Privacy Policy
How we collect, use, and protect your personal information when you use Iconfyra.
Effective date: April 3, 2026 · InkWired Technologies Pvt. Ltd.
1. Who We Are
Iconfyra is operated by InkWired Technologies Pvt. Ltd., a company registered in India.
- Address: C-101, Mahesh Nagar, Jaipur, Rajasthan, Pin Code - 302015, India
- Product: Iconfyra - an icon library and toolkit for the modern web
When we say "we", "us", or "our" in this policy, we mean InkWired Technologies Pvt. Ltd. When we say "you" or "your", we mean you as a user of Iconfyra.
2. Data We Collect
Account Information
When you create an account, we collect:
- Name - your display name
- Email address - used for login, notifications, and account recovery
- Password - stored as a one-way bcrypt hash (we never store your plain-text password)
Usage Data
When you use Iconfyra, we automatically collect:
- IP address - for rate limiting, security, and abuse prevention
- API usage logs - endpoint, timestamp, response status, and API key used
- CDN usage - bandwidth and pageview counts for your embedded icons
- Download history - records of asset packages you have downloaded
Payment Information
We do not collect or store your credit card details. All payment processing is handled by our third-party payment providers (Stripe and/or Paddle). These providers may collect your payment card number, billing address, and other payment details directly. Please refer to their privacy policies for more information:
Data We Do Not Collect
- We do not use analytics trackers (no Google Analytics, no Meta Pixel)
- We do not use advertising cookies or tracking pixels
- We do not collect data from third-party social logins
- We do not sell or share your data with advertisers
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Name, email, password hash |
| Transactional emails (welcome, password reset, 2FA codes, team invites) | Email address |
| Subscription management and billing | Email, payment data (via Stripe/Paddle) |
| Enforcing plan limits (API rate limits, bandwidth, collections) | API usage logs, CDN usage data |
| Security and abuse prevention | IP address, API usage patterns |
| Product improvement and bug fixing | Aggregated, anonymized usage data |
We do not use your data for marketing, advertising, or profiling purposes. We only send transactional emails directly related to your account and usage.
4. Legal Basis for Processing
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:
- Contract performance - processing necessary to provide you with Iconfyra services (account management, API access, CDN delivery).
- Legitimate interest - processing for security, fraud prevention, and product improvement, where our interests do not override your rights.
- Consent - where required by law, such as for optional cookies or communications.
- Legal obligation - processing required to comply with applicable laws (tax records, fraud reporting).
5. Data Sharing
We do not sell your personal data. We share data only with the following categories of service providers, and only to the extent necessary to operate Iconfyra:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe / Paddle | Payment processing | Email, billing details (collected directly by provider) |
| Mailgun | Transactional email delivery | Email address, email content |
| Hosting provider | Infrastructure | All data stored on servers (encrypted at rest) |
We may also disclose data if required by law, court order, or to protect our rights and the safety of our users.
6. Cookies
Iconfyra uses only essential cookies required for the service to function. We do not use analytics, advertising, or tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
PHPSESSID |
Session management (login state, CSRF protection) | 2 hours (session) |
remember_token |
Persistent login ("Remember me" feature) | 30 days |
cookie_consent |
Records your cookie consent preference | 1 year |
All cookies are set with HttpOnly, Secure, and SameSite=Lax flags
for security. For more details, see our Cookie Policy.
7. Data Retention
- Account data - retained while your account is active. Deleted when you delete your account.
- API usage logs - retained for 90 days for plan enforcement, then automatically purged.
- CDN usage data - aggregated monthly, raw logs purged after 90 days.
- Payment records - retained as required by tax and financial regulations (typically 7 years).
- IP addresses - retained in rate-limiting caches for up to 24 hours.
When you delete your account, we permanently remove your personal data (name, email, password hash, API keys, collections, and usage data) within 30 days. Some anonymized, aggregated data may be retained for product analytics.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access - request a copy of the personal data we hold about you.
- Rectification - correct inaccurate or incomplete data. You can update your name and email from your profile settings.
- Erasure ("Right to be Forgotten") - delete your account and all associated data. Available in your profile settings.
- Data portability - request your data in a machine-readable format.
- Restriction - request that we limit how we process your data.
- Objection - object to processing based on legitimate interest.
- Withdraw consent - where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at the address below. We will respond within 30 days as required by applicable law.
Account deletion: You can delete your account at any time from your profile settings. This permanently removes all your personal data, API keys, collections, and usage history.
9. Data Security
We take the security of your data seriously and implement the following measures:
- Passwords are hashed using bcrypt with a strong cost factor
- All connections are encrypted via HTTPS/TLS
- Session cookies use HttpOnly, Secure, and SameSite flags
- CSRF protection on all form submissions and state-changing API calls
- Two-factor authentication (2FA) available for all accounts
- API keys are hashed before storage
- Rate limiting on authentication endpoints to prevent brute-force attacks
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately.
10. International Transfers
Iconfyra is operated from India. If you are accessing the service from outside India, your data may be transferred to and processed in India or other countries where our service providers operate.
Where we transfer data internationally, we ensure appropriate safeguards are in place as required by applicable data protection laws, including standard contractual clauses where necessary.
11. Children's Privacy
Iconfyra is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by placing a notice on Iconfyra before the changes take effect. Your continued use of the service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us:
- Company: InkWired Technologies Pvt. Ltd.
- Address: C-101, Mahesh Nagar, Jaipur, Rajasthan, Pin Code - 302015, India