Skip to main content
WAIMAKERS
About UsCareersContact
|
Schedule Free Call
Back to overview

Weavy.ai (now Figma Weave)

Figma (acquired Oct 2025)

PartialEU: Not AvailableOpt-out AvailableUndefinedUS Only

Business Plan Price

$19/mo (Starter) - billed in USD

Enterprise Features

Privacy policy + ToS now exist. Figma parent has EU Cloud Code of Conduct, SOC 2, DPA

Last Updated

March 23, 2026

Weavy.ai GDPR & Data Privacy Overview for European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.

⚠️ COMPLIANCE STATUS: PARTIAL - SIGNIFICANT GAPS REMAIN

UPDATE (March 2026): Weavy.ai was acquired by Figma on October 30, 2025 (~$200M) and rebranded as "Figma Weave". The standalone Weavy.ai platform continues to operate. Since acquisition, basic legal documentation has been published at weavy.com. However, critical GDPR compliance gaps remain unresolved.

Key developments since October 2025:

  • Privacy Policy and Terms of Service NOW EXIST at weavy.com
  • Per the Privacy Policy, data is not shared with third-party AI model providers for training purposes
  • Figma (parent company) holds EU Cloud Code of Conduct Level 2, SOC 2, DPA, SCCs, and EU data residency options
  • Whether Figma's compliance infrastructure extends to the standalone Weavy.ai product is UNCONFIRMED
  • No standalone DPA specifically for Weavy.ai is publicly available
  • DPO contact: info@weavy.com

This tool is NOT RECOMMENDED for EU customers processing personal data until Figma's DPA coverage of Weavy.ai is confirmed.

1 Purpose

This overview documents what is publicly known about Weavy.ai, a node-based visual AI platform that aggregates multiple generative AI models (Runway Gen-4, Flux Pro 1.1 Ultra, Stable Diffusion 3.5, Minimax, Ideogram V3, Kling, Luma Ray 2, and 15+ others) into a single workflow canvas.

Update (March 2026): Weavy.ai was acquired by Figma on October 30, 2025 for approximately $200M and is being rebranded as Figma Weave. The standalone platform continues to operate at weavy.ai. Since acquisition, basic legal documentation has appeared at weavy.com. However, the relationship between Figma's enterprise compliance infrastructure and the standalone Weavy.ai product remains partially unclear. This document reflects the state of compliance as of March 2026.

2 What We Know About Weavy.ai

Product Overview

Weavy.ai is a node-based platform for creative professionals that provides:[1]

  • Multi-model access: Text-to-image, image-to-video, video generation across 15+ models
  • Professional editing tools: Layers, masks, color grading integrated with AI generation
  • Workflow automation: Reusable node-based workflows
  • Credit-based pricing: Standardised credit system across all models

Models available (as of Oct 2025):[1]

  • Image: GPT img 1, Stable Diffusion 3.5, Flux Pro 1.1 Ultra, Ideogram V3, Recraft V3, Minimax image 01, Hunyuan, Bria
  • Video: Runway Gen-4, Veo 3, Kling, Minimax video, Luma Ray 2
  • Other: Wan, Imagen 3

Pricing Structure

Based on limited information from Weavy.ai's knowledge base:[2][3]

Tier Monthly Credits Workflows History Price
Free 150 credits Up to 5 workflows ❌ None $0/month
Starter 1,500 credits Unlimited 30 days $19/month
Collective Unknown Unknown Unknown Custom pricing
Enterprise Unknown Unknown Unknown Custom pricing

Enterprise Marketing Claims

Weavy.ai's Enterprise page makes the following unverified claims:[4]

  • "Commercial rights, privacy, security, and full indemnity"
  • "Trace every asset back to its legal source"
  • "Priority Slack support, training, and workshops for teams"

⚠️ WARNING: These claims cannot be verified without access to Terms of Service, Privacy Policy, or Data Processing Agreements.

3 What Has Changed and What Remains Unclear

Privacy Policy - NOW EXISTS ✅ (partial)

Since the Figma acquisition (October 30, 2025), a Privacy Policy is now published at weavy.com. Key findings:

  • Data is NOT shared with third-party AI model providers for training purposes (explicitly stated)
  • Basic data collection, processing, and retention information is documented
  • DPO contact: info@weavy.com

Still unclear:

  • Exact server locations and EU data residency options for Weavy.ai-specific infrastructure
  • Complete subprocessor list for the Weavy.ai platform specifically

Terms of Service - NOW EXISTS ✅ (partial)

Terms of Service are now published at weavy.com following the acquisition.

