Privacy Policy

Figure, Inc. ("Figure," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, store, share, and protect information when you use our mobile application (the "App") and related services (collectively, the "Services").

Company Information:
Figure, Inc.
333 Sylvan Ave, Suite 305
Englewood Cliffs, NJ 07632
Email: privacy@figure.dev
Support: legal@figure.dev

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Services.

2. Information We Collect

We collect information in three ways: directly from you, automatically through your use of the Services, and from third-party sources.

2.1 Information You Provide Directly

Account Information: When you register for an account, we collect:

Full name
Email address
Phone number
Password (stored as an encrypted hash)
Date of birth (for age verification)
Profile photo (optional)

Transaction Data: When you make a purchase:

Shipping and billing addresses
Order details (items purchased, quantities, prices)
Payment method type (e.g., Visa ending in 1234)
Note: We do not store complete credit card numbers. Payment processing is handled securely by our respective payment partners including Elavon Inc., Global Payments Inc., Fiserv, Inc., Seamless Payments, Inc., and is subject to their respective privacy policies.

Customer Support Data: When you contact us for assistance:

Support ticket content and correspondence
Chat logs and email communications
Screenshots or files you provide

User-Generated Content:

Product reviews and ratings
Photos you upload
Comments and feedback
Profile customizations

Survey and Research Data: Information you provide when participating in surveys, focus groups, or user research activities.

2.2 Information Collected Automatically

Device Information:

Device model and manufacturer
Operating system and version (iOS/Android)
Unique device identifiers (IDFA for iOS, Android Advertising ID)
IP address
Browser type and version
Screen resolution
Device language settings

Usage Data:

Pages and features accessed
Time spent on each screen
Button clicks and navigation paths
Search queries within the App
Session duration and frequency
App crashes and error logs
Performance metrics (load times, response times)

Location Data: With your explicit permission, we collect:

GPS coordinates (latitude/longitude)
Purpose: To calculate accurate shipping costs, show nearby retail locations, and provide location-based product recommendations
You can enable or disable location access at any time through your device settings

Network Information:

Mobile carrier
Connection type (WiFi, cellular)
Network performance data

2.3 Cookies and Tracking Technologies

We use the following technologies:

Cookies: Small text files stored on your device to:

Keep you logged in
Remember your preferences (language, currency)
Analyze App performance

Software Development Kits (SDKs): We integrate third-party SDKs including:

Google Firebase Analytics: App usage analytics and crash reporting
Mixpanel: User behavior analysis and feature usage tracking
Segment: Data integration and routing to analytics platforms

Analytics Tools: We use analytics services to understand how users interact with our Services and improve user experience.

Advertising Identifiers: We may collect mobile advertising IDs (IDFA/Android Advertising ID) to:

Measure ad campaign effectiveness
Provide personalized advertising (with your consent)
You can reset or opt-out of personalized ads in your device settings

2.4 Information From Third Parties

Social Media: If you connect your account via social media (Facebook, Google):

Basic profile information (name, email, profile picture)
Friend lists (if you grant permission)

Marketing Partners: We may receive demographic information and interests from third-party data providers to better understand our user base.

Fraud Prevention Services: We receive information from fraud detection services to protect against unauthorized transactions.

3. How We Use Your Information

We process your personal data for the following specific purposes, based on applicable legal grounds:

3.1 Service Delivery and Performance (Contractual Necessity)

Create and manage your account
Process orders and transactions
Deliver products to you
Provide customer support
Authenticate your identity
Enable App features and functionality

3.2 Service Improvement (Legitimate Interest)

Analyze usage patterns and trends
Identify and fix technical issues
Develop new features and products
Conduct A/B testing to improve user experience
Optimize App performance and reliability

3.3 Communication (Contractual Necessity / Consent)

Transactional Communications (no consent required):

Order confirmations and shipping notifications
Password reset emails
Account security alerts
Important policy updates
Responses to your inquiries

Marketing Communications (consent required):

Promotional emails about new products and sales
Push notifications about offers and recommendations
In-app messages about features
You can opt-out at any time using the "Unsubscribe" link or adjusting notification settings

3.4 Personalization (Consent / Legitimate Interest)

Customize content and product recommendations
Remember your preferences and settings
Provide personalized search results
Tailor the user interface based on your behavior

