Company Name: spacetype OOD
Company Registration Number: BG206100269
Operating Name: Type Forward
Location: 1574, Georgi Asparuhov Gundi, bl. 27 A, ent. V, ap. 42
Contact Email: hello@typeforward.com
Website: typeforward.com

If you have any questions about this privacy policy or wish to exercise your data protection rights, please use the email address above.

A. Information from All Website Visitors

1. Mailing List Subscriptions Data

• Data: Email address and your consent. Our email provider (Brevo) also records technical data such as time, IP address, and a consent log to manage your subscription.
• Why: To send newsletters (e.g., new font releases, sales) and manage welcome/trial font emails.
• Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw at any time via the unsubscribe link.

2. Contact form — “Type Services”

• Data: Name, email, message.
• Why and Legal Basis: To reply to your message (Legitimate Interest, Art. 6(1)(f) GDPR). If your message is about purchasing a service, we process this as a necessary step
  before entering into a contract (Art. 6(1)(b) GDPR).
• Storage: Form entries are stored in WordPress and delivered to our email inbox.

3. Technical data

• Data: Our hosting provider may process IP addresses and basic browser/device information as part of standard server operations, security, and error logs.
• Why: To operate, secure, and debug the site.
• Legal basis: Legitimate interests (site security and reliability) (Art. 6(1)(f) GDPR).

4. Cookies & Consent Logs (via CookieYes)

• Data: Anonymized IP address, your country, your consent status, and a timestamp of when you consented.
• Why: To operate our site, record your cookie preferences, and demonstrate compliance with data protection laws.

• Legal basis: Legal Obligation (Art. 6(1)(c) GDPR). For a detailed list, see our Cookie Policy.

5. Analytics data (via Google Analytics)

• Data: Pseudonymized data about pages visited, device type, and general location. We have enabled IP anonymization, so your full IP address is not stored.
• Why: To analyze website performance and improve user experience.
• Legal basis: Consent (Art. 6(1)(a) GDPR). Manageable via our cookie settings.

6. Behavior Analytics (via Hotjar & Microsoft Clarity)

• Data: User interactions such as clicks, scrolling, and mouse movements, aggregated into heatmaps and session recordings. Sensitive information in form fields is strictly not recorded.
• Why: To identify usability issues and improve website design.
• Legal basis: Consent (Art. 6(1)(a) GDPR). Manageable via our cookie settings.

7. Affiliate links. Some pages include affiliate links to external font shops (e.g., Fontspring, MyFonts). If you click a link and make a purchase, we may earn a small commission at no extra cost to you. The external website will process your data under its own privacy policy, which we do not control.

B. Information from Our Clients (E-commerce)

8. Mandatory User Accounts & Licensing

• Data: Name, email, and a secure password to create your account. We also record the specific fonts licensed and the scope of your usage (e.g., number of users, web domains).
• Why: An account is mandatory to securely deliver digital goods, correctly identify you as the official “Licensee” in the End User License Agreement (EULA), and provide long-term access to your font files and free updates.
• Legal basis: Performance of a Contract (Art. 6(1)(b) GDPR).

9. Billing, Tax, and Transaction Information

• Data: Billing address, company name, VAT number (if applicable), and your IP address at the exact time of purchase.
• Why: To issue legally compliant invoices and calculate the correct EU VAT rate based on your verified location (using your declared address and IP address).
• Data Minimization: During checkout, you may choose to check a box to “Save this information to my account.” This is strictly a user convenience feature to speed up future checkouts, not a marketing opt-in.
• Legal basis: Legal Obligation (Art. 6(1)(c) GDPR) for financial reporting and tax purposes.

10. Payment Processing (Stripe & Bank Transfers)

• Data: For website purchases, payment details (such as credit card numbers). For manual invoices, your name, IBAN, and bank details as they appear on our bank statements.
• Stripe (Automated Checkout): We do not request, process, or store sensitive credit card data on our servers. All website payments are securely processed directly through our payment gateway, Stripe. Please note that Stripe also acts as an independent data controller and may collect technical data strictly for fraud prevention and security purposes. For more information, please review Stripe’s Privacy Policy.
• Bank Transfers (Manual Invoices): If you pay a manual invoice via direct wire transfer to our company IBAN, the transaction is processed securely by our banking partners. We retain the resulting bank statements as part of our mandatory financial records.

