Privacy Policy

Last updated: November 27, 2024

1. Introduction

Design Commons ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at designcommons.app (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us:

  • Account Information: Email address, name, profile photo (if you choose to provide one)
  • Organization Data: Organization name, team names, project information
  • Content: Updates, comments, standups, rollups, and other content you create
  • Files: Images, videos, and PDFs you upload to the Service
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

When you use our Service, we automatically collect:

  • Usage Data: Pages viewed, features used, time spent, interactions
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, error logs
  • Cookies: Session cookies, preference cookies, analytics cookies (see Section 6)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Create and manage your account
  • Process your transactions and send related information
  • Send you technical notices, updates, security alerts, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyze trends, usage, and activities in connection with our Service
  • Detect, prevent, and address technical issues and fraudulent activity
  • Generate AI-powered summaries and insights from your content (only when you use these features)

4. Data Storage and Security

4.1 Firebase Infrastructure

We use Google Firebase to store and process your data. Firebase is SOC 2 Type II certified and provides:

  • Encryption at Rest: All data is automatically encrypted when stored
  • Encryption in Transit: All data is transmitted over TLS 1.2 or higher
  • Access Controls: Role-based access controls and audit logging
  • Data Residency: Data is stored in the United States (us-central1 region)

4.2 Security Measures

We implement industry-standard security measures:

  • Server-side session management with HTTP-only cookies
  • Firestore Security Rules to control data access
  • File upload validation (size limits, type restrictions)
  • Input validation and sanitization
  • Regular security audits and monitoring

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

We use the following third-party services:

Google Firebase (Database & Storage)

Purpose: Data storage and authentication

Privacy Policy: firebase.google.com/support/privacy

Vercel (Hosting)

Purpose: Application hosting and delivery

Privacy Policy: vercel.com/legal/privacy-policy

Sentry (Error Tracking)

Purpose: Error monitoring and performance tracking

Privacy Policy: sentry.io/privacy

PostHog (Product Analytics)

Purpose: Usage analytics and product insights

Privacy Policy: posthog.com/privacy

Stripe (Payment Processing)

Purpose: Payment processing (we do not store credit card information)

Privacy Policy: stripe.com/privacy

OpenAI (AI Features)

Purpose: AI-powered summaries and insights

Privacy Policy: openai.com/privacy

Note: Content sent to OpenAI is not used to train their models. We send minimal context (only the content you choose to summarize).

6. Cookies and Tracking

We use cookies and similar tracking technologies:

6.1 Essential Cookies

Required for the Service to function:

  • Session Cookie: Keeps you logged in (HTTP-only, secure)
  • Preference Cookies: Remember your settings (sidebar collapsed, view preferences)

6.2 Analytics Cookies

Optional cookies you can disable via our cookie banner:

  • PostHog Analytics: Tracks usage patterns and feature adoption
  • Vercel Speed Insights: Measures page load performance

You can control cookie preferences through our cookie consent banner or your browser settings.

7. Your Privacy Rights

Depending on your location, you may have the following rights:

7.1 GDPR Rights (EU/UK Users)

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to certain processing activities
  • Right to Withdraw Consent: Withdraw consent at any time

7.2 CCPA Rights (California Users)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to say no to the sale of personal information (we do not sell data)
  • Right to access your personal information
  • Right to equal service and price

To exercise any of these rights, please contact us at privacy@designcommons.app.

8. Data Retention

We retain your information for as long as:

  • Your account is active
  • Needed to provide you the Service
  • Required to comply with legal obligations
  • Necessary to resolve disputes and enforce agreements

When you delete your account, we will delete your personal information within 30 days, except where we are required to retain it for legal purposes.

Organization data is retained as long as the organization exists. If an organization is deleted by the owner, all associated data is permanently deleted within 30 days.

9. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

If you become aware that a child has provided us with personal information, please contact us. If we discover that a child under 16 has provided us with personal information, we will delete such information immediately.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.

Our servers are located in the United States (us-central1 region via Google Firebase). By using the Service, you consent to the transfer of information to the United States and/or other countries.

We take steps to ensure that your data is treated securely and in accordance with this Privacy Policy, including using Standard Contractual Clauses approved by the European Commission for transfers to third countries.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending you an email notification for material changes

You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us: