Privacy policy

What Navii sees, what it stores, and what it never sends anywhere. Last updated 2026-05-25.

Short version

  • Navii does not require an account. No sign-up, no tracking cookie, no analytics inside the Figma plugin.
  • Seeds you type (names, emails, IDs) are sent to api.navii.dev only when you click Insert or Fill. They are used to render the avatar and are never stored, logged with PII, or shared with third parties.
  • If you buy Navii Pro, your purchase is handled by Gumroad. Navii only receives a license key, used for verification.

What we process

Avatar requests

When the Figma plugin or any caller hits GET /avatar/:seed, our server receives:

  • The seed string in the URL path (whatever you typed — often a username or test email).
  • Standard HTTP request data: IP address, User-Agent, timestamp, requested size and palette.

Seeds are processed in-memory to generate the SVG/PNG response. The rendered image is cached at the CDN edge by URL hash. We do not log seeds together with IP addresses or any other identifier that would let us recover who requested what. Access logs are kept for up to 30 days for abuse detection and aggregate traffic counts, then rotated out.

Pro licenses

If you upgrade, payment is processed by Gumroad — see Gumroad's privacy policy. Navii receives:

  • The license key (returned by Gumroad).
  • The email you optionally enter when verifying inside the plugin.

These are sent to POST /license/verify, forwarded to Gumroad's verification API, and the result is cached for 24 hours in your local Figma clientStorage. We do not maintain a separate user database. To remove the cached license, click Sign out in the plugin's Pro modal.

Website analytics

The public marketing site at navii.dev uses self-hosted Umami for aggregate page-view counts. No cross-site tracking, no fingerprinting, no third-party ad networks. The Figma plugin itself does not load any analytics.

What we do not do

  • We do not read your Figma file beyond what you have selected when you click a button.
  • We do not upload your Figma file, layers, images, or design tokens to any server.
  • We do not sell, rent, or share data with advertisers or data brokers.
  • We do not train any machine-learning model on your seeds or requests.

Sub-processors

  • Hetzner (Germany) — hosting for api.navii.dev and navii.dev.
  • Gumroad — payment processing and license verification for Navii Pro.
  • Cloudflare — DNS and edge caching for static avatar responses.

Your rights

Because Navii does not require an account, there is typically nothing to delete. If you have purchased Pro and want your license invalidated or your email removed from verification logs, email tsormed@gmail.com and we will action it within 30 days.

Children

Navii is a developer tool and is not directed at children under 13. We do not knowingly collect data from children.

Changes

If we materially change this policy we will update the date at the top of this page and, where reasonably possible, note the change in the project changelog at github.com/uxderrick/navii.

Contact

Questions about privacy: tsormed@gmail.com.