Cart

Privacy Policy

Last updated: February 28, 2026

This Privacy Policy explains how Serpentype ("we", "us", "our") collects, uses, and protects your personal data when you visit our website serpentype.com (the "Website"). We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (nFADP/DSG), the EU General Data Protection Regulation (GDPR/DSGVO), and other applicable data protection laws.

1. Controller (Data Controller)

Serpentype
c/o Atelier Uto
Flüelastrasse 16
8048 Zürich
Switzerland

Email: hello@serpentype.com

If you have any questions about how we handle your personal data, please contact us at the address above.

2. Categories of Data We Process

Depending on your interaction, we may process:

  • Name (first and last name)
  • Email address
  • Postal address, city, postal code, and country
  • Organisation/company name (licensee)
  • Messages you send us via the contact form
  • Technical data (IP address, browser type, device information)
  • Account/login data (verification flow data, account email)
  • Transaction and order data (order identifiers, purchased items, invoice references)
  • Trial and newsletter request data (including consent status)

We do not store full payment card details on our own servers.

3. Purposes and Legal Bases

We process personal data to:

  • Provide website functionality and account access
  • Process trial requests and deliver download links
  • Process orders and deliver licensed font files
  • Provide support and transactional communication
  • Ensure security, fraud prevention, and service integrity
  • Comply with tax, accounting, and legal obligations

Legal bases (where applicable): contract performance (GDPR Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests (Art. 6(1)(f)), and consent (Art. 6(1)(a), e.g., newsletter).

4. Payments and Paddle

We use Paddle (Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom) as our Merchant of Record for all purchases. When you purchase fonts, Paddle processes the transaction on our behalf.

  • Data collected: Email address, name, postal code, country, billing address, city, and licensee/organisation name.
  • Purpose: To process your order, create your customer account, deliver font licenses, and fulfil legal obligations (e.g. tax compliance).
  • Legal basis: Performance of a contract (GDPR Art. 6(1)(b)); compliance with legal obligations (Art. 6(1)(c)).
  • Data sharing: Your payment and billing data is transmitted directly to Paddle. We do not have access to your full payment details (e.g. credit card numbers). Paddle acts as an independent data controller for payment processing.
  • Data transfer: Paddle may process data outside of the EEA/Switzerland. Appropriate safeguards (Standard Contractual Clauses) are in place.

For more information, see Paddle's Privacy Policy.

5. User Accounts and Login

We offer passwordless login via email verification. When you log in, a one-time verification code is sent to your email address.

  • Data collected: Email address.
  • Purpose: To authenticate you and provide access to your order history and font downloads.
  • Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Session cookies: We use a session cookie (kirby_session) that is strictly necessary for the functioning of your account and shopping cart. This cookie is deleted when you close your browser or after the session expires. It is httpOnly, secure, and sameSite: strict.

6. Newsletter (Brevo)

We use Brevo (formerly Sendinblue; Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany) for our newsletter service.

  • Data collected: Email address.
  • Process: We use a double opt-in process. After you subscribe, you will receive a confirmation email. Your subscription is only activated after you click the confirmation link. This ensures GDPR and Swiss data protection compliance.
  • Purpose: To send you updates about new typeface releases and foundry news.
  • Legal basis: Your explicit consent (GDPR Art. 6(1)(a)).
  • Unsubscribe: You may unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us directly. Your email address will then be removed from our mailing list.
  • Data transfer: Brevo stores data on servers in the EU (France/Germany). No third-country transfer.

For more information, see Brevo's Privacy Policy.

7. Transactional Emails (Brevo)

We also use Brevo to send transactional emails such as login verification codes and order confirmations.

  • Data collected: Email address, order details.
  • Purpose: To deliver essential communications related to your account and purchases.
  • Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).

8. Contact Form

Our contact form is processed directly on our server. Your message is forwarded to us via email (using Brevo, see Section 7).

  • Data collected: First name, last name, email address, and your message.
  • Purpose: To respond to your enquiries.
  • Legal basis: Legitimate interest in responding to customer communications (GDPR Art. 6(1)(f)); or pre-contractual measures (Art. 6(1)(b)) if your enquiry relates to a potential purchase.
  • Data retention: Contact form submissions are retained for up to 12 months after your enquiry is resolved.

9. Spam Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) on our contact form to protect against automated spam submissions.