Still unclear:

  • Exact ownership terms for AI-generated content
  • How Figma's standard enterprise terms interact with standalone Weavy.ai usage

Data Processing Agreement (DPA) - UNCONFIRMED ⚠️

Figma (parent company) has:

  • ✅ A publicly available DPA with Standard Contractual Clauses (SCCs)
  • ✅ EU Cloud Code of Conduct Level 2 certification
  • ✅ SOC 2 Type II certification
  • ✅ EU data residency options

Critical gap: Whether Figma's DPA explicitly covers the standalone Weavy.ai product is UNCONFIRMED as of March 2026. EU customers cannot rely on Figma's DPA without explicit confirmation that it covers Weavy.ai services.

Compliance Certifications - INHERITED FROM FIGMA (unconfirmed coverage)

Figma holds:

  • ✅ SOC 2 Type II
  • ✅ EU Cloud Code of Conduct Level 2
  • ✅ ISO 27001 (Figma-level)

Whether these certifications extend to Weavy.ai as an integrated product vs. a standalone service is unconfirmed.

Data Retention Policy - PARTIALLY DOCUMENTED ⚠️

The Privacy Policy now addresses data retention in general terms. Starter plan mentions "30 days of workflow history." Full granular retention periods for prompts, generated outputs, and user metadata are not fully specified.

Training Policy - CLARIFIED ✅

Per the Privacy Policy: user data is not shared with underlying AI model providers for training purposes. Weavy.ai acts as an aggregation layer; it does not claim rights to train on user content.

Note: Individual model providers (Runway, Stability AI, etc.) may apply their own terms when processing requests routed through Weavy.ai. Their retention policies may still apply.

4 GDPR Compliance Assessment

Short answer (March 2026): Weavy.ai has moved from Non-Compliant to Partially Compliant following the Figma acquisition. Basic legal documentation now exists, and Figma's enterprise compliance infrastructure provides an improved baseline. However, the critical gap - a DPA explicitly covering standalone Weavy.ai - remains unconfirmed, which prevents EU business use for personal data processing.

What Has Improved

  • ✅ Privacy Policy now published (data not shared with AI model providers)
  • ✅ Terms of Service now published
  • ✅ Figma parent holds SOC 2, EU Cloud Code of Conduct Level 2, DPA, and SCCs
  • ✅ DPO contact available: info@weavy.com
  • ✅ No training on user content (explicitly stated)

Remaining Risks

GDPR Article 28 (unresolved): Controllers must only use processors with "sufficient guarantees" of GDPR compliance. Until Figma's DPA explicitly covers Weavy.ai, this requirement cannot be reliably met.[5]

GDPR Article 44-49 (partially unresolved): International data transfers require safeguards (SCCs, adequacy decisions). Figma has SCCs, but whether they apply to Weavy.ai's infrastructure specifically is unconfirmed.[5]

What This Means for EU Customers

❌ Do NOT use Weavy.ai for personal data processing until:

  • Figma's DPA is confirmed to cover standalone Weavy.ai services
  • EU data residency option for Weavy.ai is confirmed

⚠️ Proceed with caution (non-personal data) if:

  • Using only for non-personal creative workflows (no identifiable individuals, no confidential data)
  • Willing to document the compliance gap and accept residual legal risk
  • Able to monitor for DPA confirmation as Figma integration progresses

✅ Lower risk if:

  • Figma formally confirms Weavy.ai falls under its enterprise compliance umbrella (check Figma's trust center at trust.figma.com)

5 Comparison to Industry Standards

What reputable AI platforms provide (examples: OpenAI, Anthropic, Adobe, Midjourney, Stability AI):

✅ Public Privacy Policy detailing data collection, processing, and retention

✅ Terms of Service establishing legal relationship and obligations

✅ Data Processing Agreement for business customers (GDPR Article 28)

✅ Compliance certifications (SOC 2, ISO 27001, or equivalent)

✅ Training policies (usually "no training on customer data" for paid tiers)

✅ Data retention policies (30-90 days typical, with deletion options)

✅ Infrastructure disclosure (data center locations, encryption standards)

✅ Subprocessor lists (who has access to data)

What Weavy.ai provides (as of March 2026):

✅ Privacy Policy (weavy.com) - data not shared with AI model providers ✅ Terms of Service (weavy.com) ✅ DPO contact (info@weavy.com) ⚠️ DPA - Figma parent has one, but coverage of standalone Weavy.ai unconfirmed ⚠️ SOC 2, EU Cloud Code of Conduct - Figma-level, unconfirmed for Weavy.ai specifically ⚠️ EU data residency - Figma has this option, unconfirmed for Weavy.ai ❌ No training policy disclosure beyond parent-level statement ❌ No standalone subprocessor list for Weavy.ai

