Privacy Policy
Last updated: May 6, 2026
1. Introduction
This Privacy Policy explains how ColoRamp ("ColoRamp", "we", "us", or "our") collects, uses, and protects your personal information when you use our website, Figma plugins (Pigment Lab and Code Hub), and related services (collectively, the "Service").
We are committed to protecting your privacy and handling your data in compliance with the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
ColoRamp is the data controller responsible for the processing of your personal data. If you have any questions about how we handle your data, you can contact us at:
ColoRamp
Email: legal@coloramp.ch
3. Information We Collect
3.1 Account Information
When you sign in through Figma OAuth, we receive and store the following information from your Figma account:
- Full name
- Email address
- Profile picture (avatar URL)
- Figma user ID
3.2 Payment and Billing Information
When you subscribe to a paid plan, our payment processor Stripe collects and processes your payment information (such as credit card details and billing address). We do not store your payment card details on our servers. We store the following billing-related data:
- Stripe customer ID
- Subscription details (plan, status, billing period, cancellation status)
- Invoice records (amount, currency, status, invoice PDF link)
3.3 Automatically Collected Information
When you visit our website, we automatically collect limited technical information through essential cookies and storage (see Section 7).
With your consent, we use PostHog analytics to understand website usage and improve the Service. Analytics is optional and is not loaded unless you accept analytics cookies and storage.
3.4 Plugin Data
Our Figma plugins (Pigment Lab and Code Hub) operate primarily within Figma's environment. All plugin data — including color palettes, templates, settings, and design tokens — is stored locally in your Figma files using Figma's built-in plugin data storage. This plugin-created content is not stored on our servers. When you sign in, verify access, or use account-related features, the plugins may communicate with ColoRamp and Supabase services to exchange authentication sessions and check your subscription entitlements.
3.5 Email Communication Preferences
We store onboarding email communication preferences so we can honor unsubscribe requests for product onboarding emails. This includes the onboarding email category and the date/time when an unsubscribe request was applied.
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Name, email, avatar, Figma ID | Contract performance |
| Subscription management and billing | Stripe customer ID, subscription and invoice data | Contract performance |
| Plugin authentication and entitlement checks | Session code, verifier hash, Figma ID, authentication tokens, account and subscription status | Contract performance and legitimate interest |
| Optional website analytics | Page views, usage events, technical browser data, optional account identifiers | Consent |
| Customer support and communication | Name, email | Legitimate interest |
| Product onboarding emails | Email address, name (if available), account creation timestamp, onboarding email preference status, email delivery metadata | Legitimate interest |
| Service security and fraud prevention | Account data, technical data | Legitimate interest |
| Legal compliance | All relevant data | Legal obligation |
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only with the following third-party service providers, who process data on our behalf:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, plugin auth exchange, entitlement checks | Account data, subscription data, temporary plugin auth session data | Switzerland (Zurich) |
| Stripe | Payment processing | Payment and billing data | May involve transfers to the United States |
| Figma | Authentication (OAuth) | Name, email, avatar, Figma ID | USA |
| PostHog | Optional website analytics | Usage events, page views, technical browser data | Germany (EU) |
| Resend | Transactional and onboarding email delivery | Email address, email content, delivery and engagement metadata | United States (account data); EU sending region available |
| Vercel | Website hosting | Technical connection data | Global CDN |
We may also disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of ColoRamp, our users, or the public.
6. International Data Transfers
Your account data is primarily stored in Switzerland (Zurich) through our database provider Supabase. Our PostHog analytics setup is hosted in Germany (EU). For Resend, region selection controls where emails are dispatched from (for example, Ireland `eu-west-1`) but does not control where customer account data is stored. Resend states that account data (including email metadata, logs, and API records) is stored in the United States. Some other service providers (including Stripe, Figma, and Vercel) may also operate in the United States and other countries.
Stripe's legal terms state that providing payment services may require transfers of personal data to Stripe, LLC in the United States and to Stripe affiliates or sub-processors in other jurisdictions.
Where personal data is transferred outside of Switzerland or the EU/EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum where applicable, or reliance on recognized transfer frameworks and adequacy decisions.
7. Cookies and Local Storage
We use essential cookies that are strictly necessary for the Service to function. With your consent, we also use optional analytics cookies and local storage through PostHog to understand how the website is used.
| Cookie / Storage | Type | Set When | Duration | Purpose |
|---|---|---|---|---|
| Cookie Consent Preference | Strictly necessary | When you accept or reject analytics cookies | Until cleared by you | Stored in local storage to remember whether you accepted or rejected optional analytics. |
| PostHog Analytics | Optional analytics | Only after you accept analytics cookies and storage | Varies by PostHog setting | Helps us understand page views and product usage so we can improve the website and Service. |
| PostHog Identity Storage | Optional analytics | Only after you accept analytics cookies and sign in through a plugin flow | Up to 30 days or until cleared | Stores a Figma user identifier in local storage and a cookie so analytics events can be associated consistently after consent. |
| Supabase Auth | Strictly necessary | When you sign in to your account | Session | Stores your authentication session so you remain signed in while using the Service. |
| Supabase Auth (refresh) | Strictly necessary | When you sign in to your account | Up to 7 days | Refreshes your authentication session to keep you signed in across visits without requiring you to sign in again. |
| Currency Preference | Strictly necessary | When you first visit the website | 10 years | Stores your preferred currency (CHF or USD) so prices are displayed in the correct currency across visits. |
| Auth Redirect | Strictly necessary | When you start sign-in from a protected page | Up to 10 minutes | Stores the destination page so we can return you there after authentication. |
| Plugin Auth Code and Figma User ID | Strictly necessary | When you start sign-in from a Figma plugin | Up to 10 minutes | Temporarily connects the browser authentication callback with the plugin session that requested sign-in. |
Optional analytics is disabled by default and only starts after you accept it in the cookie banner. Strictly necessary cookies cannot be disabled without impairing the functionality of the Service.
8. Data Retention
We retain your personal data as follows:
- Account data — Retained for as long as your account is active. When you delete your account, we delete your Supabase account data and attempt to cancel and remove associated Stripe customer data, unless we are required to retain certain records for legal obligations.
- Billing and invoice data — Retained for the period required by applicable tax and accounting laws (typically 10 years under Swiss law).
- Plugin authentication sessions — Used only as a short-lived transport for sign-in and normally deleted after the plugin retrieves the session or after expiry.
- Plugin data — Stored locally in your Figma files and not on our servers. We have no control over this data.
9. Your Rights
Depending on your location, you have the following rights regarding your personal data:
Under Swiss Law (nDSG) and GDPR
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete personal data.
- Right to erasure — Request deletion of your personal data, subject to legal retention obligations.
- Right to data portability — Request a copy of your data in a structured, commonly used, machine-readable format.
- Right to restriction — Request that we limit the processing of your personal data under certain circumstances.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
For California Residents (CCPA/CPRA)
- Right to know — Request information about the categories and specific pieces of personal information we have collected.
- Right to delete — Request deletion of your personal information.
- Right to opt-out — We do not sell or share your personal information for targeted advertising.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, please contact us at legal@coloramp.ch. We will respond to your request within 30 days.
You can also unsubscribe from onboarding emails at any time by using the unsubscribe link included in those emails. This does not affect essential account, security, or billing communications.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls, and secure infrastructure provided by our hosting and database providers.
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
11. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a child, please contact us at legal@coloramp.ch.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the Service or via email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
ColoRamp
Email: legal@coloramp.ch
If you are located in the EU/EEA and believe that your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC).