Privacy Policy
We are committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, store, and safeguard your information in compliance with the UK GDPR and applicable data protection laws.
Data We Collect
We collect personal data that you voluntarily provide when using our services, creating an account, making a purchase, or communicating with us. The types of personal data we may collect include your name, email address, postal address, telephone number, and payment details. This information is essential for us to deliver our font generation services effectively and to maintain a professional relationship with you as our valued customer.
Personal Information
- Identity Data — Your full name, username, and account credentials used to identify you on our platform. This data enables us to personalise your experience and maintain account security.
- Contact Data — Email address, postal address, telephone number, and other contact channels you provide for communication purposes, order updates, and support interactions.
- Payment Data — Billing address, payment card details (processed securely via our payment provider), and transaction history. We never store full card numbers on our servers.
- Profile Data — Preferences, saved font configurations, design history, and any optional information you choose to share about your business or creative projects.
Automatically Collected Data
When you visit our website or use our services, we automatically collect certain technical information about your device and interaction. This data is gathered through cookies, server logs, and similar technologies, and helps us understand how our platform is being used so we can improve your experience.
| Data Type | Details | Purpose |
|---|---|---|
| Device Info | Browser type, operating system, device model, screen resolution | Optimise display and functionality |
| Usage Data | Pages visited, time spent, features used, click patterns | Improve user experience and UI |
| IP Address | Public IP, approximate location (city-level only) | Security, analytics, fraud prevention |
| Log Data | Access times, referrer URL, error logs | Debugging, server maintenance |
We only collect data that is necessary for the purposes described in this policy. We do not engage in indiscriminate data harvesting, and all collection practices are designed with data minimisation principles in mind, as required by the UK GDPR.
How We Use Your Data
We use your personal data for specific, legitimate purposes as outlined below. Each purpose has a clear legal basis under UK GDPR, and we will never process your data in a way that is incompatible with these stated purposes. Our commitment to transparency means you always know why your data is being used and can exercise your rights accordingly.
- 1Service Delivery — Providing, maintaining, and improving our font generation tools, including AI-powered font creation, real-time previews, and export functionality that forms the core of your Fontly experience.
- 2Account Management — Creating and managing your account, authenticating your identity, processing payments, and delivering purchase confirmations, invoices, and receipts for your records.
- 3Personalisation — Tailoring font recommendations, design suggestions, and content based on your preferences, usage patterns, and stated interests to make your experience more relevant and productive.
- 4Communication — Sending service updates, order confirmations, security alerts, and responding to your enquiries, support requests, and feedback through your preferred communication channels.
Additional Purposes
- Analytics & Improvement — Analysing anonymised usage data to identify trends, improve our platform, fix bugs, and develop new features that meet the evolving needs of our users.
- Security & Fraud Prevention — Detecting, preventing, and responding to fraudulent activities, unauthorised access attempts, and potential security threats to protect both our platform and our customers.
- Legal Compliance — Complying with applicable laws, regulations, legal processes, and enforceable governmental requests, as well as exercising, defending, and protecting our legal rights.
- Marketing (with consent) — Sending promotional communications about new features, special offers, and events, but only where you have explicitly opted in to receive such messages. You can unsubscribe at any time.
Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your browsing experience, analyse site traffic, and personalise content. Cookies are small text files stored on your device that help us remember your preferences and understand how you interact with our services. We are committed to being transparent about the cookies we use and giving you meaningful control over them.
| Cookie Type | Examples | Duration | Purpose |
|---|---|---|---|
| Essential | session_id, csrf_token, auth_cookie | Session / 30 days | Required for login, security, and core functionality |
| Functional | lang_pref, theme_mode, font_history | 1 year | Remember preferences and customise your experience |
| Analytics | _ga, _gid, hotjar_id | 2 years max | Understand usage patterns and improve performance |
| Marketing | fb_pixel, gads_id, linkedin_insight | Up to 2 years | Targeted advertising and campaign effectiveness |
You can manage your cookie preferences at any time through our Cookie Consent Banner (displayed on your first visit), your browser settings, or by contacting our support team. Please note that disabling essential cookies may affect the functionality of our services. Most browsers allow you to block or delete cookies through their settings menu.
We also use pixel tags, web beacons, and similar technologies in our emails to track open rates and click-through rates. These help us understand how effectively our communications are reaching you and allow us to improve the relevance of our messages. You can opt out of email tracking by disabling image loading in your email client.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. However, we may share your information with carefully selected partners and service providers who assist us in operating our platform, delivering our services, and communicating with you. All third-party data processors are bound by contractual obligations to protect your data and may only use it for the specific purposes we have authorised.
Categories of Recipients
- Payment Processors — We partner with PCI-DSS compliant payment providers (such as Stripe) to securely process your transactions. Your card details are tokenised and never stored in full on our systems, ensuring the highest level of financial data protection.
- Cloud Infrastructure — We use leading cloud service providers (such as AWS or Google Cloud) to host our platform and store data securely. These providers maintain industry-leading security certifications including SOC 2 Type II and ISO 27001.
- Analytics Providers — Anonymised, aggregated data may be shared with analytics tools (such as Google Analytics) to help us understand usage patterns and improve our services. Individual user data is not identifiable from these reports.
- Legal Obligations — We may disclose your data when required by law, regulation, court order, or governmental authority, or to protect our rights, property, or safety, and that of our users and the public.
Every third party that receives your personal data is subject to a data processing agreement that outlines their obligations under UK GDPR. We conduct regular audits and due diligence reviews to ensure our partners maintain the highest standards of data protection at all times.
