Legal
Privacy Policy
Last updated: May 2026
We keep this short and readable on purpose.
1. Who We Are
SpecPeek is a Figma plugin and web-based viewer that lets designers share design specifications with developers via encrypted, inspectable links. This policy explains what data we collect, why, and how it's protected.
Data controller: Todor Gospodinov, Sofia, Bulgaria, EU
Contact: support@specpeek.com
2. What We Collect
Account data
Your Figma user ID, retrieved via the Figma Plugin API when you use the plugin. Used to manage your subscription and trial status. We do not collect your email address in our own systems — your payment provider (Lemon Squeezy) collects it separately for billing purposes.
Payment data
Processed entirely by Lemon Squeezy. We never see or store your card details.
Encrypted design data
When you generate a spec, your design data is encrypted with XSalsa20-Poly1305 inside the Figma plugin before upload. Our servers store only the encrypted blob. The decryption key is embedded in the URL fragment (the part after the #) and is never transmitted to or stored on our servers. We have zero knowledge of your design content.
Anyone with the full spec URL can decrypt and view the design data — the URL itself serves as the access credential.
Spec metadata
File name, frame IDs, and creation timestamp are stored alongside the encrypted blob to enable spec management. These do not contain design content.
Usage data
Anonymous spec creation counts used to detect abuse and improve the product. Not linked to your identity.
Website analytics
The SpecPeek marketing website (specpeek.com) uses Google Analytics to collect anonymous traffic data such as page views, referral sources, and general geographic region. This data is not linked to your Figma identity. Analytics are only loaded after you consent via the cookie banner.
The SpecPeek viewer (view.specpeek.com) does not use analytics or tracking of any kind.
3. Why We Process Your Data
| Data | Legal basis |
|---|---|
| Figma user ID | Contract performance (account management, trial tracking) |
| Payment processing | Contract performance (subscription billing) |
| Encrypted design data | Contract performance (delivering the spec viewing service) |
| Spec metadata | Contract performance (spec management) |
| Usage data | Legitimate interest (product improvement, abuse prevention) |
| Website analytics | Consent (only collected after cookie consent) |
4. Third-Party Processors
We do not sell your data. We do not share it with advertisers.
- Lemon Squeezy — payment processing and billing email
- Cloudflare (Workers, D1, R2, Pages) — application hosting and encrypted data storage. Cloudflare processes encrypted blobs it cannot decrypt.
- Figma — plugin runtime environment
- Google Analytics — anonymous website traffic analytics (marketing site only, consent-based)
5. Data Retention
Account data is retained for the duration of your subscription. Upon receiving a deletion request, all account data is deleted within 30 days.
Encrypted spec data is retained for the duration of your subscription. Upon receiving a deletion request, all encrypted blobs are permanently deleted within 30 days.
Payment records are retained by Lemon Squeezy as required by EU tax law (7 years). We do not store payment records ourselves.
Anonymous usage data has no personal identifiers and is retained indefinitely for analytics purposes.
6. Your Rights
If your data is processed under GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (including all encrypted specs)
- Object to processing based on legitimate interest
- Request data portability
To exercise any of these rights, email support@specpeek.com. We respond within 30 days.
7. Cookies
The SpecPeek viewer (view.specpeek.com) does not use cookies or any tracking technology.
The SpecPeek marketing site (specpeek.com) uses Google Analytics cookies for anonymous traffic analysis. These cookies are only set after you give consent via the cookie banner. You can withdraw consent at any time by clearing your cookies or using your browser's cookie settings.
The Figma plugin uses Figma's clientStorage API (local to the Figma application, not browser cookies) to persist your encryption key and preferences within Figma.
No advertising or tracking cookies are used on any SpecPeek surface.
8. Changes to This Policy
We may update this policy as the product evolves. Significant changes will be communicated on the SpecPeek website and, where possible, within the Figma plugin. The "last updated" date at the top reflects the most recent revision.
9. Contact
Questions about this policy or your data:
support@specpeek.com · Sofia, Bulgaria