Request A Demo

Privacy Policy

Fuga Technologies Ltd. Privacy Policy

Last Updated: January 2026

This Privacy Policy explains how Fuga Technologies Ltd. (“Fuga,” “we,” “us,” or “our”) collects, uses, shares, stores, transfers, and protects personal data when you use our cloud-based creative automation platform, Adobe InDesign plugin, and associated AI-powered design tools (the “Service”). This Policy also outlines your rights and describes our compliance approach under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss FADP, the Israeli Privacy Protection Law (including Amendment No. 13), and relevant U.S. state privacy laws (e.g., CCPA/CPRA). By using the Service, you acknowledge the practices described herein.

DEFINITIONS

For the purposes of this Privacy Policy, the terms “Users,” “you,” or “your” refer to:

  1. Individuals who visit our websites, request a demo, sign up for an account, or use the Service;
  2. Employees, contractors, or representatives of business customers who access the Service on behalf of their organization; and
  3. Prospective customers (leads) who engage with us through forms, email, or other communication channels.

This applies whether you use the Service as a consumer (B2C) or as a business customer (B2B).

Scope and Relationship to Terms of Service

This Policy applies to personal data processed when you access our website or platform, create an account, upload content or use Service features, purchase a subscription, or communicate with our support or sales teams.

Controller vs. Processor. Fuga acts as a Data Controller when processing account data, billing data, analytics, communications, and marketing information.

When you upload content to the platform (e.g., design files, images, text, templates, assets), the User or organization is the Data Controller, and Fuga acts as a Data Processor (including for purposes of GDPR/UK GDPR Article 28), solely to provide the Service.

Processing performed solely as a Processor is governed by our Data Processing Agreement (DPA), which may include Standard Contractual Clauses (SCCs) and other transfer mechanisms for international transfers, as applicable.

This Policy forms an integral part of our Terms & Conditions https://fuga.tech/terms/

Data Controller and Contact Details

Data Controller: 

Fuga Technologies Ltd.
Rothschild Blvd 45, Tel Aviv, Israel.

Contact (including privacy requests):
Email: [email protected].

Information We Collect

We collect the following categories of personal data, depending on how you interact with our Service:

Account and Contact Information:

Name, company, job title, email address, phone number, login credentials, and account preferences.

Content You Upload (Customer Content):

Design files, layouts, fonts, metadata, images, and templates used in the Service. Personal data within uploaded content is processed solely to provide the Service (as Processor, where applicable).

Usage Data (Cookie-Free Analytics):

We do not use cookies or similar trackers for analytics. We collect anonymized and/or aggregated usage metrics (browser type, OS, timestamps, anonymized IP, feature interactions) using Google Analytics configured in privacy-centric mode (cookie-free) and with IP anonymization enabled where applicable.

 

InDesign Plugin Telemetry and Diagnostics Data:

When you use our InDesign plugin, the plugin processes Customer InDesign files locally on the User’s device. The contents of Customer design files are not uploaded to our servers through the plugin as part of ordinary operation.

Notwithstanding the foregoing, the plugin and/or Service may transmit to Fuga:

  1. Account-linked identifiers and technical informationreasonably necessary to provide the Service and support (including troubleshooting, service operations, license enforcement, and security); and
  2. Aggregated, de-identified, or system-wide telemetry and diagnostic informationused to monitor performance and improve the Service.

This information may include size names created by Users, metadata, telemetry, error logs, and crash reports.

 

Communication and Support Data:

Information you provide when contacting us via email, chat, phone, or inquiry forms, including support tickets and related correspondence. If you provide optional diagnostic logs to support, such submission will be handled in accordance with our Terms & Conditions and only upon the applicable written consent by email.

Transactional and Billing Data:

For paid subscriptions, we collect billing name, billing address, and transaction records. Payment card data is processed only by accredited third-party payment providers (such as Stripe and/or PayPal). We do not store full credit card numbers.

