Asset Importer for Figma

Privacy Policy

Last updated: April 2026

1. About this plugin

Asset Importer for Figma is a Figma plugin developed by Carl Hagerling (carl.hagerling@gmail.com). It allows users to browse Google Drive and import media assets directly onto the Figma canvas.

2. Data we collect

When you sign in with Google, the plugin accesses the following data solely to provide its core functionality:

  • Google account name, email address, and profile photo — displayed in the plugin UI so you can confirm which account is connected.
  • Google Drive file and folder names and IDs — used to populate the folder browser and let you select assets.
  • OAuth access token — stored locally in Figma's clientStorage (on your device, inside Figma). It is never sent to any server other than Google's own APIs.

3. Data we do NOT collect

  • File contents — images and videos are downloaded directly from Google Drive to Figma. No server operated by this plugin stores or processes your file contents.
  • Analytics or usage data — no analytics, telemetry, or behavioral tracking.
  • Third-party sharing — your data is never sold or shared with any third party.

4. Google OAuth scopes

The plugin requests the following Google OAuth scope:

https://www.googleapis.com/auth/drive.file

This scope grants access only to files the user explicitly selects via the Google Picker — not to your entire Google Drive.

5. Data storage and the OAuth relay server

OAuth tokens are stored in Figma's clientStorage — a local, per-user storage mechanism built into the Figma plugin runtime. Tokens are never written to any database we control.

A temporary session relay server (figma-oauth-five.vercel.app) is used only during the OAuth handshake and the Google Picker file selection flow. Any token held by this server is stored ephemerally — it is deleted immediately after being consumed by the plugin and in all cases within 5 minutes.

6. Your rights and revoking access

You can revoke the plugin's access to your Google account at any time by visiting myaccount.google.com/permissions. Revoking access immediately invalidates the stored token. You can also sign out directly inside the plugin, which clears the locally stored token.

7. Changes to this policy

Any material changes to this privacy policy will be reflected on this page with an updated date.

8. Contact

Questions about this privacy policy? Email carl.hagerling@gmail.com.