1. Introduction
Welcome to Design2Liquid ("we," "us," "our," or the "Company"). Design2Liquid is a web application that converts Figma designs into Shopify Liquid section code using AI-powered analysis.
This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect your personal information when you access or use our website located at design2liquid.com and associated services (collectively, the "Service").
Effective Date: January 27, 2026
This Policy applies to all users of the Service, including visitors, free-tier users, and paid subscribers. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service.
If you have any questions about this Policy, please contact us at support@design2liquid.com.
2. Information We Collect
We collect information necessary to provide, maintain, and improve the Service. The categories of information we collect include:
2.1 Account Data
- Email address — used for account identification, authentication, and service communications.
- Name — used for personalization and display within the Service.
- Password hash — a one-way cryptographic hash of your password. We never store your password in plaintext.
2.2 Figma OAuth Data
- Figma user ID — a unique identifier assigned by Figma to your account, used to associate your Figma connection with your Design2Liquid account.
- Figma email address — the email associated with your Figma account, received during the OAuth flow.
- Encrypted OAuth tokens — your Figma access token and refresh token are encrypted using AES-256 before being stored in our database. These tokens allow us to access your Figma files on your behalf.
2.3 Design Data
- Figma frame JSON — the raw JSON representation of the Figma frame you select for conversion, including layer structure, properties, and styles.
- Node trees — the hierarchical structure of design elements within your selected frame.
2.4 Generated Artifacts
- Liquid code — the Shopify Liquid template code generated from your design.
- CSS stylesheets — section-scoped CSS generated for responsive styling.
- Preview HTML — an HTML preview of the generated section for visual verification.
- Screenshots — rendered preview screenshots stored for reference.
2.5 Usage Data
- Generation counts — the number of code generations you have performed, used for usage tracking and quota enforcement.
- Timestamps — when each generation was initiated and completed.
- Token usage — the number of AI tokens consumed during code generation, tracked for analytics and billing purposes.
2.6 Technical Data
- IP address — collected automatically by our hosting infrastructure for security and abuse prevention.
- Browser type and version — used for compatibility analysis and debugging.
- Device information — operating system, screen resolution, and other device characteristics collected for service optimization.
3. How We Use Information
We use the information we collect for the following purposes:
- Account management — to create, maintain, and secure your account; to authenticate your identity; and to manage your subscription plan.
- Code generation — to process your Figma designs through our AI-powered pipeline and generate Shopify Liquid section code, CSS stylesheets, and preview HTML.
- Usage tracking — to monitor your generation counts against your plan quota, track token consumption, and enforce usage limits.
- Support communications — to respond to your inquiries, provide technical support, and send important service notifications such as policy changes or security alerts.
- Service improvement — to analyze aggregated, anonymized usage patterns to improve the reliability, performance, and quality of our code generation pipeline. We do not use individual user data for this purpose; only aggregated analytics are used.
We do not sell, rent, or lease your personal information to third parties. We do not use your personal information for advertising or marketing purposes beyond service-related communications.
4. AI/Automated Processing Disclosure
Design2Liquid uses artificial intelligence (AI) to convert Figma designs into Shopify Liquid code. This section provides transparency about how your data is processed by AI systems.
- AI processing — when you initiate a code generation, your Figma design data (frame JSON, node structure, and styles) is sent to OpenAI's API for one-time code generation. The data is used solely to produce the Liquid code, CSS, and preview output for that specific request.
- No model training — your design data is NOT used to train, fine-tune, or improve any AI or machine learning models. This applies to both Design2Liquid's systems and OpenAI's systems.
- OpenAI data retention — per OpenAI's API Data Usage Policy, API inputs and outputs may be retained by OpenAI for up to 30 days solely for abuse and misuse monitoring purposes, after which the data is deleted. OpenAI does not use API data for model training.
- No human review — your design data is not reviewed by humans at OpenAI or Design2Liquid as part of the generation process. Human review would only occur in response to a direct support request you initiate.
- Opt-out — you can choose not to have your data processed by AI by simply not using the code generation feature. Account management and browsing the Service do not involve AI processing.
For questions about how your data is processed by our AI systems, contact us at support@design2liquid.com.
