Privacy Policy
How we collect, use, and protect your personal information when you use Iconfyra.
Effective date: May 8, 2026 · InkWired Technologies Pvt. Ltd.
1. Who We Are
Iconfyra is operated by InkWired Technologies Pvt. Ltd., a company registered in India.
- Address: C-101, Mahesh Nagar, Jaipur, Rajasthan, Pin Code - 302015, India
- Email: privacy@iconfyra.com
- Product: Iconfyra - an icon library and toolkit for the modern web
When we say "we", "us", or "our" in this policy, we mean InkWired Technologies Pvt. Ltd. When we say "you" or "your", we mean you as a user of Iconfyra.
2. Data We Collect
Waitlist
If you join our waitlist before registering, we collect:
- Email address - to notify you when your spot is ready and to send your invite
Waitlist emails are used solely for this purpose and are deleted once you register or request removal.
Account Information
When you create an account, we collect:
- Name - your display name
- Email address - used for login, notifications, and account recovery
- Password - stored as a one-way bcrypt hash (we never store your plain-text password)
- Registration IP address - the IP address you signed up from, stored with your account to detect and prevent fraudulent or automated registrations
Usage Data
When you use Iconfyra, we automatically collect:
- IP address - for rate limiting, security, and abuse prevention
- API usage logs - endpoint, timestamp, response status, and API key used
- API key last-used timestamp - the date and time your API key was last used, stored per key
- CDN usage - bandwidth and pageview counts for your embedded icons
- Download history - records of asset packages you have downloaded
Payment Information
We do not collect or store your credit card details. All payment processing is handled by our third-party payment providers (Stripe, Paddle, and/or PayPal). These providers may collect your payment card number, billing address, and other payment details directly. Please refer to their privacy policies for more information:
Analytics and Advertising
Iconfyra uses the following Google services to improve the product and measure the effectiveness of advertising. These services collect data about how you interact with the site:
- Google Analytics 4 - collects anonymized usage data such as pages visited, session duration, and general geographic location (country/city level).
- Google Tag Manager - a tag management system used to deploy analytics and conversion tracking scripts.
- Google Ads conversion tracking - records conversion events (such as account sign-up or purchase) when you arrive from a Google Ads campaign.
These services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Data may be transferred to Google's servers in the United States. See Google's Privacy Policy for details. You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
Bot Protection
Our registration form may use Cloudflare Turnstile, a privacy-focused challenge that distinguishes real users from automated bots. When active, it processes technical data such as your IP address and limited browser signals to assess whether the request is automated. Turnstile is designed not to track users across sites or serve advertising. This processing is carried out by Cloudflare, Inc. as a service provider on our behalf, on the basis of our legitimate interest in preventing abuse and spam registrations. See the Cloudflare Privacy Policy for details.
Usage Analytics
We collect anonymised usage data to understand how visitors interact with the site and to improve our service. This includes page views, referrer information, browser type, and country-level location. No cookies are used for this purpose.
When you are logged in, your account identifier and plan tier may be associated with your session to help us understand usage patterns across different account types. This data is stored on our own servers and is never shared with third parties.
Data We Do Not Collect
- We do not use Meta Pixel or social tracking pixels
- We do not collect data from third-party social logins
- We do not sell or share your data with advertisers or ad networks
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Name, email, password hash |
| Transactional emails (welcome, password reset, 2FA codes, team invites) | Email address |
| Subscription management and billing | Email, payment data (via Stripe/Paddle) |
| Enforcing plan limits (API rate limits, bandwidth, collections) | API usage logs, CDN usage data |
| Security and abuse prevention | IP address, API usage patterns |
| Product improvement and bug fixing | Aggregated, anonymized usage data |
We do not use your data for marketing, advertising, or profiling purposes. We only send transactional emails directly related to your account and usage.
4. Legal Basis for Processing
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:
- Contract performance - processing necessary to provide you with Iconfyra services (account management, API access, CDN delivery).
- Legitimate interest - processing for security, fraud prevention, and product improvement, where our interests do not override your rights.
- Consent - where required by law, such as for optional cookies or communications.
- Legal obligation - processing required to comply with applicable laws (tax records, fraud reporting).
5. Data Sharing
We do not sell your personal data. We share data only with the following categories of service providers, and only to the extent necessary to operate Iconfyra:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe / Paddle / PayPal | Payment processing | Email, billing details (collected directly by provider) |
| Mailgun | Transactional email delivery | Email address, email content |
| Bunny CDN | CDN delivery of icon assets for embedded collections | IP address, request logs (for bandwidth accounting) |
| Google (Analytics / Ads / GTM) | Analytics and conversion tracking (when configured) | Anonymized usage data, conversion events (no personal identifiers) |
| Hosting provider | Infrastructure | All data stored on servers (encrypted at rest) |
We may also disclose data if required by law, court order, or to protect our rights and the safety of our users.
6. Cookies
Iconfyra uses essential cookies required for the service to function, and may also use optional Google services (Analytics, Ads, Tag Manager) for product improvement and conversion tracking when configured by the site operator.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
PHPSESSID |
Essential | Session management (login state, CSRF protection) | 2 hours (session) |
remember_token |
Essential | Persistent login ("Remember me" feature) | 30 days |
cookie_consent |
Essential | Records your cookie consent preference | 1 year |
_ga, _ga_* |
Analytics | Google Analytics 4 - session and pageview tracking for product improvement | 2 years / 24 hours |
_gcl_au |
Advertising | Google Ads - conversion tracking when you arrive from an ad campaign | 90 days |
Essential cookies are set with HttpOnly, Secure, and SameSite=Lax
flags. Analytics and advertising cookies are set by Google and governed by
Google's Privacy Policy.