3.5 Marketing and Advertising (Consent)

Send promotional materials (with your opt-in consent)
Display targeted advertisements
Measure advertising campaign effectiveness
Conduct market research

3.6 Security and Fraud Prevention (Legitimate Interest / Legal Obligation)

Detect and prevent fraud, abuse, and unauthorized access
Investigate suspicious activity
Enforce our Terms of Service
Protect the rights and safety of our users
Maintain the security and integrity of our Services

3.7 Legal Compliance (Legal Obligation)

Comply with applicable laws and regulations
Respond to legal requests and court orders
Conduct audits and maintain records
Exercise or defend legal claims

3.8 Research and Analytics (Legitimate Interest)

Understand market trends
Conduct internal research and development
Generate aggregated, anonymized statistics

Our Legitimate Interests Explained: Where we process data based on legitimate interests, we have determined that our business interests do not override your fundamental rights and freedoms. Our legitimate interests include operating and improving our Services, preventing fraud, ensuring security, and conducting analytics to enhance user experience. You have the right to object to processing based on legitimate interests.

4. How We Share Your Information

We do not sell your personal information to third parties for monetary consideration. We share data only in the following limited circumstances:

4.1 Service Providers and Business Partners

We share data with trusted third-party companies that provide services on our behalf:

Cloud Infrastructure:

Amazon Web Services (AWS) - Data hosting and storage
Purpose: Store user data, host the App backend
Location: United States

Analytics, Logging and Performance:

Google LLC (Google Analytics)
Datadog, Inc.
Purpose: App analytics, crash reporting, user behavior analysis
Data shared: Device information, usage data, anonymized user identifiers

Customer Support:

Freshworks, Inc. - Support ticketing system
Purpose: Manage customer inquiries and support tickets
Data shared: Contact information, support correspondence

Email and Communication:

Amazon Web Services (AWS) - Email and SMS delivery service
Purpose: Send transactional and marketing emails
Data shared: Email address, name, message content

Payment Processing:

Elavon Inc., Global Payments Inc., Fiserv, Inc., Seamless Payments, Inc.
Purpose: Process payment transactions securely
Data shared: Payment method information, transaction amounts, billing information
Note: We do not store complete credit card numbers; processors handle this data directly

Shipping and Fulfillment:

FedEx, UPS, and USPS - Order fulfillment
Purpose: Deliver products to customers
Data shared: Name, shipping address, order details

Data Processing Agreements: All service providers are contractually obligated to protect your data, use it only for specified purposes, and comply with applicable privacy laws including GDPR Standard Contractual Clauses where applicable.

4.2 Business Transfers

If Figure, Inc. is involved in a merger, acquisition, asset sale, bankruptcy, or similar transaction, your personal information may be transferred to the successor entity. We will notify you via email and/or prominent notice in the App at least 30 days before your information becomes subject to a different privacy policy.

4.3 Legal Requirements and Protection

We may disclose your information when we believe in good faith that disclosure is necessary to:

Comply with applicable laws, regulations, or legal processes
Respond to subpoenas, court orders, or government requests
Enforce our Terms of Service or other agreements
Protect the rights, property, or safety of Figure, our users, or the public
Detect, prevent, or address fraud, security, or technical issues
Investigate violations of our policies

4.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you with:

Business partners for market research
Advertisers for campaign analytics
Researchers for industry studies

4.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing, such as when you:

Connect your account to social media platforms
Participate in co-branded promotions
Opt-in to data sharing with specific partners

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations.

Deletion Process: When retention periods expire, we securely delete or anonymize your data using industry-standard methods.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

6.1 Access and Data Portability

Right to Access: Request a copy of the personal data we hold about you.

Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).

How to Exercise:

Email legal@figure.dev with the subject line "Data Access Request"
We will respond within 30 days (45 days in some jurisdictions)
We may verify your identity before fulfilling your request

6.2 Correction and Updates

Right to Correction: Request correction of inaccurate or incomplete data.

How to Exercise:

Update your information directly in the App: Settings > Account > Edit Profile
Email legal@figure.dev
We will respond within 30 days

6.3 Deletion

Right to Deletion (Right to be Forgotten): Request deletion of your account and personal data.

How to Exercise:

In the App: Settings > Account > Delete Account
Email support@figure.dev with the subject line "Account Deletion Request"
We will delete your data within 90 days

Limitations: We may retain certain data when:

Required by law (e.g., transaction records for tax purposes)
Necessary to complete a transaction you requested
Needed to detect and prevent fraud or security incidents
Necessary to exercise or defend legal claims

6.4 Opt-Out of Marketing

Email Marketing:

Click "Unsubscribe" at the bottom of any marketing email
Adjust preferences in Settings > Notifications > Email Preferences

Push Notifications:

Disable in the App: Settings > Notifications > Push Notifications
Or in your device settings: Settings > Notifications > Figure App

SMS/Text Messages:

Reply "STOP" to any marketing text message
Or adjust preferences in Settings > Notifications > SMS Preferences

Targeted Advertising:

Opt-out of personalized ads:

iOS: Settings > Privacy > Advertising > Limit Ad Tracking
Android: Settings > Google > Ads > Opt out of Ads Personalization

Opt-out of interest-based ads via industry tools:

NAI Opt-Out: http://optout.networkadvertising.org/
DAA Opt-Out: http://optout.aboutads.info/

6.5 Object to Processing

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

How to Exercise: Email legal@figure.dev with details about the processing you object to. We will cease processing unless we have compelling legitimate grounds that override your interests.

6.6 Restrict Processing

Right to Restrict: Request that we limit how we use your data in certain circumstances (e.g., while we verify accuracy of disputed data).

How to Exercise: Email legal@figure.dev with your request.

6.7 Withdraw Consent

Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

How to Exercise:

Adjust settings in the App (e.g., location permissions, marketing preferences)
Email legal@figure.dev
Note: Withdrawal does not affect the lawfulness of processing before withdrawal

6.8 Lodge a Complaint

Right to Complain: If you believe we have violated your privacy rights, you may lodge a complaint with a supervisory authority.

EU/EEA Residents: Contact your local Data Protection Authority (DPA):

List of EU DPAs: https://edpb.europa.eu/about-edpb/board/members_en

UK Residents: Information Commissioner's Office (ICO):

Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113

California Residents: California Attorney General:

Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

Other Jurisdictions: Contact your local privacy regulator or consumer protection agency.

7. Security Measures

We implement robust technical and organizational measures to protect your personal data:

Limitations: No method of transmission over the internet or electronic storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your password and account credentials.

8. Data Breach Notification

Description of the breach and data affected
Likely consequences
Measures we have taken to address the breach
Recommended actions you can take to protect yourself

How to Report Suspected Breaches: If you suspect unauthorized access to your account:

9. International Data Transfers

Figure, Inc. is based in the United States. If you access our Services from outside the US, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

Your Consent: By using our Services, you acknowledge and consent to the transfer of your information to the United States and other countries that may have different data protection laws than your country of residence.

Adequacy: We conduct transfer impact assessments and implement technical measures (encryption, pseudonymization) to ensure adequate protection during international transfers.

10. Children's Privacy

Our Services are not intended for individuals under the age of 13 (or 16 in the European Economic Area, or the applicable age of digital consent in your jurisdiction).

No Knowing Collection: We do not knowingly collect personal information from children under these age thresholds.

Parental Rights: If you are a parent or guardian and believe your child has provided us with personal information:

Age Verification: We use age-gating mechanisms during account registration to prevent underage users from creating accounts.

School or Educational Use: If you are an educational institution interested in using our Services for students under 18, please contact us at education@figure.dev to discuss COPPA/FERPA-compliant arrangements.

11. Region-Specific Disclosures

11.1 California Residents (CCPA/CPRA)

This section applies to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Categories of Personal Information Collected (Last 12 Months):

Category	Examples	Collected	Business Purpose
Identifiers	Name, email, phone, IP address	Yes	Account creation, service delivery
Commercial Information	Purchase history, transaction data	Yes	Order processing, analytics
Internet Activity	Browsing history, search queries	Yes	Service improvement, analytics
Geolocation Data	Precise location coordinates	Yes (with consent)	Shipping calculations, local recommendations
Sensory Data	Profile photos, product images	Yes (voluntary)	User-generated content
Inferences	User preferences, behavioral predictions	Yes	Personalization, recommendations

Sources of Personal Information:

