audit report
Figma
Figma's privacy policy comprehensively discloses collection of PII, automatic technical data, and tracking technologies, with named third parties (Google Analytics, Stripe, Statsig, Arkose Labs, reCAPTCHA, etc.) that largely match observed domains. The policy explicitly acknowledges "sale" and "sharing" of data for cross-context behavioral advertising under CCPA and provides opt-out mechanisms. However, no cookies were actually detected in the live page load, which conflicts with the policy's claims about cookies, pixel tags, and local storage being set to collect information. The observed tech stack includes error tracking (Datadog, Sentry), feature flags (Statsig, others), and a content API (Sanity), all of which are either insufficiently explained or not mentioned in the policy's named third-party list.
claim vs. reality
“When you create a Figma account, we collect the personal information you provide to us, such as your name, email address, personal website, and picture.”
observed · html
findings
- warn · Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Twitter/X, Gravatar.
how we detected this → Twitter/X, Gravatar
- warn · Cookie collection claims not observable in page load
The privacy policy states Figma uses 'cookies, pixel tags, local storage, and other technologies to automatically collect information,' but the live page load shows zero cookies set. This suggests either that cookies are set only after login/interaction, or that the cookie disclosure is aspirational rather than reflective of current landing-page behavior.
how we detected this → Policy quote: 'We, as well as third parties that may provide content, advertising, or other functionality on or in connection with the Services, may use cookies, pixel tags, local storage, and other technologies to automatically collect information'. Observation: cookies_set = []
- note · Twitter/X loaded (social)
Observed 3 time(s) on the page.
how we detected this → CSP: https://platform.twitter.com/js/; CSP: https://platform.twitter.com/widgets.js; CSP: https://platform.twitter.com
- note · Gravatar loaded (social)
Observed 1 time(s) on the page.
how we detected this → CSP: https://www.gravatar.com
- note · Undisclosed third-party vendors in tech stack
Sanity.io (102 hits, CMS/API), Datadog RUM, Sentry, and feature-flag services (Statsig, featureassets.org, featuregates.org) are loaded but, apart from Statsig, are not mentioned in the named third-party list. The unnamed services are material infrastructure and should be explicitly listed for transparency.
how we detected this → Observed third parties: sanity.io (102 hits), datadoghq.com, sentry.io, featureassets.org, featuregates.org, prodregistryv2.org. Named in policy: Google Analytics, Stripe, Statsig, Arkose Labs, Akismet, Shopify, reCAPTCHA, Zendesk, app store operators
- note · Content hosting and social embeds lack attribution clarity
YouTube, Twitter, Vimeo, and Gravatar are likely embedded or linked on the observed page, but the policy doesn't explicitly state that user activity on these embeds may be tracked by those vendors. The 'inline_patterns' show Stripe and Datadog RUM are referenced, but the Datadog RUM integration (for session replay and analytics) is not addressed in the policy at all.
how we detected this → Observed: youtube.com (3 hits), twitter.com (3 hits), vimeo.com (3 hits), gravatar.com (1 hit), inline pattern for 'Datadog RUM'. Policy does not explicitly disclose Datadog RUM usage for session replay or error tracking
- info · Payment processor Stripe is disclosed but downstream data handling is generic
Stripe is both named in the policy and observed in the tech stack, but the policy does not specify what data is shared with Stripe beyond the generic 'payment and transaction processing' language, nor does it address Stripe's own data practices or PCI scope.
how we detected this → Named third party: Stripe. Observed: stripe.com (1 hit), inline pattern 'Stripe'. Policy: 'payment and transaction processing' with no detail on PCI, card data handling, or Stripe's privacy terms
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Gravatar | gravatar.com | social | 1 | not named |
| Twitter/X | twitter.com | social | 3 | not named |
| Adora | adora-cdn.com | cdn | 1 | not named |
| Data URI | data:image | other | 35 | not named |
| Datadog | datadoghq.com | error_tracking | 1 | not named |
| Feature Assets | featureassets.org | feature_flags | 1 | not named |
| Feature Gates | featuregates.org | feature_flags | 1 | not named |
| Google | google.com | other | 5 | not named |
| Google APIs | googleapis.com | api | 1 | not named |
| Google Static | gstatic.com | cdn | 1 | not named |
| Greenhouse | greenhouse.io | other | 1 | not named |
| Product Registry | prodregistryv2.org | api | 1 | not named |
| Sanity | sanity.io | api | 102 | not named |
| Sentry | sentry.io | error_tracking | 1 | not named |
| Statsig | statsigapi.net | feature_flags | 2 | named |
| Stripe | stripe.com | payments | 1 | named |
| Vercel | vercel.app | hosting | 1 | not named |
| Vimeo | vimeo.com | video | 3 | not named |
| Vimeo | vimeocdn.com | cdn | 1 | not named |
| WordPress.com | wp.com | hosting | 4 | not named |
| YouTube | youtube.com | video | 3 | not named |
| YouTube thumbnails | ytimg.com | cdn | 1 | not named |
policy claims
source · https://www.figma.com/legal/privacy/
- collects pii · yes
- shares 3p · yes
- sells data · yes
- cookies · yes
- analytics · yes
- advertising · yes
named third parties (11)
Google Analytics, Stripe, Apple App Store, Google Play App Store, Amazon App Store, Zendesk, Statsig, Arkose Labs, Akismet, Shopify, reCAPTCHA
retention
Figma stores personal information for as long as you use the Services or as necessary to fulfill collection purposes, provide Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce agreements, and comply with applicable laws. When no ongoing legitimate business need exists, they delete or anonymize information, or if not possible, securely store and isolate it until deletion is possible.
user rights
Users can request access to, correction, amendment, deletion, or portability of their personal information. Users can restrict or object to processing, withdraw consent, and opt out of marketing communications. Users can also opt out of cookies and interest-based advertising, including the "sale" or "sharing" of data for cross-context behavioral advertising (California residents).
response headers
- hsts · yes
- csp · yes
- server · —
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://figma.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://figma.com
provenance
This audit was generated by running stackpeek against https://figma.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.