Effective date: March 19, 2026
Last updated: March 19, 2026
Privacy Policy
This Privacy Policy explains how Copybara ("Copybara," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our website, authenticated web application, Figma plugin, and related services.
1. Who We Are
Copybara provides a web application and Figma plugin for managing brand guidelines, generating product copy, and keeping a shared copy history across organizations.
The controller for personal information covered by this Privacy Policy is:
- William Hansen
- hello@getcopybara.com
1.1 Data Protection Contact
For privacy questions, data subject requests, or complaints, contact our privacy contact at hello@getcopybara.com.
2. Scope of This Privacy Policy
This Privacy Policy applies to personal information collected through:
- getcopybara.com and related marketing pages
- the Copybara authenticated web application
- the Copybara Figma plugin
- transactional emails such as invitations and password reset messages
- billing and account administration workflows
This Privacy Policy does not apply to third-party websites, services, or platforms that we do not control, even if our Services link to them or integrate with them.
3. Personal Information We Collect
We collect the following categories of personal information depending on how you interact with the Services.
3.1 Information You Provide Directly
This includes information you or your organization submit to us directly, such as:
- account information, including your name, email address, password, and profile image
- profile and account settings, including email change requests and account preferences
- organization information, including organization name, slug, logo, member roles, and invitations
- billing and subscription information, including selected plan, billing organization, Stripe customer and subscription identifiers, subscription status, billing period, and seat counts
- brand guideline content you upload, including document files, file names, parsed text, parsed markdown, summaries, embeddings, and related metadata
- copy generation inputs and outputs, including selected Figma frame context, text content, generated candidates, rationales, accepted copy, publication status, and copy history
- communications you send to us, including support or privacy inquiries sent to our contact addresses
When you use the Figma plugin, the content you choose to generate from may include page names, frame names, frame IDs, file keys, node hierarchy, text content, element labels, and other context needed to produce copy suggestions.
3.2 Information Collected Automatically
We automatically collect certain technical, usage, and security information, including:
- session data, including session identifiers, cookie-based session state, active organization state, timestamps, IP address, and user agent
- device and browser data, including browser type, operating system, and request metadata
- product usage data, including page views, feature interaction, upload events, organization events, and other product analytics events
- error and diagnostic data, including exception reports and operational logs
- rate limiting and abuse prevention data, including user identifiers and, for some public requests, IP addresses
- cookies, local storage, and similar technologies used for authentication, analytics, and service continuity
3.3 Information From Third Parties
We may receive personal information from third parties, including:
- Google, if you choose Google sign-in
- Stripe, in connection with checkout, subscription, invoices, billing portal, and related billing events
- your organization or its administrators, such as when they invite you, assign a role, or manage your access
- Figma, to the extent the plugin transmits selected design context that you choose to send through the plugin
3.4 Sensitive Personal Information
We do not intentionally request or require sensitive personal information for the ordinary use of the Services.
Because users can upload documents and generate copy from their own content, you or your organization may choose to submit information that is sensitive under applicable law. Please do not upload sensitive personal information unless it is necessary for your intended use of the Services and you have authority to do so.
4. How We Use Personal Information
We use personal information for the following purposes.
4.1 To Provide and Operate the Services
We use personal information to create accounts, authenticate users, manage organizations and invitations, operate the Figma plugin, process uploaded documents, generate copy suggestions, maintain a copy library, and provide the features you request.
4.2 To Improve and Secure the Services
We use technical and usage data to monitor performance, debug issues, detect abuse, enforce rate limits, investigate incidents, improve prompts and product quality, and maintain the reliability and security of the Services.
4.3 To Communicate With You
We use your contact information to send transactional and service-related communications, such as invitation emails, password reset messages, billing messages, account notices, support replies, and important policy or security updates.
4.4 To Process Billing and Subscriptions
We use personal information to start checkout flows, manage subscriptions, route you to the Stripe billing portal, record subscription status, and support billing administration for organization accounts.
4.5 To Comply With Law and Enforce Our Terms
We may use personal information to comply with legal obligations, respond to lawful requests, protect our rights, resolve disputes, and enforce our terms, policies, and agreements.
5. Legal Bases for Processing
Where GDPR, UK GDPR, or similar laws apply, we generally rely on the following legal bases:
- Contract: to provide the Services you request, including account access, organization features, billing, document processing, and copy generation
- Legitimate interests: to secure, maintain, analyze, improve, and support the Services, including analytics, troubleshooting, abuse prevention, and product quality review
- Consent: where required, such as when you choose optional third-party sign-in or where consent is required for certain cookies or similar tracking technologies
- Legal obligation: to comply with applicable law, lawful process, tax or accounting rules, and regulatory obligations
6. How We Disclose Personal Information
We may disclose personal information to the following categories of recipients.
6.1 Service Providers and Subprocessors
We disclose personal information to vendors that help us operate the Services, including providers for:
- authentication and identity services, including Google where you choose Google sign-in
- billing and payment processing, including Stripe
- transactional email delivery, including Resend
- analytics and error tracking, including PostHog
- object storage for uploaded files and images, including Cloudflare R2
- AI and document processing, including OpenAI for embeddings and copy generation and Llama Cloud for document parsing
- rate limiting, temporary OAuth state, and caching support, including Upstash
- prompt management and tracing when enabled, including Langfuse
- hosting, infrastructure, and database services we use to run the Services
Profile images and organization logos are stored in a public object storage bucket and may be accessible via their direct URL. Uploaded guideline documents and parsed document artifacts are stored in private object storage.
