Last updated: June 8, 2026
This privacy policy describes how inspecta ("we", "us", or "our") collects, uses, and shares information when you use our products and services, including:
- the inspecta website at inspecta.design
- the inspecta web application at app.inspecta.design
- the inspecta Chrome extension
- the inspecta Figma plugin
Together, these are referred to as the Service. By using the Service, you agree to the collection and use of information in accordance with this privacy policy.
1. Interpretation and definitions
Interpretation
Words with initial capital letters have meanings defined below. These definitions apply whether they appear in singular or plural.
Definitions
- Account — a unique account created for you to access parts of the Service that require sign-in.
- Company — inspecta, operating from Israel.
- Cookies — small files placed on your device by a website, used to remember preferences and support essential functionality.
- Device — any device that can access the Service, such as a computer, phone, or tablet.
- Personal Data — any information that relates to an identified or identifiable individual.
- Service — the inspecta website, web application, Chrome extension, Figma plugin, and related features described in this policy.
- Service Provider — a third party that processes data on our behalf to help us operate the Service.
- Usage Data — data collected automatically about how the Service is used (for example, diagnostic or technical metadata).
- You — the individual or entity using the Service.
2. Scope of the service
inspecta is a visual QA and CSS editing tool. Depending on how you use it, the Service may:
- read and display information from web pages you choose to inspect
- store your design edits locally in your browser
- sync projects and shared links to the cloud when you are signed in
- send data to AI providers when you configure a bring your own key (BYOK) API key and use AI features
- read clipboard content when you paste design data from the Figma plugin
The Chrome extension runs only on pages where you activate it. It does not run in the background on sites you are not actively inspecting.
3. Information we collect
3.1 Account and profile information
When you sign in with Google through Firebase Authentication, we receive and store:
- your Firebase user ID (uid)
- email address
- display name
- profile photo URL (if provided by Google)
We use this information to identify your account, sync the extension with the web app, and associate your projects with your account. Authentication tokens may be stored in the Chrome extension's local storage so you remain signed in. Refresh tokens are encrypted before storage in the extension.
3.2 Usage and diagnostic data
We may collect technical information when you use the Service, such as:
- IP address
- browser type and version
- pages of the Service you visit
- date and time of access
- device and operating system information
- error and performance diagnostics
When you use AI features, we store aggregated token usage counts per account (for example, how many tokens were used for element edits or Figma compare). We do not store the content of your AI prompts or responses on our servers.
We may apply rate limits to certain features (for example, Figma compare) and store usage counters associated with your account.
3.3 Data from websites you inspect
When you activate the inspecta Chrome extension on a web page, the extension may read and process:
- page URL, title, and hostname
- HTML structure (tags, IDs, classes, selectors)
- computed CSS styles
- visible text content (trimmed and capped for performance)
- element dimensions and layout information
- screenshots of the visible tab (for project thumbnails, Figma compare, or visual QA)
Important: Pages you inspect may contain information belonging to third parties, including personal data visible on those pages. You are responsible for ensuring you have the right to inspect and process that content. inspecta reads page data only when you activate the extension on that page.
Most inspection data stays in your browser unless you use cloud sync, sharing, or AI features described below.
3.4 Projects, edits, and shared links
When you are signed in, inspecta may automatically save to Firebase Firestore:
- page URL and hostname
- CSS, text, and image edits you make
- a page screenshot thumbnail
- project title and timestamps
- your user ID as the creator
If you create a share link, we store a copy of the edit data along with an optional description. Shares are public by default unless we offer and you choose a restricted visibility option. Anyone with the link may view the shared content, including the page URL and edit details. Your email or display name may appear as the sharer.
3.5 Clipboard data
When you paste design data from the inspecta Figma plugin (or other supported sources), the extension reads clipboard contents only as initiated by you. This may include serialized Figma design data or images copied from the plugin. We do not continuously monitor your clipboard.
3.6 Figma plugin data
The inspecta Figma plugin runs locally inside Figma. It serializes design information from your Figma file (such as layer names, text, styles, and bounds) and copies it to your clipboard. The plugin does not connect to inspecta servers directly and does not access your Figma account through inspecta.
inspecta does not use the Figma OAuth API to fetch your Figma files.
3.7 AI prompts and context (BYOK)
If you configure a BYOK API key and use AI features, inspecta processes:
- your natural-language prompts and instructions
- structured context derived from the page or design (selectors, CSS hints, element text previews, scan results, Figma node trees, DOM snapshots)
- optional screenshots for visual comparison (Figma compare / visual QA)
This data is sent from the extension to the inspecta web application and then forwarded to your chosen AI provider using your API key. See Section 4 for details.