5. Third-Party Sub-Processors
We engage the following third-party service providers ("sub-processors") to help deliver the Service. Each sub-processor processes data only as necessary for its stated purpose and is bound by contractual obligations to protect your data.
| Sub-Processor | Purpose | Data Accessed |
|---|---|---|
| Figma | OAuth authentication, design data access | Figma user ID, email, OAuth tokens, design frame data |
| OpenAI | AI-powered code generation | Design frame JSON, node structures, style properties |
| AWS S3 | File storage (screenshots, previews) | Generated preview screenshots, rendered HTML |
| Neon PostgreSQL | Database hosting | All persistent data (accounts, generations, usage quotas, connections) |
| Vercel | Application hosting, serverless functions | HTTP requests, IP addresses, server-side processing data |
| Resend | Transactional email delivery | Recipient email address, email content (support communications) |
We maintain Data Processing Agreements (DPAs) with each sub-processor where required by applicable law. We evaluate our sub-processors regularly to ensure they maintain adequate data protection standards.
6. Data Retention by Tier
We retain your data for the minimum period necessary to fulfill the purposes described in this Policy. Retention periods vary by subscription tier:
| Plan | Retention Period | Details |
|---|---|---|
| Free | 30 days after last activity | All account data, generations, and artifacts are deleted 30 days after your last interaction with the Service. |
| Pro | 1 year | Data is retained for 1 year from the date of creation. You may request earlier deletion at any time. |
| Enterprise | Until account deletion | Data is retained for the lifetime of your account. All data is deleted upon account deletion. |
| OAuth Tokens | Session lifetime | Figma OAuth tokens are stored for the duration of your active session and are deleted when you disconnect your Figma account or delete your account. |
When your data reaches the end of its retention period, it is permanently deleted from our systems, including all backups, within 30 days. Generated artifacts stored in AWS S3 (such as screenshots) follow the same retention schedule as the associated generation record.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:
- Right of Access (Article 15) — you have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of your request.
- Right to Rectification (Article 16) — you have the right to request correction of inaccurate personal data or completion of incomplete personal data. You can update your account information directly through the Service settings, or contact us for assistance.
- Right to Erasure (Article 17) — you have the right to request deletion of your personal data. When you request account deletion, we initiate a 30-day grace period during which your account is deactivated but your data is preserved. You may cancel the deletion during this period by logging in and choosing to restore your account. After the 30-day grace period, all your data is permanently and irreversibly deleted from our systems.
- Right to Restriction (Article 18) — you have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
- Right to Data Portability (Article 20) — you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You may request an export of your data by contacting us at support@design2liquid.com.
- Right to Object (Article 21) — you have the right to object to the processing of your personal data based on legitimate interests. Upon receiving such an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
To exercise any of these rights, contact us at support@design2liquid.com. We will respond to your request within 30 days. If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection supervisory authority.
8. Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
- Right to Delete — you have the right to request deletion of your personal information. Upon receiving a verified deletion request, we will delete your personal information from our records and direct our sub-processors to do the same, subject to certain exceptions permitted by law (such as data needed to complete a transaction or for legal compliance).
- Right to Opt-Out of Sale — we do NOT sell your personal information to third parties. We have not sold personal information in the preceding 12 months and have no plans to do so. As such, there is no need to opt out, but we respect your right to make this request.
- Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different quality of service, or suggest that you will receive a different price or quality of service for exercising your rights.
To exercise your CCPA rights, contact us at support@design2liquid.com. We will verify your identity before processing your request and respond within 45 days.
10. Children's Privacy
The Service is not directed at children under the age of 13 (as defined by the Children's Online Privacy Protection Act, or COPPA) or under the age of 16 (as defined by the GDPR). We do not knowingly collect, use, or disclose personal information from children under these ages.
If we become aware that we have collected personal information from a child under the applicable age threshold, we will take immediate steps to delete that information from our systems. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@design2liquid.com so we can take appropriate action.
Users must be at least 18 years old or the age of majority in their jurisdiction to create an account and use the Service.
11. International Data Transfers
Design2Liquid is operated from the United States. Your personal data is processed and stored on servers located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.
For users located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we ensure that transfers of personal data to the United States are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs) — we rely on the European Commission's Standard Contractual Clauses as the legal mechanism for data transfers from the EEA to the United States, as adopted under Commission Implementing Decision (EU) 2021/914.
- Sub-processor DPAs — our third-party sub-processors (see Section 5) maintain their own Data Processing Agreements and comply with applicable data transfer requirements. Major providers including Vercel, AWS, OpenAI, and Neon maintain EU-approved transfer mechanisms.
- Supplementary measures — where required, we implement additional technical and organizational measures to ensure an adequate level of data protection, including encryption of data in transit and at rest.
