Privacy Policy
Last updated: 13 May 2026 · Effective: 13 May 2026 · Version 2026-05-13.
Mistri AI ("we", "us") respects your privacy. This Privacy Policy explains what personal data we collect when you use the Mistri Figma plugin and the website at mistri.ai (together, the "Service"), how we use it, with whom we share it, and the choices you have. It is written for compliance with the Digital Personal Data Protection Act, 2023 ("DPDP") and its 2025 Rules, the EU General Data Protection Regulation ("GDPR") and the United Kingdom GDPR, the California Consumer Privacy Act as amended ("CCPA"), Brazil's LGPD, and the Information Technology Act, 2000 with the Reasonable Security Practices Rules, 2011.
1. Data Fiduciary and Grievance Officer
Mistri AI is the Data Fiduciary (DPDP) and Controller (GDPR) for personal data processed through the Service.
Office: Bengaluru, Karnataka, India.
Data Protection and DSAR contact: support@mistri.ai.
Grievance Officer (DPDP §10): the Founder, Mistri AI, reachable at the same address.
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity | Figma user id, name, email (on sign-in), Google sub claim | You · Figma OAuth · Google OAuth |
| Account | Plan tier, credit balance, preferences, theme, returning-user flag | Service usage |
| Generation data | Prompts, mode, tier, output design, timestamps | You |
| Billing | Network token, last 4 of card, billing email, tax identifier (if provided), invoice metadata | Payment processor (tokenised) |
| Technical | IP address (truncated to /24 v4 or /48 v6 in audit logs), device type, plugin version, error logs, hashed user-agent | Automatic |
3. How We Use It
- Provide the Service: render generations, maintain history, enforce credits.
- Billing and tax: process subscriptions, issue invoices, satisfy statutory record-keeping.
- Communications: service notifications, transactional email, support replies.
- Security and abuse prevention: fraud detection, anti-abuse fingerprints, audit logs (see §7).
- Improvement: aggregate analytics. We do not use prompts or outputs for AI training.
4. Legal Basis
- DPDP §6: consent for processing your personal data for service delivery.
- GDPR Art 6(1)(b): performance of our contract with you.
- GDPR Art 6(1)(c): legal obligation for invoices, AML, tax records, and audit logs.
- GDPR Art 6(1)(f): legitimate interest for the anti-abuse fingerprint described in §7, balanced against the rights of the data subject (DPIA on file).
5. Sharing
We share personal data with the following categories of recipients on a need-to-know basis:
- Large-language-model providers, to fulfil generation requests. Prompts are transient and, under our contracts, are not used for model training.
- A Reserve-Bank-of-India-authorised payment processor, to authorise and settle subscription and top-up charges, under PCI-DSS Level 1 controls. Full card numbers, CVV, expiry, OTP, UPI PIN, and net-banking credentials are entered on the processor's hosted page and never reach our servers. We receive only a network token, the last four digits of the instrument, and the transaction metadata required for ledger and tax purposes.
- Cloud infrastructure providers, for managed database, identity, file storage, edge compute, and content delivery.
- Email service provider, for transactional and security email under EU Standard Contractual Clauses where applicable.
- Tax and statutory authorities, where required by Indian law (income tax, GST).
We do not sell personal data. The current list of named sub-processors is available on request from support@mistri.ai and is updated whenever a sub-processor changes.
6. International Transfers
Where personal data is transferred outside India, we rely on contractual safeguards equivalent to those required under the DPDP. EU-resident user data is processed in the EU. Payment data is held within India by the payment processor. Transactional email is processed under EU Standard Contractual Clauses for EU-to-non-EU transfers where applicable.
7. Anti-Abuse Fingerprints (Legitimate Interest)
When you delete your account, we retain a one-way hash of your email address, OAuth subject identifier, and (if available) Figma user id for 24 months. These hashes cannot be reversed to your original identifiers, but they let us detect when the same person re-signs up shortly after a deletion and continue to enforce our anti-abuse rules (for example, suppressing fresh trial credits for someone who paid before, deleted, and immediately re-joined within the past 12 months).
Legal basis: GDPR Art 6(1)(f) legitimate interest. A Data Protection Impact Assessment ("DPIA") is on file. If you believe this fingerprinting harms your specific rights and freedoms, you may object under GDPR Art 21 by writing to support@mistri.ai. We will weigh your objection on a case-by-case basis and respond within 30 days.
