Privacy

Privacy notice.

How Nicky Laatz Creations Ltd (UK) collects, uses, and protects the personal information we hold about you. This notice applies to fontcurator.com, the FontCurator desktop app, and any related services we operate.

Version 1.0.0 · last updated 15 May 2026

1. Who we are

Nicky Laatz Creations Ltd (UK) (registered at PO Box 172, Launceston, PL150BN, United Kingdom) is the controller responsible for the personal information described in this notice. Our VAT number is GB300167163. You can reach our privacy contact by email at support@fontcurator.com .

2. Information we collect

We only collect information we need to deliver and bill for FontCurator, stay compliant with tax and consumer law, and provide support. The categories below describe what we hold and where it comes from.

  • Account & invoice details — first name, last name, email address, country, optional postal address, and (for business buyers) a VAT registration number with its country of issue. Provided by you at checkout.
  • Payment information — we do not see or store your card or bank details. PayPal handles your payment and hands back a payer reference (PayPal payer ID, billing country, masked email) plus the transaction outcome. We retain those references against your order record.
  • Order & licence records — order reference, seat count, price breakdown (subtotal, VAT, total, currency), country evidence used for VAT, invoice number, the licence key issued to you (stored as a one-way hash — we cannot recover the plain text from our records), and the email address you bought with for recovery.
  • Network metadata — IP address used when you visit the site or use the desktop client (for rate limiting, fraud protection, and approximate country detection), browser / user-agent string, referring URL, and a session identifier (HTTP cookie) used to bind your CSRF token.
  • Support correspondence — messages you send via the contact form, including any files you attach (screenshots, logs). We also keep operator-side notes against your ticket that you don’t see directly but that we use for triage.
  • Desktop application telemetry — when the FontCurator app contacts our licence-check endpoint, we log the hardware identifier prefix associated with each activation (used to enforce your seat count) and the endpoint response. We do not log the fonts you catalogue, your project contents, or any document you open.

3. Why we collect it (lawful bases)

Under UK GDPR and EU GDPR we rely on the following lawful bases:

  • Contract — to provide FontCurator to you, issue your licence, deliver your download, send your invoice, and provide support. Without this data we can’t complete the purchase.
  • Legal obligation — to keep VAT-compliant records of every sale (invoice details, country evidence, VAT collected) for the period required by HMRC and the relevant EU tax authority.
  • Legitimate interests — to protect the site against abuse (rate limiting, anti-bot CAPTCHA, IP-based geolocation), to enforce your licence terms (hardware-prefix tracking against your purchased seat count), and to debug operational issues from support correspondence.
  • Consent — we don’t use marketing cookies or send marketing emails, so we don’t rely on consent at the moment. If that ever changes we’ll ask you first and update this notice.

4. Who we share it with

We don’t sell your personal information. We share it only with the service providers we need to operate FontCurator:

  • PayPal — to take your payment and verify your billing country. PayPal is a controller in its own right for the data you give it directly; we receive only the payer reference and transaction result.
  • Mailgun — to deliver order confirmations, recovery emails, and contact-form acknowledgments. Mailgun processes your email address and message body on our behalf under a data processing agreement.
  • Google reCAPTCHA — to protect the contact form and checkout against automated abuse. reCAPTCHA sees the page you’re on, your IP address, and behaviour signals relating to that page load; it returns a score we use to allow or block the submission.
  • IP geolocation provider — to derive an approximate country from your IP address for VAT calculation and access control. We send only the IP; we do not share any other personal information with this service.
  • Hosting and infrastructure providers — the systems on which fontcurator.com and our databases run. These providers process data on our behalf under written contracts.
  • Tax authorities, banks, and lawful authorities — where required by law (e.g. HMRC for VAT records, an EU tax authority for cross-border-sales evidence, or a court order).

5. How long we keep it

  • Order, invoice, and licence records — seven years from the end of the tax year of the transaction, to meet UK and EU VAT retention requirements.
  • Account record (name, email, country, VAT number) — kept as long as your licence is active, plus the same seven-year tax window for the linked transactions.
  • Support tickets — up to three years after the ticket is closed, then anonymised or deleted.
  • Network logs and CAPTCHA records — up to 90 days, then rotated out, unless they form part of an ongoing fraud or abuse investigation.
  • Desktop client endpoint logs — up to one year, then aggregated for licence enforcement and deleted at row level.

6. International transfers

Our service providers may process your personal information outside your country — in particular, Mailgun and Google operate in the United States, and our IP geolocation provider may operate from the EU. Where personal information is transferred outside the UK or the EEA we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses, supplemented where necessary by additional safeguards.

7. Your rights

Depending on where you live, you have rights over the personal information we hold. To exercise any of them, email support@fontcurator.com from the address you used to buy — we’ll need to verify it’s really you before we act.

UK GDPR and EU GDPR

If you’re in the United Kingdom or the European Economic Area you have the right to: access a copy of the personal information we hold about you; correct anything that’s wrong; ask us to delete it (subject to our legal retention obligations above); restrict or object to how we use it; receive it in a portable format; and withdraw consent where we’ve relied on consent. You also have the right to lodge a complaint with your supervisory authority — the UK Information Commissioner’s Office (ico.org.uk) or your national EU data-protection authority.

California, Virginia, Colorado, and other US state laws

If you’re a resident of a US state with a privacy law (including California under the CCPA / CPRA, Virginia under the VCDPA, Colorado under the CPA, and similar) you have the right to: know what personal information we have collected about you; access a copy of it; correct inaccurate information; delete it (subject to our legal retention obligations); and opt out of any sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share your personal information for advertising purposes. California residents can additionally request information about the categories of personal information we’ve disclosed for business purposes in the prior 12 months.

8. Cookies and similar technologies

fontcurator.com uses a small number of strictly-necessary cookies only:

  • PHPSESSID — an HTTP-only, SameSite=Lax session identifier used to bind your CSRF token, your rate-limit counters, and (during checkout) your in-flight order state. It expires when you close your browser.
  • reCAPTCHA cookies — set by Google when the reCAPTCHA widget is rendered on /contact or /buy. Google’s own cookies are described in Google’s cookie policy.

We don’t use marketing or analytics cookies in v1, so there’s no consent banner; if that ever changes, this section and the site’s consent UI will both be updated first.

9. Security

We protect your information with reasonable and appropriate technical and organisational measures. These include encryption in transit (HTTPS for the site and the desktop client’s API calls), encryption-at-rest for our configuration secrets, hashed storage of licence keys, scoped database access for operators, and process-level logging. No system is perfectly secure; we keep ours under review.

10. Children

FontCurator is a professional design tool. We don’t target children, and we don’t knowingly collect personal information from anyone under 16. If you believe we have, contact us at support@fontcurator.com and we’ll delete it.

11. Changes to this notice

We will revise this notice from time to time. When we do, we bump the version and last-updated date shown at the top and bottom of this page. Material changes that affect your rights or the data we collect will be highlighted in the next confirmation or acknowledgment email you receive from us.

12. How to contact us

For any privacy question or to exercise a right under the laws above, email support@fontcurator.com from the address you used to buy. Postal correspondence may be sent to Nicky Laatz Creations Ltd (UK), PO Box 172, Launceston, PL150BN, United Kingdom.

Privacy notice version 1.0.0 · last updated 15 May 2026

This version is manually maintained — the version + date are bumped only when the legal content is materially changed.