3.8 Local browser storage
The Chrome extension stores data locally in browser storage, including:
- encrypted BYOK API keys and model preferences
- authentication tokens and user profile cache
- per-site CSS edit history (when enabled)
- UI preferences and onboarding state
- a random analytics installation ID (installId)
This data remains on your device unless you use cloud sync, AI features, or analytics as described above.
3.9 IDE integration (local only)
If you use Send to IDE / external agent features, inspecta may send CSS changes and context to a local development tool on your machine (for example, via localhost WebSocket). That data does not pass through inspecta cloud servers.
3.10 Product and usage analytics (Chrome extension)
We use PostHog as our product analytics provider to understand how the Chrome extension is used, improve reliability, and prioritize features. The extension sends analytics to the inspecta web application API over HTTPS; our servers forward events to PostHog server-side. The extension does not load the PostHog SDK or contain a PostHog API key.
We do not use third-party advertising trackers or sell your data.
We collect product analytics to operate and improve the Service. Analytics are enabled by default in the Chrome extension. We do not provide an in-app analytics toggle; see Section 12 to object to processing or request deletion of analytics data associated with your account.
When you are not signed in (anonymous usage): We assign a random installation ID (installId) stored locally in the extension. We do not know your name or email in this mode. We may collect extension install and update events, when you open the extension or inspector panel, a once-per-day daily active signal while the panel is in use, and extension version.
When you are signed in: In addition, we associate usage with your Firebase user ID (uid), verified server-side from your authentication token. We may collect product events such as Figma compare or Scan UI runs (success or failure, not page content), share link creation, project saves, sign-in completion, and hostname only (for example, github.com) — not full page URLs, paths, or query strings.
We do not include email, display name, page HTML, CSS edits, screenshots, or AI prompt content in analytics events.
The extension sends analytics to the inspecta web application API over HTTPS. Our servers forward events to PostHog Cloud (United States by default; European hosting available depending on project configuration; see Section 10). PostHog stores events per PostHog's privacy policy. When you sign in, we may link your anonymous installId to your account uid (via PostHog alias).
4. Bring your own key (BYOK) and AI processing
inspecta offers optional AI features (such as Edit with AI, Scan UI insights, and Figma compare summaries). These features require you to supply your own API key from a supported provider: OpenAI, Anthropic, or Google Gemini.
How BYOK works
- Your API key is stored locally in your browser, encrypted, in the Chrome extension. inspecta does not persist your API key on our servers.
- When you use an AI feature, your key is sent to the inspecta web application in the request headers solely to forward your request to the provider you selected. The key is not logged and is not stored server-side.
- The extension may also contact the provider directly to verify that a key is valid when you save it in Settings.
- AI features require you to be signed in to an inspecta account.
What is sent to AI providers
When you use AI features, inspecta sends your prompt and relevant context to your chosen provider using your key. Depending on the feature, this may include page or design structure, visible text samples, CSS information, scan results, and screenshots.
If you use a vision-capable model, screenshots of the live page and/or Figma design may be included.
You are responsible for:
- choosing your AI provider and reviewing its privacy policy and terms
- ensuring you have the right to send page, design, and screenshot data to that provider
- any charges incurred with your provider
Supported provider privacy policies:
inspecta stores token usage totals per account on our servers for display in your profile. We do not store prompt or response content from AI calls.
5. How we use your information
We use collected information to:
- provide, operate, and maintain the Service
- authenticate you and sync the extension with your account
- save and display your projects and shared links
- process AI requests when you configure BYOK and initiate AI features
- monitor usage limits and aggregated token consumption
- measure product usage and improve the Service through analytics processed via PostHog (see Section 3.10)
- improve reliability, security, and performance
- respond to your requests and support inquiries
- comply with legal obligations
We do not sell your Personal Data. We do not use your BYOK API key for any purpose other than the AI features you initiate.
