Last updated: March 2026
We keep this short and readable on purpose.
SpecPeek ("we", "our", "us") is a Figma plugin and web-based viewer that lets designers share design specifications via an encrypted link. This policy explains what data we collect, why, and how it's protected.
Data controller: Todor Gospodinov, Bulgaria, EU
Contact: support@specpeek.com
Account data: Figma user ID, used to manage your subscription and trial status. We do not collect your email address unless you contact us directly.
Payment data: processed entirely by our payment provider (Lemon Squeezy). We never see or store your card details.
Usage data: anonymous spec creation counts used to detect abuse and improve the product. Not linked to your identity.
Encrypted design data: when you generate a spec, your design data is encrypted with XSalsa20-Poly1305 inside the Figma plugin before upload. Our servers store only the encrypted blob. The decryption key is embedded in the URL fragment (the part after the #), which browsers do not include in HTTP requests, and is never transmitted to or stored on our servers. We have zero knowledge of your design content.
Spec metadata: file name, frame IDs, and creation timestamp are stored alongside the encrypted blob to enable spec management. These do not contain design content.
Figma user ID — contract performance (account management, trial tracking)
Payment processing — contract performance (subscription billing)
Encrypted design data — contract performance (delivering the spec viewing service)
Usage analytics — legitimate interest (product improvement, abuse prevention)
Lemon Squeezy — payment processing
Cloudflare (Workers, D1, R2) — application hosting and encrypted data storage
Cloudflare Pages — viewer hosting
Figma — plugin runtime environment
We do not sell your data. We do not share it with advertisers. Cloudflare processes encrypted blobs it cannot decrypt.
Account data is retained for the duration of your subscription and deleted within 30 days of account closure upon request.
Encrypted spec data is retained for the duration of your subscription. Upon account deletion, all encrypted blobs are permanently deleted.
Payment records are retained as required by EU tax law (7 years).
Anonymous usage data has no personal identifiers and is retained indefinitely for analytics purposes.
As an EU resident you have the right to:
To exercise any of these rights, email support@specpeek.com. We respond within 30 days.
The SpecPeek viewer does not use cookies. The Figma plugin uses Figma's clientStorage API to persist your encryption key and preferences locally within Figma. No advertising or tracking cookies are used on any SpecPeek surface.
We may update this policy as the product evolves. Significant changes will be communicated via the Figma plugin. The "last updated" date at the top reflects the most recent revision. Continued use of SpecPeek after changes constitutes acceptance.
Questions about this policy or your data:
support@specpeek.com