Privacy Policy

Introduction

Fenly (“Fenly”, “we”, “us”, or “our”) is a design system management platform operated by Felipe Linares (“Owner”), reachable at hello@fenly.io. Fenly is accessible at fenly.io.

This Privacy Policy describes what personal data we collect when you create an account, use our Service, or visit our website; how we use that data; with whom we share it; and what rights you have over it.

By using Fenly you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

Who We Are (Data Controller)

ControllerFelipe Linares, operating as Fenly

Websitehttps://fenly.io

Contact emailhello@fenly.io

Privacy/Legal emaillegal@fenly.io

As the Data Controller, we determine the purpose and means of processing your personal data. Some processing is carried out by our sub-processors (third-party services); they are listed in Section 7.

What Data We Collect

3.1 Account and identity data

When you create a Fenly account — regardless of the method you use — we collect and store the following in our database:

Email addressRequired to create and identify your account

Display nameYour full name, imported from Google or entered manually

Profile photo URLImported from Google if you sign in with Google (stored as a URL reference, not downloaded)

Internal user IDA unique cuid() generated by us to identify you in our database

Clerk user IDA unique ID issued by Clerk, our authentication provider, linked to your account record

Sync tokenA unique random token used to authenticate our Figma plugin — optional, only generated on request

3.2 Authentication credentials

Fenly supports three authentication methods. Credential handling differs per method:

Email + Password

Your password is never stored by Fenly. It is hashed using bcrypt with a per-user salt by Clerk, our authentication provider, and stored exclusively in Clerk's infrastructure. We never have access to your plaintext or hashed password.

You authenticate directly with Google. We receive your Google account's name, email address, and profile photo URL via the OAuth 2.0 protocol. We do not receive or store your Google password or any other Google account data. Google's OAuth access token is managed by Clerk and is never stored in our own database.

Email OTP (One-Time Passcode)

A time-limited, single-use numeric code is sent to your email address. The code is generated and validated entirely by Clerk; it is never stored in our database. Codes expire automatically after 10 minutes.

3.3 Session data

After a successful login, Clerk issues a session token stored as an HTTP-only, Secure cookie (__session) in your browser. This cookie is not accessible to JavaScript and is used solely to authenticate subsequent requests. Sessions expire after a period of inactivity as configured by Clerk.

3.4 Figma Plugin session data

The Fenly Figma plugin uses a browser-based OAuth-like flow. When you connect the plugin to your account, a short-lived session record is created containing:

State tokenA random, non-guessable string to prevent CSRF attacks

Plugin auth tokenA short-lived token returned to the plugin after authorization

Expiry10 minutes — records are automatically considered expired and not used after this window

3.5 Design system data (user-generated content)

Once logged in, you create and manage design system content. We store the following on your behalf:

Teams and projectsNames, slugs (URL identifiers), and your role within each team

Figma file IDThe public file ID portion of your Figma file URL — not your Figma account credentials

Figma Personal Access Token (PAT)If you choose to connect via PAT, this token is stored encrypted in our database to enable token syncing. See Section 9 for encryption details.

Design tokensThe JSON representation of your Figma variables (colors, spacing, typography, etc.), cached from your last sync

ComponentsFigma component names, descriptions, categories, thumbnail URLs, and variant properties synced from your Figma file

Documentation pagesTitles, content (rich text / JSON), categories, and publish status of pages you create

Design guidelinesTitles, content (rich text / JSON), categories, and publish status of guidelines you create

DS Chat configurationYour public chat URL slug, access mode (public / password-protected / domain-restricted), and daily rate limit settings

3.6 AI conversation data

When you use the AI Companion or the Talk to your DS public chat feature, your messages and the design system context (tokens, component names, doc page titles) are sent to Anthropic's API for processing. We do not permanently store conversation history in our database. See Section 7 for Anthropic's data handling policies.