11. Checkout Legal Consent

• Data: When you complete a purchase on our website, we record that you agreed to our Terms of Use, this Privacy Policy, and the applicable End User License Agreement (EULA), including your acknowledgment of immediate digital delivery, the waiver of the statutory 14-day withdrawal right where applicable, and our commercial refund guarantee. We also store the exact consent wording shown at checkout, the date and time of your consent, and your IP address at that moment.
• Why: To demonstrate compliance with consumer and e-commerce law, resolve disputes, and maintain a secure legal and accounting audit trail tied to your order.
• Legal basis: Performance of a Contract (Art. 6(1)(b) GDPR) and Legal Obligation (Art. 6(1)(c) GDPR) for record-keeping.

• Manual B2B orders: For manual B2B orders, custom quotes, or bank-transfer invoices, we may record your consent based on written communication with you, such as email confirmation, rather than through the website checkout form.

• Document versions: For website checkout, we may also record the version of the legal documents shown at checkout (this Privacy Policy, our Terms of Use, and the applicable End User License Agreement).

12. Checkout Marketing Opt-In (Optional)

• Data: Your email address and, if you opt in, a record that you chose to receive marketing communications (for example, font updates, new releases, and foundry news).
• When we use it: We send marketing emails only if you subscribe through our mailing list or trial-font signup, or if you tick the optional marketing checkbox at checkout. This is separate from the required checkout legal consent checkbox (§11 above), which you must accept to complete a purchase.
• Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw at any time using the unsubscribe link in every marketing email.

We use trusted service providers who process personal data only under our strict instructions.

1. Infrastructure & E-commerce

• Hostinger International Ltd. (Hosting Provider, Germany – EU).
• DigitalOcean Spaces (Secure cloud object storage for generating and delivering font ZIP packages, license PDFs, invoice and receipt PDFs, and related order documents in your account Vault; EU/US regions as applicable).
• Stripe (Secure checkout and payment processing, EU/US).
• Banking Partners (Secure processing of manual wire transfers, EU). They operate as independent data controllers under EU banking regulations.

2. Analytics & Compliance

• Google LLC (Google Tag Manager & Analytics, US).
• Hotjar Ltd. (Behavior Analytics, Malta – EU).
• Microsoft Corporation (Clarity Analytics, US).
• Mozilor Limited (CookieYes Consent Management, UK).

3. Marketing & Communication

• Brevo SAS (Newsletters and transactional emails, France/Germany – EU).
• Google LLC (Google Workspace email, US).

International transfers: Where providers are headquartered outside the EEA (e.g., in the US), we rely on appropriate safeguards under GDPR, such as the European Commission’s
Standard Contractual Clauses (SCCs).

• Newsletter subscribers (Brevo): Kept until you unsubscribe; minimal consent logs retained for up to 24 months afterward for compliance.
• Contact form emails: Kept until no longer needed for your request; we review annually and delete stale threads.
• Website form submissions: Kept in WordPress for 12 months, then purged.
• Server access/security logs: Typically kept up to 90 days.
• Backups: Automatic daily backups; currently ~60–90 days of restore points.
• Client & Billing Records (Mandatory): We are legally required by Bulgarian and EU tax law to keep invoices, refund credit notes, Universal Ledger records, and License Agreements for up to 10 years after a transaction, even if an order has been refunded or cancelled.
• Right to be Forgotten: If you request account deletion, your user profile and marketing data will be permanently erased. However, the mandatory tax and licensing records mentioned above are immutable and will be retained for the 10-year legal period (this applies to both successful and refunded orders).

You have the right to request access, correction, erasure, restriction, portability, and to object to processing based on our legitimate interests. Where we rely on consent, you can withdraw it at any time.

To exercise your rights, email hello@typeforward.com. We will respond without undue delay. You also have the right to lodge a complaint with your local authority. In Bulgaria, that is the Commission for Personal Data Protection (CPDP).

We use reputable hosting, industry‑standard security measures, and limited access to data. If a data breach occurs, we will investigate, mitigate risk, notify the relevant authority within 72 hours, and inform affected individuals when legally required.

Our site does not target children under 18, and we do not knowingly collect their data. If you believe we have inadvertently collected such information, please contact us at hello@typeforward.com so we can promptly take corrective action.

We may update this privacy policy when our services or the law change. We will post the updated version on this page and change the “Last update” date shown in the sidebar.