Privacy Policy

1. Privacy officer

In accordance with Loi 25, the person responsible for the protection of personal information at DesignVault is:

Pascal Potvin, Privacy Officer
Email: privacy@designvault.net
Address: [TODO: postal address], Sherbrooke, Québec, Canada

If you have a disability, you may request this policy in an alternative format by contacting the address above.

2. Our role: controller and processor

DesignVault acts in two distinct capacities:

• As controller for account data (name, email), billing references, and security/audit logs — the processing described in this policy.
• As processor for the content your organization puts into the service (assets, tags, collections, comments, annotations, member data). For this data, your organization is the controller and our processing is governed by our Data Processing Agreement. If you have a question or request about content belonging to an organization (for example, a comment mentioning you), please contact that organization first; we will assist it in responding.

3. Personal information collected

We collect the following categories of information:

• Identification: name, email address
• Authentication: Figma access token (AES-256-GCM encrypted), session data
• Organizational: organization name, team role
• Financial (reference): Stripe customer ID (payment data is handled by Stripe)
• Technical: IP address and browser type (audit log and security; we do not analytically track pages visited)
• Content: imported design assets, tags, collections. When AI is enabled for your organization, asset content (image and text) is processed by OpenAI for auto-tagging and semantic search

4. Purposes of processing

Your information is used for the following purposes:

• Provide and maintain the DesignVault service (legal basis: contract)
• Authenticate users and secure accounts (legitimate interest)
• Import assets from Figma via your access token (express consent)
• Process payments via Stripe (contract)
• Send transactional emails: invitations, alerts, invoices (contract)
• Artificial-intelligence features — auto-tagging and semantic search of assets via OpenAI, only if enabled by your organization (legitimate interest; can be disabled)
• Send marketing communications — only if you expressly consent (none are sent by default)

5. Consent

In accordance with Loi 25 and the GDPR, we obtain your consent granularly for each purpose that requires it. You can withdraw your consent at any time in your account settings, as easily as it was given.

Figma token: storing your Figma access token requires express consent because it grants access to your Figma account. This token is encrypted with AES-256-GCM and is never accessible in clear text.

6. Subprocessors and transfers

Your data may be processed by the following subprocessors, with whom we have data processing agreements (DPAs):

• Supabase — database hosting and authentication (Canada — ca-central-1 region, Toronto)
• Vercel — application hosting (global CDN)
• Stripe — payment processing (United States)
• Resend — email delivery (United States)
• OpenAI — AI auto-tagging and embeddings, only if AI is enabled for your organization (United States)
• Sentry — error monitoring and observability (United States; configured without sending direct personal data — no IP, cookies, or request bodies)
• Upstash — rate limiting and abuse protection (United States)
• Figma (Adobe) — design API (United States) — separate controller

The current list, with roles and locations, is maintained at designvault.net/subprocessors. We give organization owners 30 days' notice before adding or replacing a subprocessor, as described in our DPA.

Transfers: for transfers from the EEA/UK to subprocessors in the United States, we rely on the European Commission's standard contractual clauses (Decision (EU) 2021/914) or, where the subprocessor is certified, the EU–US Data Privacy Framework. Before communicating personal information outside Québec, we conduct the assessment required by Loi 25.

7. Your rights

You have the following rights over your personal information:

• Access: obtain a copy of your data
• Rectification: correct inaccurate data
• Erasure: delete your account and your data
• Portability: export your data in a structured format (JSON)
• Objection: object to processing for certain purposes
• Restriction: restrict processing in certain cases

To exercise these rights, go to Settings > Privacy or contact our officer at privacy@designvault.net. We will respond within 30 days.

8. Data retention

Your data is retained while your account is active. After account deletion, your data is erased within 30 days, except where the law requires retention (financial data: 7 years).

9. Security

We put the following measures in place to protect your data:

• Multi-tenant isolation via PostgreSQL Row Level Security (RLS)
• AES-256-GCM encryption of Figma tokens
• HTTPS on all communications
• Secure authentication with Supabase Auth
• Granular access roles (owner, admin, member, viewer)
• Validation of all user input
• Audit log of sensitive actions

10. Cookies

We use first-party cookies only:

• Strictly necessary: authentication, session, and remembering your consent choice (dv-cookie-consent).
• Functional: language/theme preference (dv-theme) and, if you arrive via a referral link, an attribution cookie dv_ref (90 days).

We use no advertising cookies or third-party analytics trackers. If we ever introduced any, they would be subject to your prior consent via the dedicated banner — where refusing is as easy as accepting — and manageable at any time.

11. Privacy incidents

In the event of a confidentiality incident presenting a serious risk of harm, we notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals in accordance with Loi 25. For EU residents, the competent data protection authority is notified within 72 hours.

12. Complaints

If you believe your rights have not been respected, you may file a complaint with:

• Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
• Office of the Privacy Commissioner of Canada — priv.gc.ca

13. California residents (CCPA/CPRA)

If you are a California resident, you have the rights to know, access, delete, correct, and to non-discrimination under the CCPA/CPRA. You can exercise them via Settings > Privacy or at privacy@designvault.net. We do not sell or “share” your personal information within the meaning of the CCPA (no cross-context targeted advertising), so no “Do Not Sell or Share” link is required. We do not discriminate against you for exercising these rights.

14. Artificial intelligence

Some features (auto-tagging, semantic search, similar-asset suggestions) rely on OpenAI AI models. They are active only if your organization has explicitly enabled them, and can be disabled at any time. No solely automated decision producing legal effects is taken about you. Content processed by AI is not used to train third-party models.

15. Changes

We may amend this policy. Any material change will be communicated by email or in-app notification. The current version is always available on this page.