Insta2Figma - Privacy Policy
Last updated: June 20, 2026
1. Introduction
This Privacy Policy explains how MAINNET TECNOLOGIA collects, uses, stores, shares, and protects personal data when you use Insta2Figma — the Figma plugin, Framer plugin, our website, and our backend API (together, the “Service”).
Data controller
MAINNET TECNOLOGIA
CNPJ: 62.169.789/0001-66
Estrada dos Menezes, 850, Sala 1307
São Gonçalo, Rio de Janeiro, Brazil
Email: marcus@mainnet.design
Website: https://mainnet.design
We process personal data under the Lei Geral de Proteção de Dados (LGPD — Law No. 13.709/2018). Where applicable, we also respect GDPR (EEA/UK) and disclose relevant US practices below.
2. Summary
| Topic | Our practice |
|---|---|
| Instagram data | We fetch public profile/post data to fulfill your preview/import request. Primary path: our scraper infrastructure; Apify is used as a fallback when direct fetch fails. |
| Long-term Instagram storage | Short-lived Redis cache (~15 minutes) for previews. Import images are stored temporarily on object storage to deliver signed URLs. Catalog write-through and catalog-first read are disabled by default ( |
| Analytics | No session recording or third-party analytics in the plugins. Future analytics will be anonymous/aggregated where possible, with consent when required. |
| Pseudonymization | Guest users get synthetic internal emails. Scrape telemetry stores HMAC-hashed pseudonymous account IDs (not raw user UUIDs), public Instagram usernames/URLs, and technical metrics — never your email or platform display name. |
| Payments | Handled by Polar — we do not store card numbers. |
| Deletion | You can request account deletion by email; we respond within 15 days (LGPD). |
3. Who This Policy Applies To
Service users — Figma/Framer plugin users (guest or signed-in)
Website visitors — mainnet.design
Customers — paid subscribers
Support / feedback contacts
This policy also covers public Instagram usernames and URLs you choose to preview or import. Those may relate to third parties (Instagram account holders), not just you.
4. Data We Collect
4.1 Your account data (Service users)
| Data | When | Purpose |
|---|---|---|
| Internal user ID (UUID) | First use | Account, quotas, billing |
| Figma user ID / Framer user ID | Guest auth | Pseudonymous guest account |
| Synthetic guest email ( | Guest auth | Internal record only — not your real inbox |
| Email address | Magic link, Google OAuth, feedback | Auth, communication, billing |
| Google account ID | Google OAuth | Auth |
| Email verified flag | After verified login | Security |
| Plan tier, quota usage, quota period | Ongoing | Enforce Free / Pro / Max |
| Polar customer ID, subscription status | Checkout / webhooks | Billing |
We do not receive your personal email from Figma or Framer unless you sign in.
Optional platform display name may be sent during guest auth and passed to Polar at checkout only.
4.2 Import & usage data
| Data | When | Purpose |
|---|---|---|
| Import jobs (status, timestamps, errors) | Preview / import | Operate the Service |
| Job input — Instagram username, post selection, carousel options | Your request | Fulfill preview/import |
| Platform ( | Job creation | Product analytics by platform |
| Signed URLs to import images | Successful jobs | Temporary access for your plugin |
| Idempotency keys | Repeat requests | Prevent duplicate work/charges |
4.3 Public Instagram data (on your request)
When you search or import, we process publicly available Instagram content:
| Data | Typical retention | Notes |
|---|---|---|
| Instagram username | Redis cache ~15 min; job records while account exists | Public identifier |
| Public profile/post URLs and CDN links | Cache; job/media metadata during import | Used to fetch and deliver images |
| Profile/post metadata (counts, captions, timestamps) | Redis cache ~15 min only (catalog DB write-through off by default) | Not collected from private accounts you cannot access |
| Image bytes | Temporary object storage for import delivery; shared deduplicated store may reuse identical public posts | Deleted or orphaned per operational policy; not sold |
We do not ask for or store your Instagram password.