8. Retention
| Category | Window | Why |
|---|---|---|
| Account profile, sessions, generation history, design systems, artifacts | Deleted within 30 days of your request (immediately on admin-purge) | GDPR Art 17, DPDP §12, CCPA §1798.105 |
| Anti-abuse fingerprint (hashed) | 24 months from deletion | Legitimate interest, see §7 |
| Lifecycle audit log (hashed) | 7 years | Companies Act 2013 §128, AML evidence, GDPR proof-of-compliance |
| Tax invoices & GST records | 8 years | Companies Act 2013 §128, CGST Act §35 |
| Payment ledger (held by the payment processor, pseudonymised) | 5 years from last activity | Prevention of Money Laundering Act §12 |
| Chargeback evidence (held by the payment processor) | 540 days from transaction | Card network rules (Visa and Mastercard) |
| Backup snapshots | 7 days | Disaster recovery. Never used for any other purpose. See §9. |
9. Backup Residue
Our hosting provider retains daily encrypted backups for up to 7 days for disaster-recovery purposes. After you delete your account, your data may continue to exist in these encrypted backups for up to 7 days. Access is restricted to incident-response use and the backups are never queried for any other purpose. Backups are then irreversibly purged on the rolling schedule.
10. Your Rights
You have the right to:
- Access, request a copy of the personal data we hold about you. (DPDP §11; GDPR Art 15; CCPA §1798.110.)
- Rectification, correct inaccurate or outdated data. (GDPR Art 16.)
- Erasure, delete your account and have your personal data removed, subject to statutory carve-outs in §8. (GDPR Art 17; DPDP §12; CCPA §1798.105; UK GDPR Art 17; LGPD Art 18.)
- Portability, receive your data in a structured machine-readable format (JSON). (GDPR Art 20.)
- Object to processing carried out on legitimate-interest grounds, including the anti-abuse fingerprint described in §7. (GDPR Art 21.)
- Restrict processing, ask us to pause processing of your data while accuracy is contested, while an objection under Art 21 is pending resolution, or where we no longer need the data but you require it for a legal claim. In practice for Mistri, the 30-day grace window after a delete request operates as the practical realisation of this right. (GDPR Art 18.)
- Withdraw consent at any time, without affecting prior lawful processing. (DPDP §6(4); GDPR Art 7(3).)
11. How to Exercise These Rights
Two methods, equivalent in effect:
- In-product, sign in at mistri.ai/dashboard and use the "Delete account" surface. You will receive an email confirmation; you may cancel within 30 days from a link in that email or from the dashboard.
- By email, write to support@mistri.ai with the subject "Data subject request" and your registered email address.
Operational SLA: 30 days from receipt for action, consistent with GDPR Art 12(3), UK GDPR Art 12(3), and the longer-of-two statutory ceilings under DPDP §13. Where your message reaches the Grievance Officer (support@mistri.ai) and engages the DPDP §13 grievance channel specifically, the statute obliges a response within 7 days. This faster window applies in parallel to the 30-day GDPR ceiling. Where another local statute requires a faster response (for example, PIPA 10 days, LGPD 15 days), we comply with the shorter statutory period.
12. Security
We implement reasonable security practices, including TLS in transit, AES-256 at rest, role-based access controls with column-level grants for sensitive columns, write-once-read-many audit logging of account-lifecycle events, secret rotation, and least-privilege service accounts. No system is perfectly secure. We will notify affected users and the Data Protection Board within 72 hours of becoming aware of a personal-data breach, in accordance with DPDP §8(6).
13. Children
The Service is intended for users 18 years and older. By using Mistri you confirm that you are at least 18. We do not knowingly process the personal data of children under 18. If you believe a child has provided us with personal data, write to support@mistri.ai and we will delete it. (DPDP §9; GDPR Art 8.)
14. Cookies and Local Storage
The website uses essential cookies for authentication. The plugin keeps your theme and a refresh-token in Figma's local plugin storage. We do not run third-party cross-site tracking cookies.
15. Changes
We will post updated versions of this Policy on this page. For material changes (new processors, longer retention, new categories of data) we will notify you by email at least 14 days before they take effect.
16. Contact
Mistri AI, Data Protection and DSAR contact
Email: support@mistri.ai
Grievance Officer per DPDP §10: the Founder, reachable at the same email.
Postal: Bengaluru, Karnataka, India.
We will acknowledge within 48 hours and respond within 15 days for grievance matters, or the statutory window for data-subject requests.