Marketing and Newsletter Data:

Name, email, company, region and preferences stored in Zoho when subscribing to newsletters or marketing communications. You may unsubscribe at any time.

Sensitive Data:

We do not intentionally collect sensitive personal data. Users must avoid uploading such data unless legally permitted and strictly necessary. If you do provide sensitive information, you agree we may process it for the purpose for which you provided it, in accordance with this Policy and applicable law.

Children’s Data:

Our Services are not directed to children, and we do not knowingly collect personal data from individuals under 13 (or below the minimum age in their jurisdiction). If discovered, we delete such data promptly. If you believe that a child has provided us with personal data, please contact us at [email protected], and we will take appropriate steps to delete such information.

How We Use Personal Data (Purposes & Legal Bases)

We process personal data for the following purposes and under the following legal bases (where applicable):

 

Providing and Operating the Service:

Account creation, authentication, subscriptions, service delivery, rendering/output generation, integrations, and core platform operations.
Legal bases: performance of a contract; legitimate interests.

 

Customer Support:

Responding to inquiries, troubleshooting, and maintaining support records.
Legal bases: performance of a contract; legitimate interests.

Security and Fraud Prevention:

Monitoring, logging, intrusion detection, abuse prevention, and security investigations.
Legal bases: legitimate interests; legal obligation.

 

Product Analytics and Improvement:

Aggregated and de-identified analytics and diagnostics used to measure service performance and improve features.
Legal bases: legitimate interests.

 

 

 Optional Programs – Previews/Thumbnails and Content-Derived Materials (Opt-In):

 

If we offer a program that involves sharing previews/thumbnails or other content-derived materials for product improvement (including AI capability improvement), participation will be strictly optional and based on your explicit opt-in consent (by email), and may be subject to additional terms (for example, a discount program). You may withdraw your consent at any time. 

Legal basis: consent.

 

AI Model Training / AI Capability Improvement:

We do not use identifiable customer content, prompts, or outputs for AI model training or AI capability improvement without explicit opt-in consent (by email). We may use aggregated and de-identified technical performance metrics (for example, system-wide telemetry and diagnostics) to improve service reliability and performance.
Legal bases: legitimate interests (for aggregated/de-identified metrics); consent (for optional content-based programs).

 

Marketing Communications:

Sending product updates, newsletters, and promotional messages.
Legal bases: consent (B2C); legitimate interests where permitted (certain B2B communications); legal obligation (mandatory notices).

Compliance and Protecting Rights:

Enforcing our Terms, complying with laws, responding to lawful requests, and protecting rights and safety.
Legal bases: legal obligation; legitimate interests.

 

Corporate Transactions:

Mergers, acquisitions, restructuring, or asset transfers under appropriate safeguards.

Legal basis: Legitimate Interests.

 

Sharing of Personal Data and Subprocessors

We do not sell or rent personal data to third parties. We share personal data only with trusted service providers who process data on our behalf, under strict contractual obligations (including DPAs where applicable), confidentiality commitments, and appropriate security measures.

 

Service Providers and Subprocessors:

We use reputable third‑party vendors to support core functions of our Service. These vendors process personal data on our behalf and under our instructions, and are contractually required to maintain confidentiality, implement strong security measures, comply with applicable data protection laws and refrain from using the data for their own purposes.

Our key subprocessors may include:

  • Cloud Infrastructure and Hosting – IBM Cloud (EU): We host and store user content and personal data on IBM Cloud servers located in the European Union.
  • Analytics- Google Analytics (Configured without cookies): Used to collect aggregated, anonymized usage statistics. Google Analytics is configured in a privacy-centric mode, without cookies and with IP anonymization enabled, where applicable.
  • Email Marketing and CRM- Zoho: We use (or may use) Zoho for CRM and marketing communications. Zoho may store contact details such as email address, name, and company for newsletters and outreach, based on our instructions.
  • Payment Processing- Stripe, PayPal, or similar providers: Payment details are submitted directly to the payment processor. We do not store full credit card numbers. These processors may act as independent controllersfor payment data and are responsible for their own compliance and security practices.
  • Customer Support Tools– We may use cloud-based support systems (ticketing tools, helpdesk platforms, live chat providers). Personal data submitted in support requests (email, name, issue description) may be processed through these tools solely to provide support.
  • Additional Subprocessors– We may use error tracking services, email delivery providers (transactional emails), and backup and redundancy services. All subprocessors are bound by appropriate privacy, security, and confidentiality obligations.

