Data & Privacy
A plain-English explanation of how Layout handles your design system data. What we extract, where it lives, what third parties are involved, and what we will never do.
What we extract
When you point Layout at a Figma file or website, we extract structural design data only:
- Design tokens: colours, typography scales, spacing values, border radii, and effects.
- Component metadata: component names, variant counts, and properties. Not the full design file.
- Screenshots: small screenshots of individual components for visual reference.
- The generated layout.md: a structured text file synthesised from the above.
- Explorer variants: when you generate component variants in the Explorer, the generated TSX code, your prompt, and any reference images or context files you attached are stored as part of your project.
Where data is stored
All project data is stored in a self-hosted PostgreSQL database (via Supabase) running on infrastructure we control at Hetzner in Germany. This is not a shared multi-tenant cloud service.
- Your data is scoped to your account and organisation. No user outside your account or organisation can access it.
- Component screenshots are stored in private Supabase Storage buckets on the same infrastructure.
- You can export your full design system bundle (layout.md, tokens, components) at any time via the Export button in Studio.
- If you delete a project, its extraction data, layout.md, and screenshots are removed.
How AI generation works
Layout uses AI to synthesise your layout.md and generate component variants in the Explorer. Your extracted design tokens and component metadata are sent to the AI provider as part of these requests. There are two modes:
| Mode | How it works | Credits |
|---|---|---|
| Managed | Layout uses our own Anthropic API key. Your data passes through our server to Claude. | Deducted from your plan allowance. |
| BYOK | You provide your own API key. Your data still flows through our server, but the AI call uses your key. | No credits deducted. Billed directly by the provider. |
In both modes, we log token counts for billing and analytics. We never store the full AI request or response content.
API key handling
Your personal API keys (Anthropic, Google AI, Figma) are stored in your browser's localStorage. When you make a request that needs an AI provider, your key is sent to our server as a request header, used to call the provider, and then discarded. Keys are never written to our database or logged.
For more detail, see the API Keys docs page.
Sub-processors
The following third-party services process some of your data as part of Layout's functionality:
| Service | Purpose | What data is shared |
|---|---|---|
| Anthropic | layout.md generation and Explorer variant generation | Design tokens, component metadata, screenshots (as context for AI generation). Not stored by Anthropic. Not used for training. |
| Google AI | AI image generation and Gemini model access | Image generation prompts and style context. Not used for training when sent via the API. |
| Stripe | Payment processing | Billing information only. No design data. |
| Hetzner | Infrastructure hosting (Germany) | All project data resides on Hetzner servers. Encrypted at rest and in transit. |
What we never do
- Train AI models on your data. Your design system data is never used to train, fine-tune, or improve any AI model.
- Share or sell your data. Your extraction data, layout.md, and components are never shared with third parties beyond the sub-processors listed above.
- Access your data for our own product development. We do not look at, aggregate, or analyse individual customers' design systems.
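- Store your API keys. Personal API keys are stored only in your browser's localStorage. When a request needs an AI provider, the key is sent to our server as a request header, used to call the provider, and then discarded. Keys are never written to our database or logged.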
- Crawl your Figma workspace. We read only the specific file you point us at. We do not access other files in your account.
Organisations and teams
If you use Layout within an organisation, all projects and components are shared with members of that organisation based on their role (owner, admin, editor, viewer). Your personal API keys and login credentials are never shared with other org members.
Data retention and deletion
- Project data is retained for as long as your account is active.
- Deleting a project removes its extraction data, layout.md, variants, and screenshots.
- Deleting your account removes all personal data and project data within 30 days.
- Anonymous, aggregated analytics (page views via self-hosted Plausible) cannot identify you and may be retained indefinitely.
Legal pages
For the full legal text, see our Privacy Policy and Terms of Service. If you have questions about how we handle your data, contact us at hello@layout.design.