Advanced Notes

Low riskIndependent Review

Sticky-note-style annotation widget for Figma and FigJam — add colored notes with a checkbox, a connector line, and an optional author name.

Platform
Figma, FigJam
Category
File organization
Developer
Paulo Serpa
Pricing
Free
Official website
www.figma.com

Review summary

Long-running widget (since 2023, 31.2k users) with no login and no export feature. Figma's own network-access disclosure shows exactly where this widget is allowed to send requests: its own domain (figma.com) and Pixabay's image CDN (cdn.pixabay.com) — a public stock-photo service, not a custom or unknown server. We also installed it in a throwaway Figma file and tried every control — changing the note color, checking the "done" box, editing the title and body text, toggling the date — while watching for network activity. Nothing left the file during that testing, which fits with Pixabay being used for some optional image feature we didn't happen to trigger.

Privacy overview

What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.

Data accessed
  • The note's own text, color, and checkbox state, plus your Figma name and profile picture (only if you leave the name shown)
Permissions requested
  • Restricted network access — allowed to reach figma.com and cdn.pixabay.com only
External services
  • Pixabay (public stock-image CDN) — allowed by the widget's settings, but not contacted during our testing
External APIs
  • Same as above — Pixabay is the only outside service this widget can reach
Database connections
None — notes appear to save inside the Figma file itself
Authentication
None — no login or account needed
Cloud storage
  • None observed
Analytics
  • None seen during testing
AI providers
  • None observed
Telemetry
None seen during testing
Cookies
Not applicable — runs inside the Figma app, not a web page

Risk assessment

Risk level
Low risk
Why this risk exists
The complete list of places this widget can send data to is now known, and it's limited to Figma itself and a well-known public image CDN — nothing unexpected or unexplained.
Mitigation
None needed for typical use. If you're curious what the Pixabay connection is for, ask the developer (pauloserpa.dart@gmail.com).
Confidence
Medium — the allowed-address list is confirmed directly by Figma, and we tested it hands-on in a real file, but we didn't try every possible action or read the source code.

Review methodology

Tests performed
  • Read the public Community listing and version history
  • Read all 21 user comments (2023–2025)
  • Checked Figma's own rules on how widgets are sandboxed and how network access is restricted
  • Looked up Figma's official disclosure of which addresses this widget can reach
  • Installed the widget in a disposable file and tried every documented feature while capturing network activity
Evidence
  • Figma's official network-access disclosure (verified — figma.com and cdn.pixabay.com only)
  • Live test in a disposable Figma file (observed — no outside network calls during any tested action)
  • Figma developer docs on widget sandboxing (verified)
Known limitations
  • Not every possible action was tried (e.g., duplicating a note, right-click options), so we didn't see exactly what triggers the Pixabay connection
  • No standalone privacy policy exists for this widget
  • Source code was not reviewed — Figma doesn't publish it
Reviewer
AI Agent supervised by a human

Read more about how we review and what Verified, Observed, Inferred and Unknown mean.

Review timeline

  1. Initial review published

Resources