6 Potential Data Flow (Unverified)

[User creates prompt in [Weavy.ai](http://Weavy.ai) node-based canvas]
  ↓
[Prompt sent to [Weavy.ai](http://Weavy.ai) backend]
  ├─ Server location: UNKNOWN
  ├─ Encryption: UNKNOWN
  ├─ Retention: UNKNOWN
  └─ Access controls: UNKNOWN
       ↓
[[Weavy.ai](http://Weavy.ai) routes request to underlying model provider]
  ├─ Runway Gen-4 (video)
  ├─ Flux Pro 1.1 Ultra (image)
  ├─ OpenAI DALL-E (image)
  ├─ Minimax (video/image)
  └─ 10+ other providers
       ├─ Data sharing terms: UNKNOWN
       ├─ Subprocessor agreements: UNKNOWN
       └─ Each provider's retention policy: LIKELY APPLIES
            ↓
[Generated output returned to user]
  ├─ Storage location: UNKNOWN
  ├─ Retention period: UNKNOWN (Starter plan: "30 days of history")
  ├─ Deletion process: UNKNOWN
  └─ Who can access: UNKNOWN

*NOTE: This entire flow is speculation based on typical platform architecture.
Without documentation, actual data handling is COMPLETELY UNKNOWN.*

7 Recommended Alternatives for EU Customers

If you need multi-model AI workflow platforms with proper GDPR compliance:

Adobe Firefly (Creative Cloud)

  • ✅ Privacy Policy, Terms, DPA available
  • ✅ SOC 2, ISO 27001 certified
  • ✅ No training on user content
  • ✅ EU data storage (Ireland)
  • ⚠️ Generative processing location not specified
  • Price: ~€65/month (Creative Cloud Pro)

Individual Model Providers with EU Compliance

  • Runway (video generation) - has privacy docs, US-based
  • Stability AI (Stable Diffusion) - has privacy docs, API terms
  • Midjourney - has privacy policy, Discord-based (US infrastructure)
  • Anthropic Claude - full GDPR compliance, EU processing available
  • OpenAI DALL-E - full GDPR compliance, EU data residency (Enterprise)

Self-Hosted Open Source Options

  • ComfyUI + local model inference (full control, EU servers)
  • Automatic1111 + Stable Diffusion (self-hosted)
  • No data leaves your infrastructure (ultimate GDPR compliance)

8 If You Must Use Weavy.ai (Not Recommended)

Minimum Due Diligence Steps

  1. Contact Weavy.ai directly via support/sales and request:
    • Privacy Policy
    • Terms of Service
    • Data Processing Agreement (DPA)
    • Standard Contractual Clauses (SCCs)
    • List of subprocessors and their locations
    • Data retention and deletion procedures
    • Infrastructure and hosting locations
    • Compliance certifications (SOC 2, ISO 27001)
  2. Conduct a Data Protection Impact Assessment (DPIA) per GDPR Article 35
  3. Document the risk in your processing records (GDPR Article 30)
  4. Obtain explicit consent from data subjects for high-risk processing
  5. Implement contractual safeguards if Weavy.ai provides documentation
  6. Monitor for data breaches and have an incident response plan
  7. Avoid processing:
    • Images of identifiable individuals
    • Proprietary or confidential designs
    • Any EU personal data
    • Sensitive personal data (health, biometric, etc.)

Legal and Financial Risks

  • GDPR fines: Up to €20 million or 4% of global annual turnover
  • Data breach liability: Unlimited damages for affected individuals
  • Regulatory investigation: Time, cost, and reputational harm
  • Contractual breach: Violation of customer agreements requiring data protection
  • IP disputes: Unclear ownership of generated content without Terms of Service

9 Procurement Quick Answers (EU)

Does Weavy.ai have a Privacy Policy?

Yes. Since the Figma acquisition (October 30, 2025), a Privacy Policy is now published at weavy.com. It confirms that user data is not shared with third-party AI model providers for training. DPO contact: info@weavy.com.

Does Weavy.ai have a Data Processing Agreement (DPA)?

Not confirmed for standalone Weavy.ai. Figma (parent company) has a publicly available DPA with SCCs. Whether this DPA covers Weavy.ai as a standalone product is unconfirmed. Contact Figma/Weavy.ai to request explicit confirmation before relying on it for GDPR Article 28 compliance.

Where is Weavy.ai's data stored and processed?

Not fully disclosed for Weavy.ai specifically. Figma has EU data residency options, but whether these apply to Weavy.ai's infrastructure is unconfirmed.

Does Weavy.ai train AI models on user content?

