HewnFrame — Privacy Policy
Hewnpath ("we", "us") respects your privacy. This policy explains what data the HewnFrame plugin and api.hewnframe.com service ("Service") collect, why, and what rights you have under GDPR and equivalent laws.
1. What we collect
From your Figma client (the plugin)
- License key you paste in Settings (Pro only).
- Device identifier — a SHA-256 hash of your Figma user id combined with a per-install random nonce. We never see the raw Figma user id.
- Audit metadata — categories selected, frame count, duration in milliseconds. Used for free-tier rate limiting and aggregate analytics.
- User agent string, set to figma-plugin.
From Polar (our merchant of record)
When you purchase Pro:
- License key (generated by Polar, prefixed HFR-)
- Email address (the one you use at checkout)
- Polar subscription id, customer id, benefit grant id
- Subscription status (active / cancelled / expired / refunded)
2. What we never collect
- File content, node names, node ids, file ids
- Page names or thumbnails
- Team or organization identifiers
- Image bytes
- Real IP address (logged only in short-form rate-limit counters, no persistent retention)
3. Why we collect it
- License key + device id: to enforce the three-device activation limit and to detect abuse.
- Audit metadata: to count free-tier audits against the monthly cap, and to learn which checks are most-used (in aggregate, never per-user).
- Email: to send license activation, renewal reminders, and material changes to this policy.
4. Lawful basis (GDPR Art. 6)
- License + activation tracking: necessary for performance of the contract (Art. 6(1)(b)).
- Aggregate analytics: legitimate interest in product quality (Art. 6(1)(f)). You can opt out in Settings.
5. Storage and retention
- License records: lifetime of your subscription + 30 days after cancellation, then deleted.
- Device activations: while your license is active.
- Audit metadata: 90 days rolling, then deleted.
- Webhook events (for idempotency): 12 months, then deleted.
Storage: Cloudflare D1, region EEUR (Milan).
6. Third parties
- Cloudflare — infrastructure provider. Privacy policy
- Polar Software, Inc. — merchant of record, payment and tax. Privacy policy
- Bunny.net — serves the Inter font on marketing pages only. Privacy policy
We do not sell, rent, or share your data with any other third party.
7. Your rights (GDPR)
You can at any time:
- Access — copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your account and associated records
- Portability — machine-readable export
- Objection — opt out of aggregate analytics in Settings
- Lodge a complaint with your national data protection authority
Email [email protected] with the subject "GDPR request" for rights 1-5. We respond within 30 days.
8. Children
The Service is not intended for users under 16. Contact [email protected] if you believe a child has provided data.
9. Changes
Material changes will be announced in-plugin and via your Polar customer email at least 30 days before they take effect.
10. Contact
Hewnpath
Email: [email protected]
Country: Italy