TrueUI Privacy Policy
Effective date: 06-27-2026
Last updated: 06-27-2026
This Privacy Policy explains how the TrueUI plugin for Figma (“TrueUI”, “we”, “us”) handles information. TrueUI is a Figma Community plugin created and maintained by Tomer Gilat. It is currently in beta.
Please read this together with Figma’s own terms and privacy policy, and with the terms of the AI provider you choose to use. If you do not agree with this policy, do not use TrueUI.
Summary
- TrueUI runs entirely inside Figma. It has no backend server of its own.
- You bring your own AI provider key (Anthropic Claude or OpenAI). TrueUI uses that key to talk to the provider you select.
- When you run TrueUI, it sends your prompt, your mapped design system inventory, and any reference attachment you provide to the provider you selected, so the provider can return instructions that TrueUI applies inside your Figma file.
- Your API key, your mappings, your settings, and your run history are stored locally on your device in Figma client storage. They are not sent to any server controlled by TrueUI.
- TrueUI does not collect, store, or transmit your prompts, designs, file contents, or identity to any server controlled by TrueUI. TrueUI runs no analytics and does not sell your data.
- The only network destinations TrueUI can reach are the AI provider APIs you select (Anthropic and OpenAI) and Figma. This is enforced by the plugin’s declared network access.
How TrueUI works
TrueUI is a “bring your own key” (BYOK) tool. You supply your own API key for Anthropic Claude or OpenAI. TrueUI sends your request directly from the Figma plugin environment to that provider, and applies the returned result to your selected Figma frame using the standard Figma plugin APIs.
TrueUI does not operate its own servers, databases, or accounts. There is no TrueUI login, and no TrueUI-owned service sits between you and your AI provider.
Information processed when you run TrueUI
When you generate, fix, style, or analyze a design, TrueUI may send the following to the AI provider you selected:
- Your written prompt and run instructions.
- Your mapped design system inventory, including component names, component IDs, mapped roles, and variable names. In a connected workspace, this can include component metadata from the other files in that workspace.
- Reference attachments you intentionally provide, such as screenshots, mockup images, or HTML references.
- Technical context needed to place the result into the selected Figma frame.
This information is sent only so the provider can return generation instructions that TrueUI can apply inside your file. You decide what to include in each run. If you do not want a particular prompt, attachment, or piece of content sent to the provider, do not include it in the run.
AI providers (third parties)
TrueUI works with the following AI providers, which act as independent third parties:
- Anthropic (Claude): https://www.anthropic.com/legal/privacy
- OpenAI: https://openai.com/policies/privacy-policy
When you run TrueUI, the data described above is transmitted to the provider you selected and is then handled under that provider’s own privacy policy, data use terms, and retention practices. We do not control how the provider processes, retains, or uses that data. Please review the provider’s terms before sending sensitive or confidential material, and use the account type and settings that match your needs.
You are responsible for ensuring you have the right to send the content of your Figma file to your chosen provider, especially if it contains another party’s confidential or personal information.
Your API keys
TrueUI uses your own Anthropic Claude or OpenAI API key. Your key is stored locally in Figma client storage (figma.clientStorage) on your device, and is sent only to the provider you select, as part of the request that authenticates you to that provider.
Your key is never sent to TrueUI, and TrueUI never stores your key on any server.
Security tips:
- Do not paste personal or production provider keys while screen sharing.
- Remove keys from shared or temporary machines when you no longer need them.
- You can remove or replace your key at any time from the TrueUI Settings tab.
Figma file access
TrueUI reads the current Figma file structure so it can index components, variables, styles, the selected frame, and your mapped design system roles. It writes generated output into the selected frame using the standard Figma plugin APIs.
TrueUI does not import external code, dynamically load remote scripts, or execute arbitrary code from outside the plugin package.
Data stored locally on your device
TrueUI saves the following in Figma client storage (figma.clientStorage) on your device, so the plugin remembers your setup between sessions:
- Your API key.
- Your component mappings, variant defaults, multi blocks, and custom groups.
- Your style and project settings, including workspace and project configuration.
- Your run history and run reports.
This data stays on your device and within Figma’s storage for the plugin. It is not transmitted to any TrueUI server. You can clear it by removing your key and mappings in the plugin, or by uninstalling the plugin.
Workspaces and connected files
TrueUI keeps mappings per Figma file. You can connect files that share a design system into a workspace so they use one combined component index. When you generate inside a workspace, component metadata from the connected files can be part of the inventory sent to your AI provider, as described in “Information processed when you run TrueUI.” Workspace and project configuration is stored locally on your device.
What TrueUI does not do
- TrueUI does not collect or store your prompts on a TrueUI server.
- TrueUI does not collect or store your Figma designs or file contents on a TrueUI server.
- TrueUI does not collect or store your identity on a TrueUI server.
- TrueUI does not run third-party analytics, tracking, or advertising.
- TrueUI does not sell or rent your data.
- TrueUI does not route your prompts or designs through any TrueUI-owned server.
Network access
The TrueUI plugin manifest declares the only domains it is permitted to reach:
- https://api.anthropic.com
- https://api.openai.com
Figma enforces this list at runtime, so the plugin cannot send your data to any other network destination. TrueUI also communicates with Figma itself, which is the platform the plugin runs in. The declared network access is visible on the TrueUI page in the Figma Community.
Data retention
- TrueUI keeps no server-side copy of your data, because TrueUI has no server.
- Data stored locally on your device persists until you remove it in the plugin or uninstall the plugin.
- Data you send to an AI provider is retained and deleted according to that provider’s policies, not TrueUI’s.
Your privacy rights
Because TrueUI does not hold your personal data on any server, there is no TrueUI-side database from which to export or delete your information. Local data is under your control on your device, and any data you sent to an AI provider is subject to that provider’s controls and your rights with that provider.
Depending on where you live, you may have rights under laws such as the EU and UK GDPR or the California Consumer Privacy Act (CCPA/CPRA), including rights to access, correct, or delete personal data, and the right not to have personal data sold (TrueUI does not sell data). To exercise rights over data processed by an AI provider, contact that provider directly. For any questions about TrueUI itself, use the contact details at the end of this policy.
International data transfers
When you send a request to an AI provider, your data may be processed on servers located in countries other than your own, according to that provider’s infrastructure and terms. Review your provider’s policy for details on where and how it processes data.
Children’s privacy
TrueUI is a professional design tool and is not directed to children. It is not intended for use by anyone under the age required to hold an account with Figma or with the AI provider you select. Do not use TrueUI if you do not meet those age requirements.
Security
TrueUI is designed to minimize exposure: it has no backend, stores your key and settings locally in Figma client storage, communicates with providers over encrypted HTTPS connections, and limits its network access to the declared provider domains. No method of transmission or storage is completely secure, so you remain responsible for safeguarding your API keys and for deciding what content to send to your provider.
Third-party links
This policy and the plugin may link to third-party sites and services, such as the AI providers and Figma. We are not responsible for the content or privacy practices of those third parties. Their terms and policies govern your use of their services.
Beta status
TrueUI is currently a beta product. Behavior, provider support, model routing, attachment handling, and documentation may change as the plugin evolves. We will update this policy when the data flow changes in a meaningful way, and the effective date above will reflect the latest version.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected here with a new effective date. Significant updates to the plugin’s functionality may also be subject to re-review by Figma.
Contact
TrueUI is built and maintained by Tomer Gilat. For privacy questions, support, or corrections to this policy, contact:
Email: tomm.gi@gmail.com
You can also find the latest contact details at https://trueui.app.