We maintain an updated list of key subprocessors available upon request and, where applicable under our DPA, notify customers of material changes.

Transparency and Data Minimization; Internal Access:

Only the minimum data necessary is shared with each subprocessor. Access to personal data within Fuga is restricted to authorized personnel who require such access to perform their duties, and is governed by role-based access controls and confidentiality obligations.

Business Partners:

We do not share personal data with external business partners except when necessary (for example, co-hosting a webinar or joint event). In such cases, we will inform you at the time of collection and seek consent where required.

Legal and Protective Disclosures:

We may disclose personal data when required by law or if we believe in good faith that such disclosure is necessary to: (i) comply with legal obligations, law enforcement requests, or court orders; (ii) protect the rights, property, or safety of Fuga, our Users, or the public; (iii) enforce our agreements; or (iv) detect, prevent, or address fraud, abuse, security issues, or technical problems. Where legally permitted, we may attempt to notify Users before disclosing data pursuant to a legal request.

Corporate Transactions:

If Fuga undergoes a merger, acquisition, restructuring, investment, or sale of assets, personal data may be transferred to the acquiring or resulting entity under appropriate safeguards and subject to this Policy (unless you are notified otherwise).

Third-Party Links and Integrations:

Our Service may include links or integrations with third-party websites or services. Their privacy practices are not governed by this Policy. We encourage you to review their privacy policies before sharing personal data with them.

Data Storage, International Transfers and Protection

Fuga stores, processes, and protects personal data using secure cloud infrastructure, contractual safeguards, and industry‑standard technical and organizational measures. Our goal is to ensure that personal data receives a consistent, high level of protection regardless of where it is processed.

 

Data Storage Location: Personal data and customer content are hosted on IBM Cloud data centers located in the European Union. Limited remote access may occur from Israel (our headquarters, engineering and support teams) and from the United States (certain subprocessors such as Google Analytics or Zoho). Any such access is restricted, logged, and governed by applicable transfer mechanisms.

 

International Data Transfers: Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland – whether for storage, support, or sub-processing – we apply the requirements of GDPR/UK GDPR transfer rules and the Swiss FADP, as applicable.

Transfers to countries that are not recognized as providing an adequate level of protection are protected through one or more of the following safeguards, as applicable:

(a) Standard Contractual Clauses (SCCs) and UK transfer mechanisms
We may execute the European Commission’s SCCs with relevant recipients and, where applicable, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement (IDTA). These mechanisms are designed to provide appropriate safeguards and require recipients to:

  • protect personal data to a level essentially equivalent to applicable EU/UK requirements;
  • process personal data only on documented instructions where required;
  • implement appropriate technical and organizational security measures; and
  • provide enforceable rights and effective legal remedies for data subjects, where applicable.

Copies of applicable SCCs/transfer mechanisms may be provided upon legitimate request, subject to redactions as permitted by law (e.g., to protect confidentiality).

(b) Adequacy decisions (where applicable)
Where a jurisdiction has been recognized by the relevant regulator as providing an adequate level of protection, we may rely on such adequacy decision for the relevant transfer.

(c) Additional safeguards and certifications
Certain subprocessors may maintain certifications and assurance frameworks (such as ISO 27001, SOC 2, or Binding Corporate Rules), which may provide additional layers of protection, depending on the subprocessor and context.

