Privacy Policy

Your work is your work. Your data is yours.

How vrdiff collects, uses, stores, and protects the personal information of people who use the platform — written in plain English, no dark patterns.

Last updated · May 2, 2026

Privacy Policy

1. Who we are

vrdiff (pronounced ver-diff) is a design-to-code handoff platform at vrdiff.com. When this policy says "we", we mean the team that runs the service. When it says "you", we mean the person whose information we're processing, usually someone who has signed up for an account or whose details have been shared with us by a teammate.

2. What we collect

We collect only what we need to run the product, bill it, and keep it secure. The list below covers everything we currently store about you.

  • Account information. Your name, email, hashed password, and which sign-in method you used (email + password, or Google). If you signed in with Google, we also keep your Google account ID so we can re-link future logins.
  • Workspace and project data. The workspaces and projects you create or are invited to, your role in each, and the screens, versions, comments, replies, reviews, flows, and prototypes that you (or your teammates) publish.
  • Design payloads. When you publish from the Figma plugin, we receive the design node tree, a preview image, and your commit message. When you upload a screen manually, we just receive the image file.
  • Billing information. If your workspace is on a paid plan, our payment provider Stripe handles your card details. We never see them. We do store the Stripe customer ID, subscription state, seat count, and invoice history that Stripe shares back with us.
  • Operational data. Per-action audit-log entries (who published what, who approved what, who removed whom), notification read state, and minimal request logs (timestamp, route, IP, user-agent) we use for debugging and preventing abuse.
  • Cookies. A single signed authentication cookie (bridge_token) is set when you sign in; it tells us who's making each request. We don't use any third party advertising or analytics cookies.

3. Why we use it

We use the data above to:

  • Provide the vrdiff product to you and your teammates.
  • Authenticate your sessions, send transactional email (verification, password reset, workspace invitations), and deliver in-product notifications.
  • Charge the right amount for paid workspaces via Stripe and keep seat counts and invoices accurate.
  • Investigate bugs, fight abuse, and improve the reliability of the service.
  • Comply with our legal obligations.

We do not sell your personal data.

4. Who we share it with

We only share data with the service providers we need to run the product:

  • Stripe, for payment processing on paid plans.
  • Cloud hosting and storage providers, to host the application and store the screens, design data, and preview images you upload.
  • Email-delivery providers, to send transactional and notification email.
  • Google, only if you chose Google sign-in. In that case we exchange a sign-in token with Google to verify your identity.

Each of these providers is bound by its own data processing terms. We never share your data with advertisers, data brokers, or other third parties.

5. Where it lives

Your account, workspace, and project data lives on cloud infrastructure in regions we pick for performance and durability. Files (preview images, manually uploaded screens) sit in object storage with at-rest encryption. Traffic between your browser, our API, and the services we depend on is encrypted in transit with TLS.

6. How long we keep it

  • Account data. Kept while your account is active. When you delete your account, we delete or anonymise it within 30 days, except where we're required to keep billing or legal records.
  • Workspace and project content. Kept while the workspace exists. Deleting a workspace cancels its Stripe subscription and removes all of its projects, versions, annotations, reviews, flows, and prototypes.
  • Backups. Automated database backups roll off on a 30-day cycle.
  • Audit logs. Kept for 24 months, then aggregated or deleted.

7. Your rights

Depending on where you live, you may have the right to:

  • Get a copy of the personal data we hold about you.
  • Correct it if it's wrong.
  • Delete it (we'll honour deletion requests except where the law requires us to keep records).
  • Object to or restrict certain kinds of processing, and withdraw consent where processing was based on consent.
  • Receive your data in a portable format.

You can do most of this yourself from Profile in the app, including changing your email preferences, changing your password, and deleting workspaces you own. For anything else, email support@vrdiff.com and we'll respond within 30 days.

8. Children

vrdiff is a workplace tool. It isn't directed at children under 16, and we don't knowingly collect personal data from children. If you believe a child has signed up, contact us and we'll delete the account.

9. Changes to this policy

We'll post any updates on this page and bump the "last updated" date at the top. For material changes that affect your rights, we'll also email account holders at least 30 days before the change takes effect.

10. Contact

Questions, concerns, or requests under this policy can be sent to support@vrdiff.com.