Privacy Policy

Your work is your work. Your data is yours.

How vrdiff collects, uses, stores, and protects the personal information of people who use the platform — written in plain English, no dark patterns.

Last updated · May 2, 2026

1. Who we are

vrdiff (pronounced ver-diff) is a design-to-code handoff platform operated at vrdiff.com. When this policy says “we”, “us”, or “vrdiff”, we mean the team that runs that service. When it says “you”, we mean the person whose information is being processed — typically someone who has signed up for an account or whose details have been shared with us by a teammate.

2. What we collect

We collect only what we need to run the product, bill it, and keep it secure. The categories below cover everything we currently store about you.

  • Account information. Your name, email address, hashed password, and the sign-in method you used (email + password, or Google). If you sign in with Google we also store your Google account ID so we can re-link future logins.
  • Workspace and project data. Workspaces and projects you create or are invited to, your role in them, and the screens, versions, comments, replies, reviews, flows, and prototypes that you (or other workspace members) publish.
  • Design payloads. When you publish from the Figma plugin, we receive the design node tree, a preview image, and your commit message. When you upload a screen manually, we receive the image file.
  • Billing information. If your workspace is on a paid plan, our payment provider Stripe handles your card details directly — we never see them. We store the Stripe customer ID, subscription state, seat count, and invoice history that Stripe shares back with us.
  • Operational data. Per-action audit-log entries (who published what, who approved what, who removed whom), notification read state, and minimal request logs (timestamp, route, IP, user-agent) used for debugging and abuse prevention.
  • Cookies. A single signed authentication cookie (bridge_token) is set when you sign in; it lets us know who is making each request. We do not use third-party advertising or analytics cookies.

3. Why we use it

We process the data above to:

  • Provide the vrdiff product to you and your teammates.
  • Authenticate your sessions, send transactional email (verification, password reset, workspace invitations), and deliver in-product notifications.
  • Charge the right amount for paid workspaces via Stripe and keep seat counts and invoices accurate.
  • Investigate bugs, fight abuse, and improve performance and reliability of the service.
  • Comply with our legal obligations.

We do not sell your personal data.

4. Who we share it with

We only share data with service providers strictly necessary to run the product:

  • Stripe — payment processing for paid plans.
  • Cloud hosting and storage providers — to host the application and store the screens, design data, and preview images you upload.
  • Email-delivery providers — to send transactional and notification email.
  • Google — only when you choose Google sign-in, in which case we exchange a single sign-in token with Google to verify your identity.

Each of those providers is bound by their own data-processing terms. We never share your data with advertisers, data brokers, or other third parties.

5. Where it lives

Your account, workspace, and project data is stored on cloud-hosted infrastructure in regions chosen for performance and durability. Files (preview images, manually uploaded screens) are stored in object storage with at-rest encryption. Network traffic between your browser, the API, and our third-party providers is encrypted in transit with TLS.

6. How long we keep it

  • Account data — kept while your account is active. When you delete your account, we delete or anonymise it within 30 days, except where we are required to retain billing or legal records.
  • Workspace and project content — kept while the workspace exists. Deleting a workspace cancels its Stripe subscription and removes all of its projects, versions, annotations, reviews, flows, and prototypes.
  • Backups — automated database backups roll off on a 30-day cycle.
  • Audit logs — retained for 24 months, then aggregated or deleted.

7. Your rights

Depending on where you live, you may have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct it if it is inaccurate.
  • Delete it (we will honour deletion requests except where law requires us to keep records).
  • Object to or restrict certain types of processing, and to withdraw consent for processing that is consent-based.
  • Receive your data in a portable format.

You can manage most of this directly from Profile in the app — including changing your email preferences, your password, and deleting workspaces you own. For anything you can’t do yourself, email support@vrdiff.com and we’ll respond within 30 days.

8. Children

vrdiff is a workplace tool. It is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.

9. Changes to this policy

We will post any updates on this page and bump the “last updated” date at the top. For material changes that affect your rights, we will also email account holders with at least 30 days’ notice before the change takes effect.

10. Contact

Questions, concerns, or requests under this policy can be sent to support@vrdiff.com.