Legal
Privacy Policy
Data Controller
Zaklad is operated by Luke Hawkins, a sole trader registered in the Czech Republic. Under the EU General Data Protection Regulation (GDPR), the operator acts as the data controller for personal data processed in connection with the Service.
- IČO: 14031671
- Registered address: Osadní 23, 170 00 Prague 7, Czech Republic
- Contact: [email protected]
1. What Zaklad Is
Zaklad is a design system platform that manages design tokens, typography, icons, and components, and syncs them to Figma and production code. This policy explains what personal data we collect, why, how we protect it, and the rights you have over it.
2. Data We Collect
- Account information: email address and password when you register. Passwords are never stored in plain text.
- Organisation information: the name of your organisation and the email addresses of members you invite or who join your organisation.
- Project data: design tokens, typography settings, icon libraries, component configurations, and font files you upload. This is content you create and manage in Zaklad. We do not inspect or read the contents of your projects as a matter of operation; this data is stored for your retrieval and to serve the functionality of the platform.
- Figma connection data: if you use the OAuth integration (Enterprise plan), we store Figma access and refresh tokens and your Figma user ID. Sensitive tokens are encrypted at rest.
- API keys: when you generate project API keys (for the Figma plugin), we store a cryptographic hash of the key. The raw key is shown to you once at creation and is never stored.
- Session data: a secure, HTTP-only session cookie to keep you logged in.
- Operational metadata: aggregated, non-content metrics such as the number of projects or members in an organisation, used to understand how the platform is used and to plan capacity. This does not include the contents of your projects.
- Technical logs: IP address, browser type, and request metadata collected by our infrastructure for security, rate limiting, and debugging. Retained for a limited period (see Retention below).
3. What the Figma Plugin Accesses
The Zaklad Figma plugin communicates only with the Zaklad API. It sends your project API key to authenticate and fetches your design token data. It does not read or transmit the contents of your Figma file, your Figma user data, or document structure back to Zaklad. The plugin only writes to your Figma file (variables, styles, components); it does not read your existing design data.
4. Legal Basis for Processing
Under GDPR Article 6, we process your personal data on the following bases:
- Performance of a contract (Art. 6(1)(b)) — processing necessary to provide you with the Service you have signed up for, including account creation, authentication, project storage, and Figma sync.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, rate limiting, operational logs, and aggregated usage metrics to improve the Service. Where we rely on this basis, we have balanced it against your rights and interests.
- Legal obligation (Art. 6(1)(c)) — where processing is required to comply with applicable law.
- Consent (Art. 6(1)(a)) — where you have explicitly consented, for example to marketing communications. You may withdraw consent at any time.
5. How We Use Your Data
Your data is used solely to operate the Service:
- Storing and managing your design system configuration.
- Generating Figma variables, text styles, icons, and components on sync.
- Authenticating your sessions and API requests.
- Sending transactional emails (account confirmation, password resets, billing).
- Understanding aggregated usage to plan capacity and improve the platform.
- Preventing abuse, securing the platform, and complying with legal obligations.
We do not sell or rent your data. We do not use your data for behavioural advertising, and we do not share your project content with third parties except as required to operate the Service (see Subprocessors below) or as required by law.
We do not use Your Content to train machine-learning or artificial-intelligence models, and we do not share Your Content with third parties for that purpose. Aggregated, non-identifying operational metrics (for example, the number of projects or members per organisation) are used only to plan capacity and improve the Service.
6. Data Storage and Security
We apply a layered set of technical and organisational measures appropriate to the nature of the data we process, including:
- Primary application data (accounts, organisations, project configurations, credentials) is stored at rest on infrastructure we operate and control, located in the European Union. We also use Cloudflare R2 object storage for content delivery of project assets (such as exported token files, fonts, and icons) and for encrypted backups. Cloudflare is further used for network delivery, DDoS protection, and aggregated analytics, and may process transient network metadata (such as IP addresses and request headers) at edge locations worldwide. All Cloudflare data processing, including R2 storage, is covered by Standard Contractual Clauses (see Section 7).
- Passwords are stored using a modern, memory-hard password hashing algorithm; they are never stored in plain text.
- Sensitive credentials (including OAuth tokens) are encrypted at rest using authenticated encryption.
- API keys are stored only as cryptographic hashes; the raw key is shown once at creation and cannot be retrieved afterwards.
- All connections are served over HTTPS (TLS).
- Access to production infrastructure is restricted and logged.
- Regular backups, monitoring, and rate limiting are in place to support availability and abuse detection.
For security reasons, we do not publish specific algorithm names, key sizes, or configuration details. If you have a legitimate need to review our security posture (for example, a procurement or compliance requirement), contact us and we will share additional information under appropriate confidentiality terms.
No system is perfectly secure. While we implement reasonable technical and organisational measures to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Czech supervisory authority (ÚOOÚ) within 72 hours as required by GDPR, and we will notify affected users where required.
7. Subprocessors and Third-Party Services
Zaklad is self-hosted on infrastructure controlled by the operator. We use a small number of third parties to deliver the Service:
- Figma (Figma, Inc., United States) — only when you explicitly initiate a sync via the plugin or the OAuth integration. The Zaklad platform sends design token, style, and component data to your Figma file on your instruction.
- Cloudflare (Cloudflare, Inc., United States) — used for network delivery, DDoS protection, aggregated privacy-respecting analytics, and object storage via Cloudflare R2. R2 stores content delivery assets (such as exported tokens, fonts, and icons served to your applications) and encrypted backups of the Service. Cloudflare processes IP addresses and request metadata for network and security purposes, and stores data at rest for R2.
- Resend (Resend, Inc., United States) — transactional email delivery (account confirmation, password resets, billing notifications). Resend processes recipient email addresses and message content on our behalf.
- Payment processor — used to process subscription payments when paid plans become available. The processor will be named here once selected; we will not store full card numbers or bank details on our infrastructure.
Where any subprocessor is located outside the European Economic Area, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses for international transfers.
8. Data Retention and Deletion
- Account and project data: retained for as long as your account is active.
- On account deletion or request: all associated data (projects, tokens, fonts, Figma connections, API keys, organisation membership) is permanently removed within 30 days, except where we are required to retain specific records for legal or accounting purposes.
- Backups: deleted data may persist in encrypted backups for up to 30 days before being rotated out.
- Technical logs: retained for up to 30 days for security and debugging, then purged.
- Billing records: where paid plans are in use, invoices and related records are retained for the period required by Czech accounting and tax law (currently up to 10 years).
9. Your Rights Under GDPR
If the GDPR applies to you, you have the following rights:
- Right of access — to know what personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — to have your personal data deleted, subject to legal exceptions.
- Right to restrict processing — to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format. The Zaklad export feature is designed to support this right.
- Right to object — to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on your consent.
- Right to lodge a complaint — with a supervisory authority. In the Czech Republic this is the Úřad pro ochranu osobních údajů (ÚOOÚ), uoou.gov.cz. If you are in the United Kingdom, the equivalent authority is the Information Commissioner’s Office (ICO), ico.org.uk. If you are in another EU Member State, you may also contact your local supervisory authority.
To exercise any of these rights, contact [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.
10. Cookies
Zaklad uses a minimal set of cookies. We use an essential, HTTP-only session cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party social media cookies. Analytics, where provided via Cloudflare, do not rely on cookies and do not identify individuals.
11. Children
Zaklad is a professional tool and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be communicated via the platform or by email where practicable, with reasonable advance notice before they take effect. The “Last updated” date at the top of this page reflects the most recent change.
13. Contact
For questions about this policy or to exercise your data rights, contact [email protected].