Supplemental Safeguards (Schrems II Alignment)

Where appropriate, we apply additional safeguards, which may include:

  • encryption in transit (TLS/SSL) and at rest where feasible;
  • environment separation and network segmentation;
  • access logging, monitoring, and least-privilege access controls;
  • pseudonymization or minimization where appropriate; and
  • vendor due diligence and periodic reassessment of subprocessor practices.

We continuously evaluate whether additional technical or contractual measures are required and update our controls accordingly.

Consistent Protection Regardless of Location

No matter where data is processed, we apply the privacy and security standards described in this Policy. If you have questions about international data transfers or wish to obtain a copy of applicable safeguards, please contact us at [email protected].

Data Security:

Fuga maintains an information-security program designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, and aligned with applicable requirements (including GDPR Article 32 and applicable Israeli data security regulations).

 

Technical Security Measures- We implement technical safeguards that may include:

 

  • Encryption: All data is encrypted in transit using TLS/SSL. Personal data and customer content are encrypted at rest where applicable.
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, and continuous monitoring.
  • System Hardening: Secure configuration of servers, regular patching, dependency monitoring, and vulnerability reduction practices.
  • Access Controls: Role‑based access, least‑privilege principles, Multi‑Factor Authentication (MFA), and strict credential management.
  • Logging & Monitoring: Comprehensive logging of system, administrative, and access events, continuous monitoring for anomalies, and regular audit reviews.
  • Secure Development Lifecycle (SDLC): Code reviews, secure coding standards, automated security scanning, and testing.

 

Organizational & Administrative Measures- We implement organizational safeguards that may include:

  • Employee Training: Privacy and security training for relevant personnel.
  • Confidentiality: Confidentiality obligations for staff and contractors.
  • Third‑Party Risk Management: Vetting of subprocessors, contractual security requirements, and periodic reassessment.
  • Business Continuity & Disaster Recovery: Encrypted backups, redundancy, and tested recovery procedures (including backups that may persist for a limited time as described in this Policy).
  • Physical Security: Reliance on IBM Cloud data centers certified under ISO 27001, SOC 2, and equivalent standards.

 

Incident Response & Breach Notification-

Fuga maintains procedures to detect, investigate, contain, and remediate security incidents. If a personal data breach occurs and notification is required under applicable law, we will notify affected Users and regulators in accordance with applicable legal requirements.

Data Retention:

Fuga retains personal data only for as long as necessary to fulfill the purposes described in this Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. Retention periods vary by data category, including:

  • Account & Service Data: Account information is retained for as long as the User maintains an active account. Upon account closure or a deletion request, personal data is deleted or anonymized within approximately 30 days, unless retention is legally required.
  • Customer Content: Content uploaded to the platform is retained until the User deletes it or the account is terminated. Deleted content is removed from active systems promptly. Encrypted backup copies may remain for up to 90 daysas part of our backup lifecycle.
  • Analytics Data: Anonymized usage and analytics data generated through cookie-free analytics may be retained for up to 14 months, after which it is deleted.
  • Marketing & CRM Data: Marketing data is retained while the User remains subscribed or engaged. If a User unsubscribes, we retain minimal information in a suppression list to ensure the opt-out is honored.
  • Billing & Transactional Records: Transactional and financial records (including invoices, receipts, payment confirmations, and tax documentation) are retained for at least 7 years, or longer if required by law.
  • Support Communications: Support communications may be retained for approximately 2 yearsto assist with follow-up inquiries, improve support processes, and maintain accurate service records.
  • Legal Holds & Compliance: If we are under a legal obligation to preserve data (for example, due to litigation, audits, regulatory investigations, or requests by authorities), or if the data is necessary to establish, exercise, or defend legal claims, such data will be retained for the duration of the legal hold and secured with access restrictions.

After applicable retention periods, we permanently delete or irreversibly anonymize personal data. If immediate deletion is not possible (for example, due to archived backups), the data is securely isolated until removal becomes feasible.

Your Rights and Choices

We respect and uphold the rights granted to individuals under GDPR, UK GDPR, Swiss FADP, the Israeli Privacy Protection Law, and applicable U.S. state privacy laws. The availability of these rights depends on your jurisdiction and the nature of our processing.

