Privacy Policy

Last updated: March 18, 2026

This Privacy Policy for Quadrate28 DMCC (doing business as Mokko) ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Visit our website at https://mokko.ai or any website of ours that links to this Privacy Policy
Use Mokko, our Figma plugin that uses artificial intelligence to automate repetitive design tasks by learning and applying your existing design system. The plugin operates within Figma and connects to external services for AI processing, image generation, and analytics.
Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Policy will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

Table of Contents

What Information Do We Collect?
How Do We Process Your Information?
What Legal Bases Do We Rely On to Process Your Information?
When and With Whom Do We Share Your Personal Information?
Third-Party Services and AI Processing
Do We Use Cookies and Other Tracking Technologies?
How Long Do We Keep Your Information?
How Do We Keep Your Information Safe?
Do We Collect Information from Minors?
What Are Your Privacy Rights?
Controls for Do-Not-Track Features
Do We Make Updates to This Policy?
How Can You Contact Us About This Policy?
How Can You Review, Update, or Delete the Data We Collect from You?

1. What Information Do We Collect?

Personal Information You Disclose to Us

In Short: We collect personal information that you voluntarily provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

Name
Email address
Password (stored in hashed form)

We do not collect IP addresses, job titles, or phone numbers through the Mokko plugin or user registration. Note that our payment processor, Stripe, may collect billing addresses as part of payment processing on our behalf (see Section 5).

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. We do not store or have access to your full credit card numbers. You may find their privacy notice at https://stripe.com/privacy.

Sensitive Information. We do not process sensitive information.

Figma Design Data

  Important: When you use the Mokko Figma plugin, it accesses and processes data from your Figma files in order to learn your design system and automate design tasks. This data may include component structures, layer names, style properties, layout configurations, and other design file metadata. This data is used solely to provide and improve the Service for you.

Figma design data is:

Transmitted to our servers for processing and stored as part of your usage history
Sent to Anthropic's API for AI-powered design assistance (subject to Anthropic's commercial API terms, which prohibit using customer data for model training)
Included in telemetry data sent to LangSmith (LangChain) for service evaluation and improvement
Never sold to third parties
Never used to train general-purpose AI models

Information Automatically Collected

In Short: Some information, such as your browser and device characteristics, is collected automatically when you visit our website.

We automatically collect certain information when you visit, use, or navigate the mokko.ai website. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our website, and other technical information. This information is primarily needed to maintain the security and operation of our website and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies on our website. See our Cookie Policy for more details.

Note: The Mokko Figma plugin itself does not set cookies. Cookies are only used on the mokko.ai website.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

To facilitate account creation and authentication and otherwise manage user accounts
To deliver and facilitate the delivery of services to the user. We may process your information to provide you with the requested service, including processing your Figma design data through AI services to generate design outputs.
To respond to user inquiries and offer support. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
To evaluate and improve our Services. We may process your information when we believe it is necessary to identify usage trends and evaluate and improve our Services, products, marketing, and your experience. This includes telemetry data processed through LangSmith and analytics data processed through Mixpanel.

3. What Legal Bases Do We Rely On to Process Your Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill our legitimate business interests.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to analyze how our Services are used so we can improve them to engage and retain users, and to diagnose problems and/or prevent fraudulent activities.
Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

We may need to share your personal information in the following situations:

Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Service Providers (Sub-processors). We share your data with third-party service providers who perform services on our behalf, as described in Section 5 and in our Sub-processor List.

5. Third-Party Services and AI Processing

In Short: We use specific third-party services to operate Mokko. Each service processes only the data necessary for its function.

Mokko relies on the following categories of third-party services to deliver its functionality. A complete, up-to-date list of all sub-processors, including entity names and locations, is maintained at mokko.ai/sub-processors.

Confidentiality of your design data: We treat all design data you submit through the Mokko plugin as confidential. Your data is shared only with the sub-processors listed below and on our Sub-processor List, solely for the purpose of delivering the Services. Each sub-processor operates under a data protection agreement. We do not publish, sell, or use your design data for marketing, public display, or AI model training. For details on the specific legal safeguards governing each data transfer, see the Data Transfers section of our Sub-processor List.

