1. Controller and Scope
The controller for data processing in connection with TokenLab is Minddraft AG, Säntisstrasse 12, 6345 Neuheim, Switzerland.
This Privacy Policy applies to the use of TokenLab, in particular the web application, plugins, CLI features, APIs, AI features, exports, integrations, and the related communication with our team.
2. What Data We Process
We process the data you provide directly or that arises through your use of TokenLab. This includes account data such as email address, profile information, workspace and member data, avatars, content within workspaces, design tokens, styles, documentation, prompts, exports, and integration data.
In addition, we process technical usage data such as log data, error data, device and browser information, security events, and billing-related reference data.
3. What We Use Data For
We use personal data and workspace data to provide TokenLab, manage accounts, store workspaces and content, execute features, provide support, ensure security, and technically advance the product.
In addition, we use data, where necessary, for billing, abuse prevention, error analysis, account-related communication, and the lawful execution of our services.
4. Supabase, Authentication, and Storage
For authentication, profile and application data, and certain storage and infrastructure tasks we use Supabase. This may involve processing of login data, session information, verification data, profile information, workspace data, and stored content.
When you register or log in, we process the data necessary to enable your access, set up your profile, and operate the service securely.
5. Payments and Stripe
For paid plans, subscriptions, and the purchase of AI Credits we use external payment providers, in particular Stripe. Payment data is processed directly by Stripe.
We do not store full card data ourselves but may process billing-related information such as customer and subscription references, invoice status, payment status, transaction identifiers, and similar metadata where required for billing, accounting, and support.
6. AI Features and AI Providers
When you use AI features in TokenLab, inputs, prompts, configuration data, and generated outputs may be transmitted to and processed by the respective AI provider as required to execute the function.
Which data is involved depends on the specific feature used, the chosen model, and the integration. You should not enter sensitive content into AI features if you do not want it to be transmitted to the relevant provider for execution.
7. Integrations, Exports, and Third Parties
TokenLab may transmit data to third parties and external services where this is required for features you use. This includes Figma, export targets, AI providers, future integrations, and technical sub-processors.
Such transmissions occur only insofar as they are required to provide or execute the service. Processing by third parties is additionally subject to their own terms and privacy policies.
8. Communication, Logs, and Security
We send only service-related communications, for example regarding registration, security, billing, material product changes, or support requests. We do not use your data for advertising networks and do not sell personal data.
For the security and stability of TokenLab, we process log data, error reports, security-relevant events, and technical diagnostic data. This data helps us detect abuse, fix issues, and reliably operate the service.
For error tracking we use Sentry (operated by Functional Software Inc., processed in the EU region). Sentry receives only anonymised crash reports and stack traces from the TokenLab web application, the API server, and the Figma plugin. We have configured Sentry to omit IP addresses and user identifiers, and we do not enable Session Replay or Performance Tracing. Sentry sets no cookies on your device. The legal basis is our legitimate interest in operating a stable and secure service (Art. 6(1)(f) GDPR).
9. Sharing, Retention, and International Use
We share data only where required to provide the service, with service providers we have engaged, to fulfill legal obligations, or to enforce legitimate claims.
TokenLab can be used worldwide. Depending on the infrastructure used, the AI feature, or the integration, processing may also take place outside Switzerland or the European Economic Area. We take care to apply appropriate safeguards where required.
We retain data only as long as required for the respective purposes, legal obligations, or legitimate operational requirements.
10. Your Rights and Changes to This Privacy Policy
You can contact us at any time at privacy@tokenlab.design if you have questions about the processing of your data or wish to request access, correction, or deletion within the legally provided framework.
We may amend this Privacy Policy for the future if the service, the legal situation, or our data processing changes. Material changes will be communicated in an appropriate form. The current version is published on this page.