6.2 Your Organization and Administrators
If you use the Services through an organization account, organization owners, admins, and authorized members may be able to access and manage information associated with that organization, including member lists, invitations, roles, uploaded guideline content, copy history, and related workspace activity.
6.3 Integrations and Third-Party Services
If you use optional integrations or connected services, we may disclose information as needed to support those workflows. For example:
- if you use Google sign-in, authentication data is exchanged with Google
- if you use Stripe checkout or the Stripe billing portal, billing-related data is exchanged with Stripe
- if you use the Figma plugin, the plugin sends the selected design context you choose to generate from to our APIs
6.4 Legal and Corporate Disclosures
We may disclose personal information when required by law, to respond to lawful requests, to protect rights or safety, or in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business.
7. Cookies and Similar Technologies
We use cookies and similar technologies to run the Services, keep users signed in, remember state, measure product usage, and capture diagnostics.
7.1 Types of Cookies We Use
We currently use:
- Essential cookies for authentication, security, and session continuity
- Analytics cookies and local storage through PostHog to understand product usage and capture exceptions
- Plugin-local storage inside Figma to keep the plugin connected, including stored base URL, access token, refresh token, expiry time, and OAuth client state
We do not currently use advertising cookies in the implemented product experience.
7.2 Your Choices
You can control cookies through your browser settings and can clear local storage or cookies on your device. If you block essential cookies, some parts of the Services may not function correctly. If you disconnect the Figma plugin or clear its local storage, the plugin may require you to reconnect.
8. Data Retention
We retain personal information for as long as necessary to provide the Services, maintain security, comply with legal obligations, resolve disputes, and enforce our agreements.
Retention periods vary depending on the type of information. For example:
- account, organization, billing, and workspace records are generally kept while the relevant account or organization remains active and for a reasonable period afterward
- invitation, session, OAuth, cache, and rate-limit records may be retained for shorter operational periods
- uploaded documents, generated copy records, and copy logs are retained until deleted, replaced, archived, or no longer needed for the relevant organization workspace
- legal, accounting, fraud prevention, and security records may be retained longer where required or reasonably necessary
9. International Data Transfers
Your personal information may be processed in countries other than the country in which you reside, including the United States or other jurisdictions where our vendors operate.
Where required by applicable law, we use appropriate safeguards for international transfers, such as contractual protections or other lawful transfer mechanisms made available by us or our service providers.
10. Data Security
We maintain administrative, technical, and organizational safeguards designed to protect personal information, including authentication controls, role-based permissions, rate limiting, access restrictions, and managed cloud storage and infrastructure services.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You should also protect your credentials and use appropriate care when deciding what information to upload to the Services.
11. Your Privacy Rights
Depending on your location, you may have certain privacy rights regarding your personal information.
11.1 Access, Correction, and Deletion
You may have the right to request access to the personal information we hold about you, ask us to correct inaccurate information, or request deletion of your personal information, subject to applicable exceptions.
11.2 Objection, Restriction, and Portability
You may have the right to object to certain processing, request restriction of processing, or receive a copy of certain personal information in a portable format where required by law.
11.3 Consent Withdrawal
Where we rely on consent, you may withdraw that consent at any time. For example, you may stop using optional integrations, adjust device or browser settings, or contact us to request withdrawal where applicable.
11.4 California Privacy Rights
California residents and residents of certain other U.S. states may have the right to know what categories of personal information we collect and disclose, request deletion or correction, obtain a copy of certain information, appeal a denial where applicable, and receive equal service for exercising those rights.
We do not sell personal information for monetary consideration. Based on the current implementation of the Services, we also do not share personal information for cross-context behavioral advertising.
11.5 How to Exercise Your Rights
To exercise privacy rights, contact hello@getcopybara.com. Please describe your request with enough detail for us to evaluate and respond to it. We may need to verify your identity before processing a request.
If your data is associated with an organization account, we may direct certain requests to your organization administrator when your organization controls the relevant workspace data.
11.6 Complaint Rights
If you believe our processing violates applicable law, you may have the right to lodge a complaint with your local data protection or privacy regulator.
12. Children's Privacy
The Services are intended for business and professional use and are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will investigate and take appropriate steps.
13. Third-Party Websites and Services
The Services may contain links to or rely on third-party websites and services, including Google, Stripe, Figma, and other external services. Those third parties have their own privacy policies and practices, and we are not responsible for them.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last Updated" date and may also provide additional notice through the Services or by email where appropriate.
15. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at hello@getcopybara.com.
16. Regional Privacy Disclosures
This section provides additional information for residents of the EEA, UK, Switzerland, California, and other jurisdictions with specific privacy rights.
16.1 EEA, UK, and Switzerland
For users in these jurisdictions, the legal bases described in Section 5 apply. You may also have the right to complain to your local supervisory authority and to request information about international transfer safeguards.
16.2 California and Other U.S. State Privacy Laws
For California residents and, where applicable, residents of other U.S. states, the categories of personal information we collect are described in Section 3, the purposes of use are described in Section 4, and the categories of recipients are described in Section 6.
We do not use sensitive personal information to infer characteristics about you. We do not sell personal information for money and do not currently share personal information for cross-context behavioral advertising.
17. Business Customer / Administrator Notice
When the Services are provided to an organization, that organization may act as the controller of certain workspace data submitted by its users, including uploaded brand guidelines, generation activity, copy history, and organization administration data. In those cases, Copybara may process that information on the organization's behalf as a processor or service provider.
Copybara typically acts as an independent controller for information we use for our own account administration, billing, security, fraud prevention, analytics, product improvement, and legal compliance purposes.