Your Data Protection Rights
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have a comprehensive set of rights regarding your personal data. We are fully committed to upholding these rights and making it as straightforward as possible for you to exercise them. Below is a clear explanation of each right and how you can make use of it.
Your Rights Under UK GDPR
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Request a copy of all personal data we hold about you, along with details of how it is processed. | Email our Data Protection Officer or use the request form below. |
| Right to Rectification | Request correction of inaccurate or incomplete personal data we hold about you. | Update via your account settings or contact our support team. |
| Right to Erasure | Request deletion of your personal data where there is no legal basis for continued processing. | Submit a deletion request via email or your account dashboard. |
| Right to Restriction | Request that we limit the processing of your data in certain circumstances. | Contact our DPO with specific details of the restriction sought. |
| Right to Portability | Receive your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV). | Download from your account or request via our support team. |
| Right to Object | Object to processing based on legitimate interests or for direct marketing purposes. | Opt out of marketing emails or contact our DPO. |
| Right to Withdraw Consent | Withdraw your consent at any time where processing is based solely on your consent. | Update cookie preferences or email marketing settings. |
We will acknowledge your request within 72 hours and aim to respond fully within 30 calendar days, as required by UK GDPR. In complex cases, we may extend this by a further two months, in which case we will notify you of the delay and the reasons for it. All responses are provided free of charge.
Data Security Measures
We implement industry-leading technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security infrastructure is designed with a defence-in-depth approach, employing multiple layers of protection that are regularly tested and updated to address emerging threats. Security is not just a feature of our platform; it is foundational to everything we do.
Technical Safeguards
- Encryption — All data in transit is secured using TLS 1.3 encryption. Data at rest is encrypted using AES-256, the gold standard for data protection, ensuring your information remains unreadable even in the unlikely event of unauthorised access.
- Access Controls — Role-based access control (RBAC) ensures that only authorised personnel can access personal data, and all access is logged and monitored. Multi-factor authentication is mandatory for all administrative accounts.
- Infrastructure Security — Our platform runs on enterprise-grade cloud infrastructure with DDoS protection, web application firewalls (WAF), and regular penetration testing conducted by independent security firms.
- Monitoring & Alerts — Continuous security monitoring, real-time threat detection, and automated incident response systems ensure that any potential security event is identified and addressed promptly, 24 hours a day, 7 days a week.
Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we discover that we have inadvertently collected personal data from a child under 16 without verified parental consent, we will take immediate steps to delete that data from our systems. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately and we will take appropriate action.
Parents and guardians who wish to restrict their children's access to our services should use parental control tools available through their operating system, browser, or internet service provider. We are happy to assist with any concerns about children's data and will respond promptly to any legitimate parental request.
International Data Transfers
As our operations and service providers may be located outside the United Kingdom, your personal data may be transferred to and processed in countries other than the UK. When such transfers occur, we ensure that appropriate safeguards are in place to protect your data in accordance with the UK GDPR requirements for international data transfers. These safeguards include adequacy decisions by the UK government, Standard Contractual Clauses (SCCs) adopted by the UK Secretary of State, and binding corporate rules where applicable.
- Adequacy Countries — Transfers to countries recognised by the UK government as providing adequate levels of data protection, such as EU member states, are permitted without additional safeguards.
- Standard Contractual Clauses — For transfers to countries without an adequacy decision, we use UK-approved SCCs that impose contractual obligations on the data importer to protect your personal data to standards equivalent to UK GDPR.
- Transfer Impact Assessments — We conduct TIAs to evaluate the legal framework of the destination country and implement supplementary measures where necessary to ensure adequate protection.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. Different categories of data may be subject to different retention periods based on their nature, the purpose of processing, and applicable legal obligations. Our retention schedules are regularly reviewed and updated to ensure we do not hold data longer than necessary.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Data | Duration of account + 2 years | Service continuity, re-engagement |
| Transaction Records | 7 years | UK tax and accounting requirements |
| Support Communications | 3 years | Quality assurance, dispute resolution |
| Marketing Consents | Until withdrawn | Consent management, compliance |
| Server Logs / Analytics | 12 months | Platform performance, security analysis |
When your data reaches the end of its retention period, it is securely deleted or anonymised in accordance with our data disposal procedures. Anonymised data cannot be linked back to you and is therefore no longer considered personal data under UK GDPR.
Legal Basis for Processing
We process your personal data only when we have a lawful basis to do so under the UK GDPR. The legal basis depends on the specific purpose for which we are processing your data and the nature of the data in question. We may rely on more than one legal basis for the same processing activity where appropriate. Understanding the legal basis helps you understand your rights and how you can exercise them.
- 1Contractual Necessity — Processing is necessary to perform our contract with you, such as delivering font generation services, managing your account, processing payments, and providing customer support.
- 2Consent — Where you have given us clear, affirmative consent to process your data for specific purposes, such as receiving marketing communications or enabling optional cookies.
- 3Legitimate Interests — Processing is necessary for our legitimate business interests (such as improving our services, fraud prevention, and security), provided these interests are not overridden by your rights and freedoms.
- 4Legal Obligation — Processing is necessary to comply with a legal obligation to which we are subject, such as tax, accounting, and data protection regulations.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised "Last Updated" date and, where appropriate, by sending you a prominent notice through email or a notification on our platform. We encourage you to review this policy periodically to stay informed about how we protect your data.
Your continued use of our services after the publication of any updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you may discontinue your use of our services and request the deletion of your account and data in accordance with Section 5 of this policy.
To ensure you never miss an important update, we recommend enabling notifications in your account settings. Major policy changes that affect how we handle your data will always be communicated directly to you via email at least 30 days before they take effect.
Contact Our Data Protection Team
If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please do not hesitate to get in touch with our Data Protection Officer.