No. Per the Privacy Policy, user data is not shared with third-party AI model providers. Weavy.ai does not train on user content.

How long does Weavy.ai retain user data?

Partially documented. The Privacy Policy addresses retention in general terms; Starter plan mentions "30 days of workflow history." Full granular retention schedules are not publicly specified.[3]

What compliance certifications does Weavy.ai hold?

Figma (parent) holds SOC 2 Type II, EU Cloud Code of Conduct Level 2, and ISO 27001. Whether these apply specifically to the standalone Weavy.ai product is unconfirmed. Check trust.figma.com for the latest status.

Can Weavy.ai be used for GDPR-regulated workloads?

Not yet confirmed. The situation has improved materially since the Figma acquisition, but a standalone DPA for Weavy.ai must be confirmed before using it for personal data processing under GDPR.

What does Weavy.ai's Enterprise "indemnity" claim mean?

Terms of Service now exist at weavy.com. Review the current terms for indemnification scope. For enterprise procurement, request Figma's enterprise agreement and confirm Weavy.ai coverage.[4]

10 Notes & Caveats

  • Research originally conducted: October 19, 2025. Updated March 2026 following the Figma acquisition and publication of legal documentation.
  • Figma acquisition context: Figma acquired Weavy.ai on October 30, 2025 for approximately $200M. The platform is being rebranded as "Figma Weave." The standalone weavy.ai platform continues to operate during integration.
  • **Weavy.com vs. Weavy.ai:** Note that Weavy.com (a separate collaboration platform by Mindroute Incentive USA) is a completely different company from Weavy.ai. The new legal docs at weavy.com are for the Weavy.ai visual AI platform, not the Weavy.com collaboration tool.
  • DPA confirmation is the key outstanding item: The most critical remaining step for EU business compliance is obtaining written confirmation that Figma's DPA covers standalone Weavy.ai services. This can be requested via info@weavy.com or Figma's enterprise sales.
  • Regulatory evolution: The EU AI Act imposes additional transparency and risk management requirements. Figma as a large technology company has resources to address these obligations; Weavy.ai's compliance trajectory is positive but still maturing.
  • Status trajectory: This assessment will be re-evaluated once Figma formally integrates Weavy.ai into its compliance infrastructure and makes an explicit DPA available for the product.

11 Disclaimer

This overview documents the current GDPR compliance status of Weavy.ai following its acquisition by Figma (October 30, 2025). The findings are based on public research conducted in October 2025 and updated in March 2026.

The situation has materially improved since the acquisition: Privacy Policy and Terms of Service now exist, data is not shared with AI model providers for training, and Figma's enterprise compliance infrastructure provides a strong baseline. However, we advise caution for EU customers processing personal data until Figma's DPA is confirmed to explicitly cover standalone Weavy.ai services.

Outstanding items required before recommending for GDPR-regulated workloads:

  1. Confirmation that Figma's DPA covers Weavy.ai (contact: info@weavy.com)
  2. EU data residency option confirmed for Weavy.ai infrastructure specifically
  3. Complete subprocessor list for Weavy.ai

WAIMAKERS B.V. applies strict privacy and security due diligence internally. We do not use tools lacking confirmed GDPR processor agreements for personal data workloads. Customers should apply the same standard.

WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

References

  • **Weavy.ai Product Page** - http://weavy.ai

  • **Weavy.ai Enterprise Claims** - http://weavy.ai/enterprise

  • **Weavy.ai Credit System (Knowledge Base)** - http://help.weavy.ai/credit-system

  • **Weavy.ai Subscription Plans (Knowledge Base)** - http://help.weavy.ai/subscription-plans

  • GDPR Official Text - http://eur-lex.europa.eu

  • Figma Trust Center - https://trust.figma.com

  • Figma Acquires Weavy.ai - TechCrunch, October 30, 2025

Note: Original research conducted October 19, 2025 found no legal documentation. Updated March 2026 following Figma acquisition and publication of Privacy Policy and Terms of Service at weavy.com.

Need help navigating AI?

Schedule Free Call
WAIMAKERS

Learn. Lead. Make.

AI Transformation Boutique · Amsterdam

Make work exciting, make businesses unstoppable.

Who We Help

View all roles & industriesCEOs & Board MembersPE & Investment ManagersCFOs & Finance LeadersInnovation DirectorsCTOs & IT LeadersCommercial Directors

What We Do

View all servicesOur ApproachLearnTailored Training ProgrammesAI Champions ProgrammeAgentic Way of WorkingE-learningLeadMake

Company

About UsResourcesContactCareersPodcast ↗

© 2026 WAIMAKERS. All rights reserved.

Privacy PolicyCookie Policy