export	Plugin usage	Internal engagement analytics
Plugin version	Plugin itself	Compatibility tracking and support
Lemon Squeezy customer ID	Payment processor	Links your account to your purchase
Subscription ID, order ID, product ID, variant ID	Payment processor	Manages subscription status and billing events
Subscription status and renewal/expiry date	Payment processor webhooks	Determines your current access level
Team license key (if applicable)	Payment processor	Enables multi-seat team licenses
Team role (admin / member)	Plugin usage	Controls team management permissions
Team seat limit (max seats purchased)	Payment processor	Controls the maximum number of team members allowed under the subscription
Webhook event log	Payment processor	Audit trail for billing events; used for dispute resolution and debugging
Figma handle (username)	Figma OAuth `/v1/me` endpoint	Records that your account was verified through Figma's OAuth flow (anti-abuse / seat sharing prevention)
OAuth verification timestamp	Derived internally	Indicates when identity verification was completed
IP address	HTTP request header	Short-term rate limiting to prevent abuse. Stored only in an auto-expiring cache and never linked to your account record

  Principle of data minimization. Even when third-party APIs (such as Figma OAuth) return additional fields — for example an email address — we explicitly discard them on the server and store only the minimum data required to deliver the service.

We do not collect:

The content of your Figma files, designs, comments or any project data
Payment card numbers or banking details (handled entirely by Lemon Squeezy)
Your email address — even during Figma OAuth verification we explicitly discard the email field returned by Figma and do not persist it. Email is only received indirectly via Lemon Squeezy if you make a purchase, for billing purposes
Any data from your device beyond what is listed above
Cookies or any client-side tracking identifiers

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR) — processing your Figma User ID, subscription data, and export counter is necessary to provide the Plugin service you requested.
Legitimate interests (Art. 6(1)(f) GDPR) — storing the plugin version and last export timestamp to ensure compatibility and support.
Legal obligation (Art. 6(1)(c) GDPR) — retaining billing and webhook event logs to meet accounting and dispute resolution requirements.

4. Third-Party Services

Your data is processed by the following third-party sub-processors:

Cloudflare, Inc.

Our authentication server and database run on Cloudflare Workers, Cloudflare D1 (SQLite-based database hosted by Cloudflare) and Cloudflare KV (short-term key-value cache used for rate-limit counters and OAuth state tokens). Cloudflare processes your data as a data processor on our behalf.

Privacy policy: https://www.cloudflare.com/privacypolicy/
Data location: United States / European data centres (depending on routing)

Lemon Squeezy (Stripe, Inc.)

Payments and license management are handled by Lemon Squeezy, which acts as the Merchant of Record. When you make a purchase, you enter into a transaction governed by Lemon Squeezy's own terms and privacy policy. We receive billing event notifications (webhooks) from Lemon Squeezy and store the subscription identifiers listed in Section 2.

Figma, Inc.

The Plugin runs inside the Figma application. Figma provides us with your User ID, display name, and avatar URL via its Plugin API.

When you choose to verify your identity, we additionally use Figma's OAuth 2.0 flow with the current_user:read scope. This scope grants access only to your Figma user ID and handle — it does not grant us access to any Figma files, designs, comments, projects, teams, or other content. OAuth verification is used solely to confirm that the person running the Plugin is the legitimate owner of the associated account, preventing seat-sharing and subscription abuse.

Your use of Figma is governed by Figma's own privacy policy.

5. Data Retention

Data category	Retention period
User account record (ID, name, avatar, plan)	Until you request deletion by contacting us at contact@galagoimago.com
Subscription and billing identifiers	Until you request deletion, subject to any applicable legal retention obligations (e.g. accounting records)
Webhook event log	Until you request deletion
Team license activations	Until the seat is released or the subscription expires
Rate-limit counters (per-user)	Maximum 60 seconds (auto-expiring)
IP-based rate-limit counters	Maximum 60 seconds (auto-expiring)
OAuth state tokens (CSRF protection)	Maximum 10 minutes (auto-expiring)

6. Data Sharing

We do not sell, rent, or share your personal data with any third parties except:

Cloudflare and Lemon Squeezy as described in Section 4 (sub-processors)
When required by law or a valid legal process

7. Security

Your data is protected by:

HMAC-SHA256 signed session tokens (time-limited to 24 hours)
HTTPS/TLS for all data in transit
Timing-safe cryptographic comparisons for webhook signature verification
Rate limiting on all API endpoints (both per-user and per-IP)
Cryptographically random state tokens (64 hex characters) for OAuth CSRF protection
Pessimistic locking on multi-seat license activations to prevent race conditions
Idempotency keys on billing webhooks to prevent duplicate processing
Parameterized SQL queries (no risk of SQL injection)

8. Children's Privacy

The Plugin is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access — request a copy of the data we hold about you
Rectification — request correction of inaccurate data
Erasure ("right to be forgotten") — request deletion of your account and associated data
Portability — receive your data in a machine-readable format
Objection / Restriction — object to or restrict certain types of processing
Withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at contact@galagoimago.com. We will respond within 30 days.

If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.

10. International Data Transfers

Your data may be stored and processed in the United States (Cloudflare infrastructure). When we transfer data from the EEA to the US, we rely on Cloudflare's Standard Contractual Clauses (SCCs) as the appropriate transfer mechanism under GDPR Art. 46.

11. Cookies and Tracking

The Plugin does not use cookies, local storage trackers, advertising identifiers or any other client-side tracking mechanisms. The Plugin runs entirely inside the Figma desktop/web application and stores no browser cookies. The legal information pages hosted at galagoimago.com are served as static HTML and do not set cookies either.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the Plugin after changes constitutes acceptance of the updated policy. For material changes, we will notify users via the Plugin interface.

13. Contact

ClickFive Paweł Bachniak
NIP: PL5532178020
contact@galagoimago.com