What we collect, what we don't, and why.

UISqueezy is a workspace where teams manage design tokens. To run that workspace we collect the least amount of data we can get away with — your email, your tokens, and a few logs to keep the lights on.

We never sell your data. We don't train AI models on your tokens. We host on EU-region servers and you can export or delete everything in two clicks. The full text below is for the lawyers.

Three buckets, nothing more.

• Account data — name, email, password (hashed with Argon2), workspace and project names, billing address.
• Workspace content — your design tokens, version history, comments, and any files you upload. This is yours; we hold it in trust.
• Operational data — IP addresses, browser type, request timing, error traces. Held for 30 days, then deleted.

• To provide the service — render your tokens, sync them to Figma, run exports.
• To secure accounts — detect brute-force attempts, flag suspicious sign-ins, hash and rotate credentials.
• To send necessary email — billing receipts, security alerts, password resets. We email you about new features only if you opt in.
• To improve the product — aggregated, de-identified usage metrics. Your individual token data is never part of this.

A short list, all bound by data-processing agreements:

• Stripe — payment processing. We never see your card number.
• Postmark — transactional email delivery.
• AWS Frankfurt (eu-central-1) — primary hosting and backups.
• Sentry — error monitoring (no token contents are sent — only stack traces).

We do not share with advertisers, data brokers, or AI training companies. Period.

Wherever you live, you have the right to access, correct, export, and delete your data. From Workspace Settings → Privacy you can:

• Download a full .json export of your tokens, projects, and account.
• Delete your account and trigger a 90-day archival window (after which we hard-delete).
• Request a copy of every operational log we hold tied to your account.

EU/UK residents have GDPR rights; California residents have CCPA rights; both flow through the same controls. Email privacy@uisqueezy.com if you'd rather we handle it manually.

• Account data — for the life of your account, plus 90 days after deletion.
• Tokens & projects — same window. Exports stay valid forever once downloaded.
• Operational logs — 30 days, automatically purged.
• Billing records — 7 years, because tax authorities ask.

Tokens at rest are encrypted with AES-256. Passwords are hashed with Argon2id. All traffic is TLS 1.3. We run continuous vulnerability scans and a quarterly external pen-test. Our SOC 2 Type II report is available under NDA — ask sales.

We update this page when something material changes — new sub-processor, new region, new right. Workspace owners get an email 30 days before any change takes effect. The full revision history lives at /legal/changelog.

Privacy questions, data requests, or just curiosity — write to our DPO at privacy@uisqueezy.com. We aim to reply within two business days.