Data source: our own scraper (with server-side session infrastructure) and, when that fails, Apify actors configured in our backend. Apify processes the public URLs/usernames we send — under Apify’s terms and privacy policy.
4.4 Operational & pseudonymized telemetry
We log scrape/preview operations for reliability (table scrape_telemetry). These logs are pseudonymized:
| Stored | Not stored in telemetry |
|---|---|
| Public Instagram username requested | Your email |
| Endpoint, HTTP status, latency, cache hit, retries, errors | Figma/Framer display name |
| Plan tier (free/pro/max) | Raw internal user UUID |
| HMAC-hashed pseudonymous account ID (derived from your internal user ID via server secret; not reversible without that secret) | Data sold to advertisers |
On account deletion, we remove telemetry rows matching your hashed pseudonymous ID using the same algorithm (ScrapeTelemetryService.pseudonymizeUserId).
4.5 Temporary authentication data
| Data | Retention |
|---|---|
| Magic link / OAuth tokens, polling IDs | Minutes (~15 min magic link, ~10 min OAuth), then deleted |
| JWT in plugin storage | Until sign-out or expiry (configurable, default up to ~30 days) |
4.6 Feedback & support
If you submit feedback: name, email, message, platform, optional linked user ID — stored in our database and may be emailed to our team.
4.7 Website
The mainnet.design site may use Framer hosting cookies per Framer’s settings. See Cookies Policy.
We do not use third-party session-recording or analytics tools in the plugins.
4.8 Data on your device only
| Key | Content |
|---|---|
| | JWT session |
| | Usernames, favorites, public profile pic URLs |
| | Theme |
| | Panel size (Figma) |
Clearing plugin data removes this from your device; it does not delete server-side account data.
5. How We Use Data
Provide previews and imports
Enforce plans and quotas
Process subscriptions (via Polar)
Send magic links and respond to support/feedback
Maintain reliability (pseudonymized scrape telemetry)
Protect against abuse and secure the Service
Comply with legal obligations
We do not sell personal data or use it for third-party advertising.
6. Legal Bases (LGPD & GDPR)
| Basis | Use |
|---|---|
| Contract | Providing the Service, quotas, imports |
| Consent | Optional feedback; future non-essential analytics if added |
| Legitimate interest | Security, fraud prevention, pseudonymized operational logs — balanced against your rights |
| Legal obligation | Tax, lawful requests |
For public Instagram data you request, we rely on contract (delivering the feature) and legitimate interest (operating a design import tool). You must ensure your use respects third-party rights and Instagram’s terms.
7. Subprocessors & International Transfers
We use service providers who process data on our behalf. We select providers with appropriate security and, where required, data processing agreements (DPAs) or equivalent contractual safeguards for international transfers.
| Provider | Role | Typical location | Personal data involved |
|---|---|---|---|
| Polar | Payments & subscriptions | USA / EU | Email at checkout, customer ID, subscription status |
| | OAuth; Gmail API (magic links) | USA | Email, OAuth tokens (temporary) |
| Railway (or equivalent) | API, worker, Postgres, Redis hosting | USA (typical) | All backend data |
| Object storage (S3-compatible, e.g. storageapi.dev) | Temporary import media | Varies | Image bytes, storage keys |
| Apify | Fallback public Instagram fetch | EU / USA | Public usernames/URLs we request |
| Framer | Website hosting | USA / EU | Website visitor data |
Confirmation for your records: Mainnet relies on each provider’s published privacy terms and DPA/SCC programs (Polar, Google Cloud, Apify, etc.). We do not transfer data to subprocessors for their independent marketing. Contact us if you need the name of a specific DPA instrument for a provider.
Data may be transferred outside Brazil (including the USA). We use mechanisms recognized under the LGPD and GDPR (standard contractual clauses or equivalent) where applicable.