By using the Service, you acknowledge and consent to the transfer of your personal data to the United States as described in this section.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption at rest (AES-256) — Figma OAuth access tokens and refresh tokens are encrypted using AES-256 encryption at the application level before being stored in the database. Database storage itself is also encrypted at rest by our database provider (Neon PostgreSQL).
- Encryption in transit (TLS 1.2+) — all data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using Transport Layer Security (TLS) version 1.2 or higher. HTTPS is enforced for all connections.
- Access controls — access to production systems, databases, and encryption keys is restricted to authorized personnel using role-based access controls and multi-factor authentication.
- Password security — user passwords are hashed using industry-standard one-way hashing algorithms before storage. We never store plaintext passwords.
- Admin account protection — administrative accounts are protected by lockout mechanisms that temporarily disable access after repeated failed login attempts.
- Regular security reviews — we conduct periodic reviews of our security practices, infrastructure configurations, and dependency vulnerabilities to identify and address potential risks.
While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining reasonable safeguards appropriate to the sensitivity of the data we process.
13. Changes to Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Effective Date" at the top of this Policy.
Material changes: for material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice via email to the address associated with your account. Material changes include but are not limited to: new categories of data collected, new third-party sub-processors with access to personal data, changes to data retention periods, or changes to your rights under this Policy.
Non-material changes: minor changes such as typographical corrections, formatting updates, or clarifications that do not affect the substance of the Policy may be made without advance notice.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your account and data as described in Sections 7 and 8.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the following information:
- Email: support@design2liquid.com
- Support page: design2liquid.com/support
We aim to respond to all privacy-related inquiries within 30 days. For GDPR-related requests, we will acknowledge receipt of your request within 72 hours and provide a substantive response within the legally required timeframe.
If you are located in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
15. Connecticut AI Disclosure
In proactive compliance with the Connecticut Artificial Intelligence Act (SB-2), effective July 1, 2026, we provide the following disclosures regarding our use of artificial intelligence:
- AI system purpose — Design2Liquid uses AI (specifically, large language models provided by OpenAI) solely for the purpose of code generation. Our AI system analyzes Figma design data and generates Shopify Liquid template code, CSS stylesheets, and HTML previews.
- No profiling or automated decision-making — our AI system does NOT engage in profiling, automated decision-making, or consequential decisions as defined by Connecticut SB-2. The AI is used exclusively as a code generation tool and does not make decisions that produce legal effects or similarly significant effects concerning individuals.
- User notification — users are informed that AI processing will occur before they initiate a code generation. The code generation interface clearly indicates that designs will be processed by an AI system.
- Human oversight — all AI-generated code is provided for reference and requires human review before production use. Users maintain full control over whether to use, modify, or discard the generated output.
- Impact assessment — given that our AI system does not engage in high-risk use cases (profiling, consequential decisions, or processing of sensitive categories), a formal algorithmic impact assessment is not required under SB-2. However, we regularly evaluate our AI system's data handling practices to ensure compliance with all applicable privacy and AI regulations.
16. Data Processing Legal Basis
We process your personal data based on the following legal grounds under the GDPR and equivalent data protection legislation:
- Consent (Article 6(1)(a) GDPR) — when you create an account and agree to this Privacy Policy, you provide consent for us to process your personal data for account management and service delivery. You may withdraw your consent at any time by deleting your account, though this will affect our ability to provide the Service.
- Performance of Contract (Article 6(1)(b) GDPR) — processing of your personal data is necessary for the performance of our contract with you (the Terms of Service). This includes processing your Figma designs for code generation, managing your subscription plan and usage quotas, and delivering the generated output to you.
- Legitimate Interest (Article 6(1)(f) GDPR) — we process certain data based on our legitimate interests, provided these interests are not overridden by your rights and freedoms. Our legitimate interests include:
  - Security and abuse prevention — processing IP addresses, login attempts, and usage patterns to detect and prevent fraudulent or abusive use of the Service.
  - Service improvement — analyzing aggregated, anonymized usage data to improve the performance, reliability, and quality of the Service.
  - Usage quota enforcement — tracking generation counts per Figma account to prevent multi-account abuse and enforce fair usage limits.
- Legal Obligation (Article 6(1)(c) GDPR) — we may process and retain certain personal data as required by law, including:
  - Tax records — retaining transaction records as required by applicable tax laws and regulations.
  - Legal requests — responding to valid legal process, such as subpoenas, court orders, or regulatory inquiries.
  - Audit records — maintaining records of deleted accounts for abuse prevention as permitted by data protection authorities.
Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Where we rely on legitimate interests, you have the right to object (see Section 7).