Directly from you (account registration, purchases)
Automatically from your device (usage data, device information)
Third parties (social media, data brokers, fraud prevention services)

Disclosure for Business Purposes: In the last 12 months, we disclosed personal information to service providers for:

Cloud hosting and data storage
Payment processing
Analytics and performance monitoring
Customer support
Marketing and communications
Fraud prevention

Sale or Sharing of Personal Information:

We do not sell personal information for monetary consideration
We may share certain identifiers for targeted advertising purposes, which you can opt out of.
You have the right to opt-out: Email legal@figure.dev with subject line "Do Not Sell/Share My Personal Information"

Sensitive Personal Information: We collect date of birth for age verification. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA.

Right to Limit Use of Sensitive Personal Information: Email legal@figure.dev to limit use of your sensitive personal information.

Your California Privacy Rights:

Right to Know: Request details about personal information collected, used, and shared (up to 2 requests per 12-month period)
Right to Delete: Request deletion of your personal information (subject to exceptions)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt-out of sale/sharing of personal information
Right to Limit: Limit use and disclosure of sensitive personal information
Non-Discrimination: We will not discriminate against you for exercising your rights (no denial of service, different pricing, or reduced quality)

Authorized Agent: You may designate an authorized agent to make requests on your behalf. The agent must provide:

Written authorization signed by you
Proof of their identity
We may require you to verify your identity directly

Verification Process: To verify your identity, we may ask you to:

Confirm your email address
Provide account information
Answer security questions For deletion requests, we use a heightened verification standard.

Response Timeline: We will respond to verifiable requests within 45 days (extendable by an additional 45 days with notice).

Shine the Light Law (California Civil Code § 1798.83): California residents may request information about disclosure of personal information to third parties for direct marketing purposes. Email legal@figure.dev with "California Shine the Light Request."

Contact for California Privacy Rights:
Email: legal@figure.dev
Online Form: www.figure.dev/privacy

11.2 European Union (GDPR) and United Kingdom

This section applies to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.

Data Controller: Figure, Inc. is the data controller responsible for your personal data.

Legal Bases for Processing: We process your personal data under the following legal bases:

Contractual Necessity: To perform our contract with you (account creation, order fulfillment)
Consent: For marketing, cookies, location tracking, and other optional features
Legitimate Interests: For fraud prevention, security, analytics, and service improvement
Legal Obligation: To comply with laws and regulations

Your Rights Under GDPR:

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / "right to be forgotten" (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)
Right to withdraw consent (Article 7)
Right to lodge a complaint with a supervisory authority (Article 77)

Automated Decision-Making: We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

International Transfers: We transfer data outside the EEA/UK using Standard Contractual Clauses (SCCs). Copies available upon request.

Data Protection Officer: For GDPR-related inquiries:
Email: legal@figure.dev
Postal Address: Data Protection Officer (Legal), Figure, Inc., 333 Sylvan Ave Suite 305, Englewood Cliffs, NJ 07632

Supervisory Authority: You have the right to lodge a complaint with your local Data Protection Authority. Find your DPA at: https://edpb.europa.eu/about-edpb/board/members_en

Data Retention: See Section 5 for detailed retention periods. Data is retained only as long as necessary for the purposes outlined in this policy.

11.3 Other Jurisdictions

Brazil (LGPD): Brazilian residents have rights similar to GDPR, including access, correction, deletion, and portability. Contact legal@figure.dev to exercise your rights.

Canada (PIPEDA): Canadian residents have rights to access and correct personal information. Contact legal@figure.dev for assistance.

Australia (Privacy Act): Australian residents can access and correct their personal information. Contact legal@figure.dev with requests.

Other Regions: If you are located in a jurisdiction with specific privacy laws, please contact legal@figure.dev and we will work with you to address your rights under applicable law.