8. Retention
| Data | Retention |
|---|---|
| Account & subscription | While account is active + reasonable period after deletion request |
| Auth tokens (server) | Minutes, then deleted |
| Import jobs | While account exists; deleted on account deletion request |
| Feedback | Until resolved + reasonable archive, or deleted on request |
| Redis preview cache | ~15 minutes |
| Import media (object storage) | Temporary — for job delivery; not kept indefinitely for marketing |
| Scrape telemetry | Operational period, then deleted or aggregated; rows keyed by HMAC pseudonymous ID |
| Polar billing records | Per Polar and tax law |
| Catalog DB ( | Only if |
9. Security
TLS/HTTPS in transit
Access-controlled database and cloud infrastructure
JWT authentication
No payment card storage (Polar)
Pseudonymous guest accounts
Report vulnerabilities: https://mainnet.design/resources/security or marcus@mainnet.design
10. Your Rights & Data Deletion
10.1 LGPD rights (Brazil)
You may request: confirmation, access, correction, anonymization, portability, deletion, information on sharing, and revocation of consent.
Email: marcus@mainnet.design
Response time: within 15 days (LGPD), extendable where permitted.
ANPD: https://www.gov.br/anpd
PROCON: available for consumer matters under the CDC.
10.2 Account deletion
To delete your account and personal data, email marcus@mainnet.design from your registered email, or provide enough information to verify identity (including guest/platform context).
We will delete or anonymize:
User account (email, platform IDs, Polar linkage on our systems)
Jobs and usage counters tied to your account
Feedback you submitted
Scrape telemetry rows matching your HMAC pseudonymous ID (same hash algorithm used at write time)
We may retain:
Billing/tax records via Polar (contact Polar for payment data deletion)
Anonymized/aggregated statistics that cannot identify you
Data required by law or to resolve disputes
Clearing plugin local storage alone does not delete server-side account data.
10.3 GDPR (EEA/UK)
If GDPR applies, you also have rights to erasure, restriction, objection, and to lodge a complaint with your supervisory authority.
10.4 United States
We do not sell personal information as defined by CCPA/CPRA. California residents may request access, deletion, and correction by contacting us.
11. Third-Party Instagram Data
Insta2Figma processes public Instagram content because you request it. We are not Instagram/Meta. Content may be subject to copyright and privacy rights of creators and account holders.
You are responsible for lawful use. See Terms & Conditions.
Third-party account holders with data concerns may contact marcus@mainnet.design.
12. Children
The Service is not directed at children under 16 without parental consent where required. We do not knowingly collect data from children under 13 (USA).
Contact us to request removal if you believe a child provided personal data.
13. Automated Decisions
We do not make legally significant decisions based solely on automated processing. Quotas follow fixed plan rules.
14. Changes
We may update this policy. The “Last updated” date reflects the current version. Material changes will be communicated via the Service or website.
A Portuguese (PT-BR) version may be published separately; where required for consumers in Brazil, it prevails over English in case of material inconsistency.
15. Governing Law
Laws of Brazil.
Consumers (CDC): courts of your domicile (Art. 101).
Other disputes: courts of São Gonçalo, Rio de Janeiro, Brazil, unless mandatory law requires otherwise.
16. Contact
MAINNET TECNOLOGIA
CNPJ: 62.169.789/0001-66
Estrada dos Menezes, 850, Sala 1307
São Gonçalo, Rio de Janeiro, Brazil
Privacy & deletion: marcus@mainnet.design
Support: marcus@mainnet.design
Appendix — Compliance notes (internal / operator reference)
This appendix summarizes alignment with common requirements. It is not legal advice.
| Area | Status / action |
|---|---|
| LGPD transparency | Addressed by this policy + Terms + Cookies |
| Session recording / Clarity | Removed from codebase — no consent gap for recording |
| Apify | Disclosed as subprocessor; only public URLs/usernames sent |
| Catalog persistence | Off by default ( |
| Telemetry pseudonymization | Implemented — HMAC hash of user ID in |
| Subprocessor DPAs | Confirm Polar, Google, Railway, storage, Apify DPAs/SCCs in each vendor dashboard |
| PT-BR versions | Planned |
| In-app legal URLs | Update to mainnet.design when CMS pages are live |