Privacy Policy

Last updated: January 1, 2025

1. Who We Are

Figur (“we”, “us”, “our”) is an AI-powered quote engine that integrates with monday.com. This Privacy Policy explains how we collect, use, store, and delete data when you install and use the Figur app.

2. Data We Collect

When you install Figur via monday.com OAuth, we collect and store the following data:

  • Account identifier — your monday.com account ID, used to uniquely identify your organisation within Figur.
  • Company name — retrieved from your monday.com profile at install time.
  • OAuth access token — encrypted at rest using AES-256-GCM; used to read board/item data and write quote results back to your monday.com boards.
  • Board and column configuration — the board IDs and column mappings you select during onboarding.
  • Discovery answers and quote data — the responses collected through the discovery flow and the AI-generated quotes produced from them.
  • Branding configuration — colours and logo uploaded during onboarding for the client portal.

We do not collect passwords, payment card data, or personal health information.

3. How We Use Your Data

  • To provide the Figur quote-generation service.
  • To write quote results back to your monday.com board columns.
  • To display your branding in the client-facing portal.
  • To improve service reliability and debug errors.

We do not sell your data to third parties, use it for advertising, or share it with any party other than the sub-processors listed below.

4. Third-Party Sub-Processors

We use the following third-party services to operate Figur:

  • Supabase (supabase.com) — PostgreSQL database hosting. All data is stored within Supabase infrastructure. Data is encrypted at rest and in transit.
  • Netlify (netlify.com) — application hosting, CDN, and scheduled background functions.
  • OpenAI (openai.com) — AI processing for quote generation. Discovery answers and scope details are sent to OpenAI's API to compute AI-adjusted pricing. OpenAI does not use API inputs to train its models by default.
  • monday.com (monday.com) — the platform Figur integrates with. Board, item, and column data is read and written via the monday.com API using your authorised OAuth token.

5. Data Retention and Deletion

When you uninstall the Figur app from your monday.com account, we receive an uninstall webhook and immediately revoke your active OAuth token. All remaining data associated with your account (including board configurations, discovery data, and quote history) is permanently deleted within 7 days of uninstall — well within monday.com's 10-day requirement.

To request immediate deletion of your data, contact us at the address below.

6. Cookies

Figur uses the following cookies:

  • figur_onboarding_session — an HttpOnly, Secure, SameSite=None session cookie set after OAuth installation. Used to authenticate onboarding API requests. Expires after 2 hours. This is an essential cookie; no consent is required.
  • monday_oauth_state — a short-lived HttpOnly cookie used solely to prevent CSRF attacks during OAuth. Expires after 10 minutes and is deleted immediately after use.

We do not use tracking, analytics, or advertising cookies.

7. Security

All data in transit is protected by TLS 1.2 or higher. All data at rest in our database is encrypted. OAuth access tokens are stored encrypted using AES-256-GCM with a key held separately from the database. We do not log access tokens or other secrets.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. To exercise any of these rights, please contact us at the address below.

9. Contact

For privacy-related questions or data deletion requests, contact us at: privacy@figur.one