Tokens Studio Plugins
Privacy Policy
Effective from: 15-12-2025
1. Who we are
Tokens Studio is a service operated by Hyma B.V., Lage Gouwe 92, 2801 LJ Gouda, the Netherlands (Chamber of Commerce No. 59750502, “we”, “our”, “us”).
Hyma B.V. acts as:
Data Controller for personal data we process for our business operations (e.g. user account management, billing, and marketing).
Data Processor on behalf of our customers when processing Client Content: data that is uploaded, input, or created within the Tokens Studio Plugin for Figma or the Tokens Studio Apply Variables Plugin.
You can contact our privacy team at privacy@tokens.studio or by post at the address above.
Our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
2. Scope
This Privacy Policy explains how we collect, use, share, and protect personal data when you use our plugins, namely:
Tokens Studio Plugin For Figma
Tokens Studio Apply Variables Plugin
This Privacy Policy also applies when you:
Interact with us in any way, such as support, email, or marketing
Use the contact form to contact our customer service or sales teams
We collect several types of information to deliver services via our plugins and to manage subscriptions for the Tokens Studio Plugin for Figma (Plus).
3. What Data We Collect
Contact Information
First name and last name, email address
Source: You
Purpose: subscription management, customer support, optional marketing communications
Payment Data (For subscriptions)
Examples: last four digits of credit card number, billing address, VAT number, transaction ID (handled via Stripe)
Source: You
Purpose: subscription fulfilment, compliance with tax obligations
Usage data
Examples: User activities within the plugins
Source: Sentry, Mixpanel
Purpose: analyzing plugin performance, detecting errors, debugging.
Subscription Details
Example: Status of subscription for Tokens Studio Starter Plus plugin
Source: Keygen, Stripe
Purpose: Providing the enhanced functionality of a Plus subscription.
Marketing and CRM
Examples: Contact history, campaign metadata, support tickets
Source: You
Purpose: Customer support (legitimate interest) and marketing (legitimate interest). We send marketing communications where legally permitted under GDPR, based on legitimate interests for B2B contacts acting in a professional capacity. Individuals may object at any time.
4. Legal Bases
Provide the service, create subscriptions, process payments: Art. 6(1)(b) contract
Fraud prevention: Art. 6(1)(f) legitimate interest
Analytics to improve tools: Art. 6(1)(f) legitimate interest
Email marketing: Art. 6(1)(f) legitimate interest
Compliance with tax & accounting duties: Art. 6(1)(c) legal obligation
Where we rely on legitimate interest, we balance our interests against your rights and reasonable expectations and allow you to object at any time (see Section 13).
5. Our Subprocessors
We use trusted third-party service providers to process data on our behalf.
Our current list of subprocessors is available here.
Any changes to the subprocessors will be updated on that page and the effective date will be revised.
6. Security Measures
We implement appropriate technical and organizational measures under Art. 32 GDPR, including:
HTTPS/TLS 1.2 (or higher) encryption in transit, AES-256 or equivalent at rest
Role-based access controls & MFA for all staff accounts with access to personal data
Continuous vulnerability scanning & periodic penetration tests
EU-based hosting with industry-standard security measures (AWS, GCP). For subprocessors that process data outside the EU, appropriate contractual and technical safeguards are in place. Safeguards include EU Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable.
7. Data Retention
Transaction & invoicing records: 7 years (required by Dutch tax law)
Marketing consents (evidence for compliance)
8. Cookies & Tracking
We use:
Essential cookies (authentication, session security) – always active
Analytics cookies
9. No Sale of Personal Data
We do not sell or rent your personal data to third parties.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects under Art. 22 GDPR.
11. Government, Regulatory, and Law Enforcement Requests
We are committed to protecting your privacy while complying with valid legal obligations. When we receive requests for personal data from government agencies, regulators, or law enforcement authorities, we follow strict procedures to ensure GDPR compliance and protect your rights.
Legal Assessment: We review each request for legal validity and verify if the requesting authority has proper jurisdiction. We will assess the request against Article 6.1(c) of GDPR and consult with qualified legal counsel when necessary.
Scope Limitation: In responding to requests from government agencies, regulators, or law enforcement authorities, we will limit the scope of data disclosure to that which is specifically requested and legally required.
Data Subject Notification: If we respond to a request for your data, we will notify you within 30 days, unless there is a statutory confidentiality requirement, or the requesting authority certifies that such a disclosure would interfere with an active investigation.
12. Your Rights
You have the following rights under GDPR:
Access (Art. 15)
Rectification (Art. 16)
Erasure (“right to be forgotten”, Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Objection (Art. 21) — including the right to object to direct marketing
Withdraw consent at any time (Art. 7(3))
Contact privacy@tokens.studio to exercise these rights.
We respond within one month; if necessary, we may extend by up to two additional months for complex requests (you will be notified if so).
If you are not satisfied with the outcome, you may lodge a complaint with the Autoriteit Persoonsgegevens.
13. Data Breach Notification
If a personal data breach poses a risk to your rights and freedoms, we will notify you without undue delay, and within 72 hours of becoming aware of the breach, via email and/or in-app notification.
14. Children
The Service is not directed to children under 16. If we discover we have collected data from a child, we will delete it promptly.
15. Transfer of Business
If Tokens Studio is involved in a merger, acquisition, or asset sale, your personal data may be transferred. You will be notified before the data becomes subject to a different privacy policy.
16. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated at least 30 days in advance via email or an in-app notice.
Historical Privacy Policy
Find the Privacy Policy version effective prior to December 15, 2025.