6. Lawful basis for processing
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process Personal Data only where we have a valid legal basis under applicable data protection law:
| Processing activity | Lawful basis |
|---|---|
| Account sign-in, authentication, and extension sync | Contract — necessary to provide the Service you request |
| Projects, cloud sync, and shared links | Contract — necessary to store and display your content |
| Product analytics (PostHog) | Legitimate interests — understanding usage and improving the Service; you may object (see Section 12) |
| Security, abuse prevention, and usage limits | Legitimate interests — protecting the Service and users |
| Support and correspondence | Legitimate interests — responding to your requests |
| BYOK and AI requests you initiate | Contract — necessary to fulfill the AI feature you request; you choose when to send data to your provider |
| Legal and regulatory compliance | Legal obligation |
8. Third-party service providers
| Provider | Purpose |
|---|---|
| Google Firebase | Authentication, cloud database (Firestore), Cloud Functions |
| Vercel | Web application hosting; optional caching for rate limits and usage metrics |
| PostHog | Product analytics — event storage, DAU/WAU, and funnels (data forwarded server-side from our API) |
| OpenAI, Anthropic, Google Gemini | AI inference when you supply a BYOK key and use AI features |
| Google Fonts | Font catalog in the extension (no page content sent) |
These providers process data according to their own privacy policies. Firebase and Cloud Functions may process data in the United States (for example, us-central1). PostHog may process analytics data in the United States (default) or European Union, depending on our PostHog project configuration.
The Chrome Web Store listing for our extension includes additional disclosures about browser permissions required by the extension.
10. Data storage and international transfers
Your information may be processed and stored in countries other than your own, including Israel (where inspecta operates) and the United States (where Firebase, PostHog Cloud, and our hosting providers operate).
When we transfer Personal Data from the EEA, UK, or Switzerland to countries that have not been recognized as providing an adequate level of data protection (such as the United States), we rely on appropriate safeguards. These include Standard Contractual Clauses (SCCs) incorporated into our agreements with service providers such as Google (Firebase) and PostHog, where those providers make them available. We take reasonable steps to ensure your data is treated securely and in accordance with this privacy policy.
You may contact us at info@inspecta.design for more information about transfer safeguards or to request a copy of relevant SCCs where applicable.
11. Data retention
We retain Personal Data only as long as necessary for the purposes described in this policy, including:
- Account data — while your account is active
- Projects — until you delete them or delete your account
- Shared links — until you delete them; when you delete your account, public shares you created are removed within 30 days
- Usage metadata — up to 24 months for usage limits and internal analysis
- Product analytics events — stored in PostHog according to our PostHog project retention settings (typically up to one year for raw events; aggregated counts may be kept longer)
- Firebase users registry — while your account is active (signup metadata separate from PostHog event storage)
- AI prompts and responses — not stored on inspecta servers; retention by your AI provider is governed by their policy
We may retain certain information when required by law or for legitimate business purposes such as dispute resolution and security.
12. Your privacy rights
Depending on your location, you may have the right to:
- access the Personal Data we hold about you
- correct inaccurate data
- request deletion of your data
- object to or restrict certain processing
- withdraw consent where processing is based on consent
- receive a copy of your data in a portable format
You can update some account information through the Service. You may delete your account from the web application, which triggers deletion of your projects and Firebase Authentication account.
Analytics: To object to product analytics processing or request deletion of analytics data linked to your account, contact us at info@inspecta.design or delete your account as described below.
Account deletion: When you delete your account, we remove your projects and authentication record, typically immediately. Public share links you created are removed within 30 days. We delete or anonymize analytics data associated with your user ID in PostHog within 30 days where feasible. Other associated data (such as session records, anonymous install records not linked to your account, or aggregated usage metadata) may be retained for up to 24 months as described in Section 11. Contact us if you need help with an erasure request.
To exercise your rights, contact us at info@inspecta.design.
13. Security
We use commercially reasonable measures to protect your information, including encryption of BYOK keys in local extension storage and encrypted transmission (HTTPS) for data in transit.
No method of transmission or electronic storage is 100% secure. We cannot guarantee absolute security.
You are responsible for keeping your Google account and BYOK API keys secure and for choosing trustworthy pages to inspect.
14. Children's privacy
The Service is not directed to anyone under the age of 13. We do not knowingly collect Personal Data from children under 13. If you believe a child has provided us with Personal Data, contact us and we will take steps to remove it.
15. Links to other websites
The Service may link to third-party websites (including AI providers, PostHog, Figma, and the Chrome Web Store). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.
16. Changes to this privacy policy
We may update this privacy policy from time to time. We will post the updated policy on this page and change the "Last updated" date at the top.
For material changes, we may also notify you by email or through a prominent notice in the Service before the change takes effect.
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
17. Contact us
If you have questions about this privacy policy or our data practices, contact us:
Email: info@inspecta.design