AI Processing (Anthropic)

When you use Mokko, your design data and natural language prompts are sent to Anthropic's API for AI-powered processing. Anthropic operates under commercial API terms that explicitly prohibit using customer inputs or outputs to train their models. Anthropic retains API logs for a maximum of 30 days for safety and abuse monitoring purposes, after which they are deleted. For more information, see Anthropic's Privacy Policy.

AI Image Generation (Black Forest Labs via OpenRouter)

When you use Mokko's image generation features, your prompts are sent to Black Forest Labs' image generation model through OpenRouter. The generated images are stored in DigitalOcean Spaces (see Hosting below). OpenRouter acts as an intermediary API routing service. For more information, see OpenRouter's Privacy Policy.

Hosting and Storage (DigitalOcean)

Our application infrastructure, including user accounts and usage history, is hosted on DigitalOcean servers located in Frankfurt, Germany (EU). DigitalOcean Spaces (also in Frankfurt, Germany) is used for storing AI-generated images and user-uploaded files such as design assets and documents. All DigitalOcean infrastructure serving Mokko is located within the European Union. For more information, see DigitalOcean's Privacy Policy.

Telemetry and Evaluation (LangSmith by LangChain)

We use LangSmith to monitor, trace, and evaluate the performance of our AI features. Telemetry is configured to record all AI inputs and outputs, which means your interactions with the plugin, including Figma design data submitted as part of AI requests and the corresponding AI-generated responses, are sent to LangSmith. Telemetry data is processed on LangSmith's EU servers. This data is used solely to evaluate and improve the quality of our AI outputs. For more information, see LangChain's Privacy Policy.

Product Analytics (Mixpanel)

We use Mixpanel to understand how users interact with the Mokko plugin. Mixpanel is configured with automatic event capture (autocapture) and heatmap recording, which means it collects click events, form interactions, page views, and mouse/tap position data within the plugin interface, in addition to custom usage events such as feature usage frequency and session patterns. Mixpanel data is routed to EU servers (api-eu.mixpanel.com). Mixpanel is not sent personally identifiable Figma design content. For more information, see Mixpanel's Privacy Policy.

Website Analytics (Google Analytics)

We use Google Analytics on the mokko.ai website only (not within the Figma plugin) to understand website traffic and visitor behavior. Google Analytics uses cookies to collect this data. For more information, see Google's Privacy Policy and our Cookie Policy.

Payment Processing (Stripe)

All payment processing is handled by Stripe. We do not store or have access to your full payment card details. Stripe processes payments on the mokko.ai website, not within the Figma plugin. For more information, see Stripe's Privacy Policy.

Transactional Email (Resend)

We use Resend to send transactional emails such as account verification, password resets, subscription confirmations, and other service-related notifications. Resend processes your email address, name, and the content of these messages. Resend is located in the United States and is EU-US Data Privacy Framework certified, with Standard Contractual Clauses available as a fallback. For more information, see Resend's Privacy Policy.

For a complete list of our sub-processors including entity names, purposes, data processed, and locations, please visit our Sub-processor List.

International Data Transfers

Your data is primarily hosted within the European Union (Frankfurt, Germany). Some of our sub-processors are located in the United States. Where personal data is transferred from the European Economic Area (EEA) to the United States, we rely on legally recognized transfer mechanisms including the EU-US Data Privacy Framework (for DPF-certified providers such as Stripe, Google, and Resend) and Standard Contractual Clauses approved by the European Commission (for providers such as Anthropic and OpenRouter). The majority of our sub-processors, including DigitalOcean (hosting and storage), Mixpanel, LangSmith, and Black Forest Labs, process data within the EU, requiring no cross-border transfer. For a detailed breakdown of the specific transfer mechanism used for each sub-processor, see the Data Transfers section of our Sub-processor List.