Core Rights (where applicable)-

Depending on your jurisdiction, your rights may include:

  • Right of Access: Request confirmation as to whether we process your personal data and obtain a copy of such data and related information.
  • Right to Correction/Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (“Right to be Forgotten”): Request deletion of personal data in certain circumstances, subject to applicable legal exceptions.
  • Right to Restrict Processing: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Where applicable, request a copy of certain personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests in certain circumstances.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent (withdrawal does not affect the lawfulness of processing prior to withdrawal).

U.S. State Privacy Rights (where applicable)

Certain U.S. states (including California and others) grant additional rights, which we honor where legally required. We do not sell personal information for monetary consideration and do not share personal data with third-party advertisers for cross-context behavioral advertising in a manner that constitutes “sale” or “sharing” under applicable U.S. laws.

 

Right Not to Be Subject to Automated Decision-Making (where applicable)

Where applicable, you may have the right not to be subject to a decision based solely on automated processing, including profiling, where such processing produces legal effects concerning you or similarly significantly affects you. We do not use our AI tools to make binding or consequential decisions about Users without human involvement.

Limitations and Legal Exceptions: These rights may be subject to legal conditions or limitations. For example, we may be required to retain certain information, or we may decline an access request that is manifestly unfounded or excessive, as permitted by law.

How to Exercise Your Rights

You may exercise your rights by contacting us at [email protected]. To protect your security and the privacy of others, we may request additional information to verify your identity before processing requests involving access, deletion, correction, or portability.

We respond within the timeframes required by applicable law and may extend the response period where permitted due to complexity or volume, in which case we will inform you of the reason.

Supervisory Authorities and Complaints [12]

We aim to address and resolve any concerns or questions you may have regarding the processing of your personal data. If you believe that your privacy rights have not been fully respected or that we have not handled your request appropriately, you may contact us at [email protected], and we will make every reasonable effort to address your inquiry promptly and transparently.

If you remain dissatisfied after contacting us, you may lodge a complaint with the relevant supervisory authority in your jurisdiction. The appropriate authority depends on your location and the applicable data protection law.

  • European Union (EU) / European Economic Area (EEA)

Individuals located in the EU or EEA have the right to file a complaint with their local Data Protection Authority (DPA). You may contact the authority in your country of residence, place of work, or where the alleged violation occurred. Contact details for national DPAs are available on the European Commission’s website.

  • United Kingdom (UK)

Individuals in the UK may lodge a complaint with the Information Commissioner’s Office (ICO). Information and online forms are available at ico.org.uk.

  • United States (US)

While the U.S. does not have a single national data protection authority comparable to the GDPR framework, individuals may submit complaints related to privacy or deceptive data practices to the Federal Trade Commission (FTC) at ftc.gov/complaint. Depending on the subject matter, additional regulators may have jurisdiction.

  • Canada

Individuals in Canada may submit privacy-related complaints to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. In certain provinces, complaints may alternatively be addressed to the corresponding provincial privacy commissioner.

  • Other Jurisdictions

Individuals in jurisdictions with dedicated privacy regulators may also contact their local supervisory authority in accordance with applicable law. We will cooperate with any investigation or inquiry conducted by a competent regulatory authority. We nevertheless encourage you to contact us first so we may attempt to resolve the issue directly and efficiently.

 

Updates to this Privacy Policy

We may update or amend this Privacy Policy from time to time to reflect changes in our Services, technologies, operational practices, or legal and regulatory requirements.

When we make material modifications that significantly impact your rights or the way we process personal data, we will provide clear notice through our website, by email (where we have your contact details), and/or via in-product notifications before such changes take effect.

The “Last Updated” date at the top of this Policy reflects the most recent version. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Policy, unless applicable law requires your explicit consent for specific changes.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices (including requests to exercise your privacy rights), please contact us at: [email protected].