3.7 Usage and analytics data

We use Vercel Analytics to understand how the Service is used. This collects:

Page viewsWhich pages are visited and when

ReferrerThe URL that linked to our page (if any)

Country / regionDerived from IP address (IP itself is not stored)

Device typeMobile, tablet, or desktop — derived from User-Agent header

Vercel Analytics is privacy-focused and does not use cookies or persistent identifiers for analytics. No individually identifiable records are created.

How We Use Your Data

We use collected data only for the following purposes:

Account managementCreating, maintaining, and securing your account; sending account-related emails (verification, password reset, OTP codes)

Service deliveryStoring and serving your design system data (tokens, components, docs, guidelines)

AI featuresPassing your messages and DS context to Anthropic to generate responses from the AI Companion and public DS Chat

Figma syncUsing your Figma PAT or Plugin token to fetch variables and components from the Figma API on your behalf

AnalyticsUnderstanding aggregate usage patterns to improve the product — not for advertising

SecurityDetecting and preventing abuse, unauthorized access, and policy violations

Legal complianceComplying with applicable laws, legal processes, and our Terms of Service

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

Contract performanceProcessing necessary to provide the Service you signed up for (account creation, data storage, sync, AI features)

Legitimate interestsAnalytics and security monitoring, to improve and protect the Service

Legal obligationCompliance with applicable law where required

ConsentWhere we request your specific consent (e.g., marketing communications, if introduced in the future)

Cookies and Local Storage

Fenly uses a minimal set of cookies required for authentication. We do not use advertising cookies or third-party tracking cookies.

__sessionEssential · Set by Clerk

HTTP-only, Secure, SameSite=Lax session cookie. Contains an encrypted, signed session token. Not accessible to JavaScript. Expires at end of session or after Clerk's configured idle timeout (default 7 days).

__client_uatEssential · Set by Clerk

Tracks the timestamp of the last client-side session update. Used by Clerk to sync session state across browser tabs. Does not contain personal data.

Vercel AnalyticsAnalytics · Cookie-free

Vercel Analytics does not set cookies. It uses a privacy-preserving, cookie-free approach to aggregate page view metrics without tracking individual users across sessions.

You can block or delete cookies at any time through your browser settings. Blocking the __session cookie will prevent you from staying logged in.

Third-Party Service Providers

We use the following sub-processors. Each has access only to the data necessary to perform their function:

ClerkPrivacy Policy ↗

Role: Authentication and identity management

Data accessed: Email address, hashed password (email/password auth), Google OAuth profile (name, email, photo), session tokens, OTP codes. Clerk stores and manages all authentication credentials.

SupabasePrivacy Policy ↗

Role: Cloud database hosting (PostgreSQL)

Data accessed: All application data stored in our database: user records, teams, projects, design tokens, components, documentation, guidelines, DS chat configuration. Supabase hosts our PostgreSQL instance on AWS infrastructure.

VercelPrivacy Policy ↗

Role: Application hosting, CDN, and serverless infrastructure

Data accessed: HTTP request logs (IP address, User-Agent, URL) for a limited retention period for debugging. Aggregate analytics (page views, country, device type). Vercel does not use request logs for tracking.

AnthropicPrivacy Policy ↗

Role: AI language model API (Claude)

Data accessed: Your chat messages and the design system context (token names/values, component names, doc page titles) that you include in AI Companion or DS Chat sessions. Conversations are not permanently stored in our database. Anthropic processes this data per their API usage policy.

GooglePrivacy Policy ↗

Role: OAuth 2.0 identity provider (optional)

Data accessed: Your Google account's name, email address, and profile photo URL — only when you choose 'Sign in with Google'. We do not access your Google Drive, Gmail, Calendar, or any other Google services.

FigmaPrivacy Policy ↗

Role: Design data source (user-initiated)

Data accessed: When you provide a Personal Access Token (PAT) or use the Figma plugin, we read your Figma file's variables and components via the Figma REST API. We never write to your Figma file. The PAT is stored encrypted in our database.

Data Retention

Account and profile dataRetained for as long as your account is active. Deleted within 30 days of account deletion request.