6. Do We Use Cookies and Other Tracking Technologies?

In Short: We use cookies on our website but not in the Figma plugin.

We may use cookies and similar tracking technologies (like web beacons and pixels) on the mokko.ai website to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy.

The Mokko Figma plugin does not set or use cookies. Analytics within the plugin are handled by Mixpanel using event-based tracking, not cookie-based tracking.

7. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this policy will require us keeping your personal information for longer than the period of time in which users have an account with us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Specific retention periods:

Anthropic API logs: Retained by Anthropic for up to 30 days for safety monitoring, then automatically deleted by Anthropic. No action required from us.
LangSmith telemetry: Retained for service evaluation purposes for the duration of your account. Upon account deletion, we issue a deletion request to LangSmith to remove all traces associated with your account.
Mixpanel analytics: Retained for the duration of your account. Upon account deletion, we issue a deletion request to Mixpanel via their GDPR API to remove all events and profile data associated with your identifier.
AI-generated images and user-uploaded files: Stored in DigitalOcean Spaces (Frankfurt, EU) for the duration of your account. Upon account deletion, all files in your user storage directory are permanently deleted.
Account data: Retained until you request deletion of your account.
Resend email data: Transactional email logs are retained by Resend under their standard retention policies. Upon account deletion, we cease sending emails to your address. Email delivery logs held by Resend are subject to their own data retention and deletion practices.
Stripe payment data: Managed by Stripe under their own retention policies. We do not store payment card details. Upon account deletion, we do not retain billing records beyond what is required for tax and accounting compliance.

Deletion timeline: When you delete your account or submit a deletion request, we will initiate deletion of your data from our systems and all sub-processors within 30 days. Some sub-processors may take up to an additional 30 days to complete the deletion on their end. Anthropic API logs are automatically purged within 30 days regardless of any deletion request.

8. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].

10. What Are Your Privacy Rights?

In Short: Depending on your location, you may have certain rights regarding your personal information.

In some regions (like the EEA, UK, and certain US states), you have certain rights under applicable data protection laws. These may include the right to (i) request access and obtain a copy of your personal information, (ii) request rectification or erasure, (iii) restrict the processing of your personal information, (iv) data portability, and (v) not be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information.

If you are a resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us at [email protected].

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account, or contact us at [email protected].

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases, and initiate deletion requests to all sub-processors that hold your data (including LangSmith, Mixpanel, and DigitalOcean Spaces), as described in Section 7. We aim to complete this process within 30 days of your request. We may retain limited information as required to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements (such as tax records).

11. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

12. Do We Make Updates to This Policy?

In Short: Yes, we will update this policy as necessary to stay compliant with relevant laws.

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Policy. If we make material changes to this Privacy Policy, we will notify you either by prominently posting a notice of such changes or by directly sending you a notification to the email address associated with your account. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

Changes to our sub-processor list (available at mokko.ai/sub-processors) will be posted to that page with 30 days advance notice before new sub-processors begin processing your data. If you object to a new sub-processor, you may terminate your account before the change takes effect.

13. How Can You Contact Us About This Policy?

If you have questions or comments about this policy, you may email us at [email protected] or contact us by post at:

Quadrate28 DMCC (Mokko)

AI Centre, Uptown Tower, Jumeirah Lake Towers

Dubai, United Arab Emirates

Phone: (+971)42 837 090

Email: [email protected]

14. How Can You Review, Update, or Delete the Data We Collect from You?

Based on the applicable laws of your country or state of residence (including GDPR Article 17 for EEA residents), you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information.

When you request deletion, we will delete your personal data from our own systems and issue deletion requests to all sub-processors that hold your data, including LangSmith (telemetry traces), Mixpanel (analytics data), and DigitalOcean Spaces (stored files). See Section 7 for specific retention periods and deletion timelines per sub-processor. We will confirm completion of the deletion process to you by email.

To request to review, update, or delete your personal information, please contact us at [email protected].