  • Data collected: Turnstile may collect your IP address and browser metadata. Unlike traditional CAPTCHAs, Turnstile does not use tracking cookies and does not require you to solve image puzzles.
  • Purpose: To distinguish between human users and automated bots.
  • Legal basis: Legitimate interest in protecting our website from abuse (GDPR Art. 6(1)(f)).
  • Data transfer: Data may be transferred to Cloudflare servers. Cloudflare participates in the EU-US Data Privacy Framework and is certified under the ISO 27001 standard.

For more information, see Cloudflare's Privacy Policy.

10. Website Analytics (Counter.dev)

We use Counter.dev for privacy-focused website analytics.

  • Data collected: Counter.dev does not use cookies, does not collect personal data, and does not track individual users. It only records aggregate, anonymous page view statistics.
  • Purpose: To understand general usage patterns and improve our website.
  • Legal basis: Legitimate interest (GDPR Art. 6(1)(f)).

For more information, see Counter.dev's Privacy Policy.

11. Content Delivery Network (jsDelivr)

We load the Alpine.js JavaScript library from jsDelivr (Prospect One Sp. z o.o., Poland), a public open-source CDN.

  • Data collected: When your browser requests a file from jsDelivr, your IP address is transmitted to jsDelivr's servers. No cookies are set.
  • Purpose: To deliver JavaScript files efficiently and reliably.
  • Legal basis: Legitimate interest in the reliable and performant operation of our website (GDPR Art. 6(1)(f)).

For more information, see jsDelivr's Privacy Policy.

12. Cookies and Local Storage

We only use strictly necessary cookies. We do not use any advertising or tracking cookies.

Cookie Purpose Duration Type
kirby_session Session management (login, cart) Session (browser close) Essential

Your shopping cart data is stored server-side within your session. No personal data is stored in your browser's local storage or session storage.

13. Data Sharing

We do not sell personal data.

We share personal data only with processors and service providers required to run the service:

  • Paddle (Paddle.com Market Limited, UK) – Payment and billing
  • Brevo (Sendinblue GmbH, Germany) – Newsletter and transactional emails
  • Cloudflare (Cloudflare, Inc., USA) – Spam protection (Turnstile)
  • Counter.dev (EU) – Privacy-focused analytics
  • jsDelivr (Prospect One Sp. z o.o., Poland) – Content delivery

Data may also be disclosed where required by law.

14. International Transfers

Some of our service providers may process data outside of Switzerland and the European Economic Area (EEA):

Service Location Safeguards
Paddle United Kingdom / International UK Adequacy Decision, Standard Contractual Clauses
Brevo EU (France, Germany) No third-country transfer
Cloudflare (Turnstile) United States / Global EU-US Data Privacy Framework, Standard Contractual Clauses
Counter.dev EU No third-country transfer
jsDelivr International (CDN) Standard Contractual Clauses

15. Retention

We retain personal data only as long as required for:

  • Customer accounts and order data: Retained for as long as your account exists and for up to 10 years thereafter to comply with Swiss and EU commercial and tax record-keeping obligations.
  • Newsletter subscribers: Retained until you unsubscribe.
  • Contact form submissions: Retained for up to 12 months after your enquiry is resolved.
  • Session data: Deleted automatically when your session expires or you close your browser.
  • Analytics data: Counter.dev retains only anonymous, aggregate statistics.

When data is no longer required, it is deleted or anonymized.

16. Your Rights

Under the GDPR, the Swiss nFADP, and other applicable laws, you have the following rights:

  • Right of access – You may request information about what personal data we hold about you (GDPR Art. 15).
  • Right to rectification – You may request that inaccurate data be corrected (Art. 16).
  • Right to erasure ("right to be forgotten") – You may request deletion of your data, subject to legal retention obligations (Art. 17).
  • Right to restriction of processing – You may request that we limit how we use your data (Art. 18).
  • Right to data portability – You may request your data in a structured, machine-readable format (Art. 20).
  • Right to object – You may object to processing based on legitimate interest at any time (Art. 21).
  • Right to withdraw consent – Where processing is based on consent (e.g. newsletter), you may withdraw your consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
  • Right to lodge a complaint – You may file a complaint with a supervisory authority:
    • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch
    • EU: Your local Data Protection Authority (DPA)

To exercise any of these rights, please contact us at hello@serpentype.com.

17. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include HTTPS encryption, secure session cookies, HTTP security headers, and access controls.

18. Minors

Our Website and services are not directed at children under 16 years of age. We do not knowingly collect personal data from minors.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.