Privacy Policy

Last updated: March 2, 2026

What This Plugin Does

Docs to Design converts Word documents (.docx) into professionally formatted design layouts. Your documents are processed entirely on your device. File contents are never uploaded to our servers.

Account & Authentication

To use Docs to Design, you activate your account with an email address. We send a one-time verification code (OTP) to confirm your email. This is the only personal data we collect.

Data We Collect

Data	Where Stored	Purpose	Legal Basis (GDPR)
Email address	Supabase (encrypted)	Account activation, usage tracking	Contractual necessity (Art. 6(1)(b))
Import count	Supabase	Enforce free tier limits	Contractual necessity
Platform type	Supabase	Analytics (Figma vs InDesign)	Legitimate interest (Art. 6(1)(f))
Figma user ID	Local (clientStorage)	Link session to account	Contractual necessity
Auth tokens	Local (clientStorage)	Maintain login session	Contractual necessity
Logo image	Local (localStorage)	Persist uploaded logo	Contractual necessity
Marketing consent	Supabase	Product updates (opt-in)	Explicit consent (Art. 6(1)(a))

Data We Do NOT Collect

• We do not transmit your document contents to any server
• We do not collect your name, company, or payment information (payments handled by LemonSqueezy)
• We do not use tracking pixels or third-party telemetry
• We do not access files outside the current document
• We do not sell or share your personal information with third parties

Website Analytics

The docstodesign.com website uses Google Analytics (GA4) to understand how visitors find and use the site. This tracking only activates after you consent via the cookie banner. GA4 collects anonymized usage data (pages viewed, referral source, device type). It does not collect personal information. You can opt out at any time by declining cookies or using a browser ad blocker.

Data Processor

Your account data is stored on Supabase (supabase.com), which provides:

• Encryption at rest: AES-256 for all database data
• Encryption in transit: TLS 1.3 for all API calls
• SOC 2 Type II certified
• GDPR compliant

Your Rights (GDPR & CCPA)

Right to Access

You can view your account data in the plugin's Settings panel. For a full data export, contact us.

Right to Delete

You can delete your account from the plugin's Settings panel. This permanently removes your email, usage history, and authentication tokens. Deletion is immediate and irreversible.

Right to Rectification

Contact us to correct any inaccurate data.

Right to Data Portability

Request a machine-readable export of your data by emailing us.

Do Not Sell (CCPA)

We do not sell your personal information. We have no advertising partners and do not share data for commercial purposes.

Data Retention

Data	Retention
Account record	Until you delete your account
Usage logs	12 months, then automatically purged
Auth tokens (local)	Until you sign out or uninstall
Logo data (local)	Until you clear browser data or uninstall

OTP Security

• 6-digit numeric codes, valid for 10 minutes
• Rate limited: 3 requests per email per hour
• Account locked after 5 failed attempts (15-minute cooldown)

How to Clear Your Data

• Account & usage: Settings > Delete Account (or contact us)
• Auth tokens: Settings > Sign Out
• Logo data: Clear your browser's localStorage
• All local data: Uninstall the plugin

Children's Privacy

Docs to Design is not directed at children under 16. We do not knowingly collect data from children.

Changes to This Policy

We may update this policy as features evolve. Updates will be noted with a revised "Last updated" date. Material changes will be communicated through the plugin's update notes.

Contact

For privacy questions or data requests:

MZM Labs Inc.