Design system data (tokens, components, docs, guidelines)Retained until you delete the project or close your account. You can delete individual projects or all data at any time from Settings.

Figma PATStored until you disconnect your Figma connection or delete your account. You can revoke it in your Figma account settings independently.

Plugin sessionsExpire automatically after 10 minutes. Expired sessions are not used but may remain in the database for up to 7 days before cleanup.

AI conversationsNot stored in our database. Anthropic may retain API request logs per their retention policy.

Vercel request logsRetained by Vercel for up to 30 days for debugging purposes.

Backup dataDatabase backups are retained for up to 30 days, after which they are permanently deleted.

Security Measures

We implement the following technical and organizational measures to protect your data:

Encryption in transit

All communication between your browser and Fenly is encrypted using TLS 1.2 or higher (HTTPS). This is enforced by Vercel's edge network and HTTPS redirects. HTTP connections are automatically redirected to HTTPS.

Encryption at rest

Our database is hosted on Supabase (AWS), which encrypts all data at rest using AES-256 encryption. Database backups are also encrypted at rest.

Password handling

Passwords are hashed using bcrypt with a unique per-user salt and are stored exclusively within Clerk's infrastructure. Fenly application servers never receive, process, or store passwords in any form.

Figma Personal Access Token storage

If you provide a Figma PAT to enable token syncing, it is stored in our database. It is protected by database-level encryption at rest (AES-256 via Supabase) and only used server-side to make Figma API calls — it is never exposed in client-side responses.

Authentication security

All session tokens are signed JWTs managed by Clerk. Session cookies are HTTP-only and Secure, preventing client-side JavaScript access and transmission over plain HTTP. Email OTP codes are single-use and expire after 10 minutes.

Access control

Every API route requires authentication. All database queries are scoped to the authenticated user's team memberships — it is not possible to access another user's data. Database access credentials are stored as environment variables in Vercel and never exposed in source code.

API key management

Internal API keys (Anthropic API key, Clerk secret key, database URLs) are stored exclusively as encrypted environment variables in Vercel. They are never committed to source code or version control.

DDoS and edge protection

Fenly is served through Vercel's global edge network, which includes automatic DDoS mitigation, rate limiting at the edge, and WAF-level protection for all public endpoints.

While we apply industry-standard security practices, no method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password and enable multi-factor authentication if supported.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right to accessRequest a copy of the personal data we hold about you.

Right to rectificationCorrect inaccurate or incomplete personal data. You can update your name and email directly from your account settings.

Right to erasureRequest deletion of your account and all associated personal data. Submitted via legal@fenly.io. Completed within 30 days.

Right to portabilityRequest an export of your design system data (tokens, components, docs, guidelines) in a machine-readable format (JSON). Available from your account settings.

Right to objectObject to processing based on legitimate interests. We will consider and respond to all such requests.

Right to restrict processingRequest that we restrict processing of your data in certain circumstances.

Right to withdraw consentWhere processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at legal@fenly.io. We will respond within 30 days. We may ask you to verify your identity before processing requests.

International Data Transfers

Our infrastructure involves data transfers to the United States and potentially other countries where our sub-processors operate:

ClerkUnited States (Data Processing Agreement available)

SupabaseUnited States — AWS us-east-1 (Data Processing Agreement available)

VercelUnited States and global edge nodes (DPA available)

AnthropicUnited States (API processing)

Where required by applicable law (e.g., GDPR), we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms when transferring data outside the EEA.

Children's Privacy

Fenly is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16 without appropriate consent, please contact us at legal@fenly.io and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last updated” date at the top of this page and, if the changes are significant, by sending an email to the address associated with your account.

Your continued use of Fenly after changes become effective constitutes your acceptance of the revised Policy.

Contact Us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Fenly — Privacy Team

Email: legal@fenly.io

Website: https://fenly.io

Response time: We aim to respond to all privacy requests within 5 business days.

Also read our Terms of Service for the rules governing your use of Fenly.