Company Name: spacetype Ltd.
Company Registration Number: 206100269
Operating Name: Type Forward
Location: 1574, Georgi Asparuhov Gundi, bl. 27 A, ent. V, ap. 42
Contact Email: hello@typeforward.com
Website: typeforward.com

If you have any questions about this policy or wish to exercise your data protection rights, please use the email address above.

A. Information from All Website Visitors

1. Mailing List Subscriptions Data

• Data: Email address and your consent. Our email provider (Brevo) also records technical data such as time, IP address, and a consent log to manage your subscription.

• Why: To send newsletters (e.g., new font releases, sales) and manage welcome/trial font emails.

• Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw at any time via the unsubscribe link.

2. Contact form — “Type Services”

• Data: Name, email, message.

• Why and Legal Basis: To reply to your message (Legitimate Interest, Art. 6(1)(f) GDPR). If your message is about purchasing a service, we process this as a necessary step before entering into a contract (Art. 6(1)(b) GDPR).

• Storage: Form entries are stored in WordPress and delivered to our email inbox.

3. Technical data

• Data: Our hosting provider may process IP addresses and basic browser/device information as part of standard server operations, security, and error logs.

• Why: To operate, secure, and debug the site.

• Legal basis: Legitimate interests (site security and reliability) (Art. 6(1)(f) GDPR).

4. Cookies & Consent Logs (via CookieYes)

• Data: Anonymized IP address, your country, your consent status, and a timestamp of when you consented.

• Why: To operate our site, record your cookie preferences, and demonstrate compliance with data protection laws.

• Legal basis: Legal Obligation (Art. 6(1)(c) GDPR). For a detailed list, see our Cookie Policy.

5. Analytics data (via Google Analytics)

• Data: Pseudonymized data about pages visited, time spent, device type, and general location. We have enabled IP anonymization, so your full IP address is not stored.

• Why: To analyze website performance and improve user experience.

• Legal basis: Consent (Art. 6(1)(a) GDPR). Manageable via our cookie settings.

6. Behavior Analytics (via Hotjar & Microsoft Clarity)

• Data: User interactions such as clicks, scrolling, and mouse movements, aggregated into heatmaps and session recordings. Sensitive information in form fields is strictly not recorded.

• Why: To identify usability issues and improve website design.

• Legal basis: Consent (Art. 6(1)(a) GDPR). Manageable via our cookie settings.

7. Affiliate links Some pages include affiliate links to external font shops (e.g., Fontspring, MyFonts). If you click a link and make a purchase, we may earn a small commission at no extra cost to you. The external website will process your data under its own privacy policy, which we do not control.

B. Information from Our Clients (E-commerce)

8. Mandatory User Accounts & Licensing

• Data: Name, email, and a secure password to create your account. We also record the specific fonts licensed and the scope of your usage (e.g., number of users, web domains).

• Why: An account is mandatory to securely deliver digital goods, correctly identify you as the official “Licensee” in the End User License Agreement (EULA), and provide long-term access to your font files and free updates.

• Legal basis: Performance of a Contract (Art. 6(1)(b) GDPR).

9. Billing, Tax, and Transaction Information

• Data: Billing address, company name, VAT number (if applicable), and your IP address at the exact time of purchase.

• Why: To issue legally compliant invoices and calculate the correct EU VAT rate based on your verified location (using your declared address and IP address).

• Data Minimization: During checkout, you may choose to check a box to “Save this information to my account.” This is strictly a user convenience feature to speed up future checkouts, not a marketing opt-in.

• Legal basis: Legal Obligation (Art. 6(1)(c) GDPR) for financial reporting and tax purposes.

10. Payment Processing (Stripe & Bank Transfers)

• Data: For website purchases, payment details (such as credit card numbers). For manual invoices, your sender name, IBAN, and bank details as they appear on our bank statements.
• Stripe (Automated Checkout): We do not request, process, or store sensitive credit card data on our servers. All website payments are securely processed directly through our payment gateway, Stripe. Please note that Stripe also acts as an independent data controller and may collect technical data strictly for fraud prevention and security purposes. For more information, please review Stripe’s Privacy Policy.
• Bank Transfers (Manual Invoices): If you pay a manual invoice via direct wire transfer to our company IBAN, the transaction is processed securely by our banking partners. We retain the resulting bank statements as part of our mandatory financial records.

We use trusted service providers who process personal data only under our strict instructions.

1. Infrastructure & E-commerce

• Hostinger International Ltd. (Hosting Provider, Germany – EU).

• DigitalOcean / AWS (Secure Cloud Storage for generating and delivering font ZIP files and PDF invoices, EU/US).

• Stripe (Secure checkout and payment processing, EU/US).

• Banking Partners (Secure processing of manual wire transfers, EU). They operate as independent data controllers under EU banking regulations.

2. Analytics & Compliance

• Google LLC (Google Tag Manager & Analytics, US).

• Hotjar Ltd. (Behavior Analytics, Malta – EU).

• Microsoft Corporation (Clarity Analytics, US).

• Mozilor Limited (CookieYes Consent Management, UK).

3. Marketing & Communication

• Brevo SAS (Newsletters and transactional emails, France/Germany – EU).

• Google LLC (Google Workspace email, US).

International transfers: Where providers are headquartered outside the EEA (e.g., in the US), we rely on appropriate safeguards under GDPR, such as the European Commission’s Standard Contractual Clauses (SCCs).

• Newsletter subscribers (Brevo): Kept until you unsubscribe; minimal consent logs retained for up to 24 months afterward for compliance.

• Contact form emails: Kept until no longer needed for your request; we review annually and delete stale threads.

• Website form submissions: Kept in WordPress for 12 months, then purged.

• Server access/security logs: Typically kept up to 90 days.

• Backups: Automatic daily backups; currently ~60–90 days of restore points.

• Client & Billing Records (Mandatory): We are legally required by Bulgarian and EU tax law to keep invoices, Universal Ledger records, and License Agreements for up to 10 years after a transaction.

• Right to be Forgotten: If you request account deletion, your user profile and marketing data will be permanently erased. However, the mandatory tax and licensing records mentioned above are immutable and will be retained for the 10-year legal period.

• You have the right to request access, correction, erasure, restriction, portability, and to object to processing based on our legitimate interests. Where we rely on consent, you can withdraw it at any time.

  To exercise your rights, email hello@typeforward.com. We will respond without undue delay. You also have the right to lodge a complaint with your local authority. In Bulgaria, that is the Commission for Personal Data Protection (CPDP).

We use reputable hosting, industry‑standard security measures, and limited access to data. If a data breach occurs, we will investigate, mitigate risk, notify the relevant authority within 72 hours, and inform affected individuals when legally required.

Our site does not target children under 18, and we do not knowingly collect their data. If you believe we have inadvertently collected such information, please contact us at hello@typeforward.com so we can promptly take corrective action.

We may update this policy when our services or the law changes. We will post the updated version here and change the “Last updated” date.