Privacy Policy

Inkbridge is currently a free, non-commercial project operated by an individual. This policy explains what personal data is processed when you use the website at inkbridge.ink, the Inkbridge Figma plugin, and any related services (the “Service”), and how your rights under the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR) are protected.

1. Who is responsible

The Service is operated by Johannes Leonhard as an individual based in Switzerland (“I”, “me”). I act as the data controller within the meaning of the revFADP and the GDPR. You can reach me at support@inkbridge.ink for any privacy-related question or request.

2. Data I process and why

Account data

If you create or use an account, I process your email address, a hashed password, and authentication metadata (sign-in timestamps, session identifiers). The purpose is to provide the Service and authenticate your sessions. The legal basis is performance of a contract (Art. 31(2)(a) revFADP / Art. 6(1)(b) GDPR).

Waitlist sign-ups

If you join the Pro waitlist, I process the email address you submit, the page you submitted from, and the time of submission. The purpose is to confirm your sign-up and to notify you if and when Pro features become available. The legal basis is your consent (Art. 31(1) revFADP / Art. 6(1)(a) GDPR). You can withdraw consent at any time by emailing me or using the unsubscribe link in any email I send.

Server logs

Both the hosting provider and the Cloudflare edge proxy record technical request logs (IP address, user agent, request path, timestamp, response status). These logs are used to operate the Service securely, debug issues, and detect abuse. The legal basis is legitimate interest (Art. 31(1) revFADP / Art. 6(1)(f) GDPR) in operating a secure and reliable service.

Figma plugin

The Inkbridge Figma plugin scans your local Storybook and project files on your own machine. The scan results are exchanged between the plugin and your local development server only — they are not transmitted to my servers as part of normal use. When you authenticate to optional features (for example, GitHub PR integration), the access tokens you provide are processed solely to perform the action you requested.

Cookies

Only strictly necessary cookies are set:

• An authentication/session cookie set by Supabase when you sign in.
• A small theme-preference cookie set when you switch themes.
• Cloudflare bot-management cookies (__cf_bm, and where applicable _cfuvid / cf_clearance) used to distinguish humans from automated traffic and protect the Service from abuse. These are short-lived and do not track you across other sites.

No advertising cookies are used. The Service uses Umami for privacy- friendly usage analytics, which operates without cookies, without cross-site tracking, and without collecting any personal data — so no consent banner is required. If a tool that uses identifying cookies is ever added, your consent will be requested first.

3. Sub-processors

A small number of trusted vendors help operate the Service. Each of them processes personal data only on my instructions and under a data processing agreement.

• Supabase — authentication and database hosting. Privacy policy.
• Resend — transactional and waitlist email delivery. Privacy policy.
• Google Cloud (Cloud Run) — application hosting in the United States (us-central1) and infrastructure logs. Privacy notice.
• Cloudflare — domain management (DNS) and edge proxy / bot protection in front of the application. Cloudflare processes request metadata and IP addresses at its global edge network and sets short-lived bot-management cookies (see Cookies above). Privacy policy.
• Figma — distribution channel for the Inkbridge plugin. Your interactions inside Figma are governed by Figma’s own privacy policy. Privacy policy.
• Umami — privacy-friendly, cookieless usage analytics. Umami does not set cookies, does not use cross-site identifiers, anonymizes IP addresses, and collects only aggregate page-view and event data. No personal data is stored. Privacy policy.

4. International transfers

Some sub-processors are located outside Switzerland, primarily in the United States. Personal data transferred to the United States is protected by the Swiss–US Data Privacy Framework (in force since 15 September 2024) and, where applicable, the EU–US Data Privacy Framework, supplemented by the Standard Contractual Clauses (SCCs) offered by the respective sub-processors.

5. How long data is kept

• Account data: for as long as your account exists. When you delete your account, the associated personal data is deleted without undue delay.
• Waitlist sign-ups: until you unsubscribe or for up to 24 months after your last interaction, whichever comes first.
• Server logs: retained for up to 30 days, then automatically purged.

6. Your rights

Under the revFADP and the GDPR you have the following rights:

• Right of access — request a copy of the personal data held about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion of your data. You can also delete your account directly from your account settings.
• Right to restrict or object to processing.
• Right to data portability — receive your data in a machine-readable format.
• Right to withdraw consent at any time, where processing is based on consent.
• Right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (EDÖB / FDPIC) or, if you are in the EU/EEA, with your local data protection authority.

To exercise any of these rights, email support@inkbridge.ink. I aim to respond within 30 days.

7. Security

Encryption in transit (TLS), at-rest encryption provided by sub-processors, hashed password storage, and least-privilege access controls are in use. No system is perfectly secure, so please use a unique, strong password for your account.

8. Children

The Service is not directed to children under 16, and personal data from them is not knowingly collected. If you believe a child has provided personal data, please contact me so it can be deleted.

9. Changes to this policy

This policy may be updated from time to time. Material changes will be reflected in the effective date above and, where appropriate, notified by email or in the application.

10. Contact

Questions or requests: support@inkbridge.ink.