12. Cookies and Tracking Technologies

12.1 Types of Cookies We Use

Essential Cookies:

Purpose: Enable core functionality (login, session management)
Duration: Session or up to 1 year
Cannot be disabled without affecting App functionality

Analytics Cookies:

Purpose: Understand how users interact with the App
Services: Google Analytics, Mixpanel
Duration: Up to 2 years
Can be disabled (see Section 12.2)

Marketing Cookies:

Purpose: Deliver personalized ads and measure campaign effectiveness
Services: Google Ads, Facebook Pixel
Duration: Up to 1 year
Can be disabled (see Section 12.2)

Preference Cookies:

Purpose: Remember your settings and preferences
Duration: Up to 1 year
Can be disabled (may affect user experience)

12.2 Managing Cookies

In-App Controls:

Settings > Privacy > Cookie Preferences
You can accept or reject non-essential cookies

Browser Controls:

Most browsers allow you to refuse or delete cookies
See your browser's help section for instructions
Note: Disabling cookies may limit App functionality

Third-Party Opt-Out Tools:

Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
NAI Opt-Out: http://optout.networkadvertising.org/
DAA Opt-Out: http://optout.aboutads.info/

Do Not Track (DNT):

We do not currently respond to DNT browser signals
We honor opt-out preferences set in cookie controls

EU Cookie Consent:

EU users will see a cookie consent banner upon first visit
You can manage preferences at any time in Settings > Privacy > Cookie Preferences

13. Third-Party Links and Services

Our App may contain links to third-party websites, services, or applications not operated by Figure, Inc.

No Responsibility: We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies.

Third-Party Login: If you use social media login (Google, Facebook), your information is subject to their privacy policies:

Embedded Content: Third-party content embedded in our App (e.g., YouTube videos, social media widgets) may collect data according to their own privacy policies.

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes: We will notify you at least 30 days before material changes take effect via:

Non-Material Changes: We will update the "Last Updated" date at the top of this policy

Version History: Previous versions of this policy are available upon request at legal@figure.dev.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

California Privacy Requests:
Email: legal@figure.dev (Subject: "California Privacy Request")

Postal Address:
Figure, Inc.
Attn: Figure Legal
333 Sylvan Ave, Suite 305
Englewood Cliffs, NJ 07632
United States

Response Time: We strive to respond to all inquiries within 5-10 business days, and to formal rights requests within the timeframes required by applicable law (typically 30-45 days).

16. Definitions

Personal Data/Personal Information: Information that identifies, relates to, describes, or can be reasonably linked to you.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Controller: The entity that determines the purposes and means of processing personal data (Figure, Inc.).

Processor: An entity that processes personal data on behalf of the controller (our service providers).

Consent: Freely given, specific, informed, and unambiguous agreement to processing of personal data.

Legitimate Interest: A lawful basis for processing when our interests do not override your fundamental rights and freedoms.

Acknowledgment: By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

This Privacy Policy was drafted to comply with GDPR, CCPA/CPRA, COPPA, and other applicable privacy laws. It should be reviewed by legal counsel before deployment.

Privacy Policy

1. Introduction

2. Information We Collect

2.1 Information You Provide Directly

2.2 Information Collected Automatically

2.3 Cookies and Tracking Technologies

2.4 Information From Third Parties

3. How We Use Your Information

3.1 Service Delivery and Performance (Contractual Necessity)

3.2 Service Improvement (Legitimate Interest)

3.3 Communication (Contractual Necessity / Consent)

3.4 Personalization (Consent / Legitimate Interest)

3.5 Marketing and Advertising (Consent)

3.6 Security and Fraud Prevention (Legitimate Interest / Legal Obligation)

3.7 Legal Compliance (Legal Obligation)

3.8 Research and Analytics (Legitimate Interest)

4. How We Share Your Information

4.1 Service Providers and Business Partners

4.2 Business Transfers

4.3 Legal Requirements and Protection

4.4 Aggregated and Anonymized Data

4.5 With Your Consent

5. Data Retention

6. Your Rights and Choices

6.1 Access and Data Portability

6.2 Correction and Updates

6.3 Deletion

6.4 Opt-Out of Marketing

6.5 Object to Processing

6.6 Restrict Processing

6.7 Withdraw Consent

6.8 Lodge a Complaint

7. Security Measures

8. Data Breach Notification

9. International Data Transfers

10. Children's Privacy

11. Region-Specific Disclosures

11.1 California Residents (CCPA/CPRA)

11.2 European Union (GDPR) and United Kingdom

11.3 Other Jurisdictions

12. Cookies and Tracking Technologies

12.1 Types of Cookies We Use

12.2 Managing Cookies

13. Third-Party Links and Services

14. Updates to This Privacy Policy

15. Contact Us

16. Definitions