You can opt out using the
Google Analytics Opt-out Add-on
or your browser's cookie settings.
For full details, see our Cookie Policy.
7. Data Retention
- Account data - retained while your account is active. Deleted when you delete your account.
- API usage logs - retained for 90 days for plan enforcement, then automatically purged.
- API per-minute rate limit buckets - stored in the
api_rate_limittable; individual minute-window records are purged automatically after 2 minutes. - API key last-used timestamp - updated on each API request; retained for the lifetime of the key.
- CDN usage data - aggregated monthly, raw logs purged after 90 days.
- Payment records - retained as required by tax and financial regulations (typically 7 years).
- IP addresses - transient rate-limiting records are kept for up to 24 hours. The IP address recorded at registration is stored with your account for fraud and abuse prevention and is removed when you delete your account.
When you delete your account, we permanently remove your personal data (name, email, password hash, API keys, collections, and usage data) within 30 days. Some anonymized, aggregated data may be retained for product analytics.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access - request a copy of the personal data we hold about you.
- Rectification - correct inaccurate or incomplete data. You can update your name and email from your profile settings.
- Erasure ("Right to be Forgotten") - delete your account and all associated data. Available in your profile settings.
- Data portability - request your data in a machine-readable format.
- Restriction - request that we limit how we process your data.
- Objection - object to processing based on legitimate interest.
- Withdraw consent - where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at the address below. We will respond within 30 days as required by applicable law.
Account deletion: You can delete your account at any time from your profile settings. This permanently removes all your personal data, API keys, collections, and usage history.
9. Data Security
We take the security of your data seriously and implement the following measures:
- Passwords are hashed using bcrypt with a strong cost factor
- All connections are encrypted via HTTPS/TLS
- Session cookies use HttpOnly, Secure, and SameSite flags
- CSRF protection on all form submissions and state-changing API calls
- Two-factor authentication (2FA) available for all accounts
- API keys are hashed before storage
- Rate limiting on authentication endpoints to prevent brute-force attacks
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately.
10. International Transfers
Iconfyra is operated from India. If you are accessing the service from outside India, your data may be transferred to and processed in India or other countries where our service providers operate (including the United States, where some of our infrastructure and third-party providers are located).
Where we transfer personal data of EEA, UK, or Swiss residents to countries that the European Commission has not recognized as providing adequate data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) issued by the European Commission, or equivalent mechanisms recognized under applicable law.
You may request a copy of the safeguards we have in place for international transfers by contacting us at privacy@iconfyra.com.
11. GDPR - European Union & United Kingdom
If you are in the EEA, UK, or Switzerland, the GDPR (or UK GDPR) applies to how we handle your personal data. InkWired Technologies Pvt. Ltd. is the data controller. Contact us at privacy@iconfyra.com for any GDPR requests and we will respond within 30 days.
We process your data on the following legal bases: contract performance (account, billing, service delivery), legitimate interest (security, fraud prevention, anonymized analytics), legal obligation (tax records), and consent (optional analytics cookies).
Your rights under the GDPR include access, rectification, erasure, restriction, portability, and the right to object. You also have the right to lodge a complaint with your national data protection authority if you believe we have not handled your data correctly. We ask that you contact us first so we can resolve the issue directly.
In the event of a personal data breach posing a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected users directly where the risk is high.
12. India DPDP Act 2023
Iconfyra is operated by InkWired Technologies Pvt. Ltd., a company registered in India. We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) enacted by the Government of India.
Your Rights Under the DPDP Act
As a Data Principal (user) under the DPDP Act, you have the following rights:
- Right to access information - you may request a summary of your personal data and the purposes for which it is being processed.
- Right to correction and erasure - you may request correction of inaccurate data or erasure of your personal data that is no longer necessary for the purpose for which it was collected.
- Right to grievance redressal - you may raise a grievance with our Grievance Officer and receive a response within a reasonable time.
- Right to nominate - you may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
Consent
Where we rely on consent as the basis for processing your personal data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Grievance Officer
In accordance with the DPDP Act 2023 and applicable rules, you may contact our Grievance Officer for any concerns relating to the processing of your personal data:
- Name: InkWired Technologies Pvt. Ltd. (Grievance Officer)
- Email: privacy@iconfyra.com
- Address: C-101, Mahesh Nagar, Jaipur, Rajasthan, Pin Code - 302015, India
We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days.
Data Fiduciary Obligations
As a Data Fiduciary under the DPDP Act, we are committed to:
- Processing personal data only for lawful purposes and in a fair and transparent manner
- Collecting only the personal data that is necessary for the specified purpose
- Maintaining the accuracy and completeness of personal data
- Implementing reasonable security safeguards to prevent personal data breach
- Notifying the Data Protection Board of India and affected users in the event of a personal data breach
13. Children's Privacy
Iconfyra is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.
This minimum age is set at 18 because the DPDP Act 2023 classifies anyone under 18 as a child and requires verifiable parental consent to process their data. Rather than implement a parental-consent flow, we simply do not accept registrations from under-18s. We do not undertake processing likely to cause detrimental effects on the wellbeing of a child.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by placing a notice on Iconfyra before the changes take effect. Your continued use of the service after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us:
- Company: InkWired Technologies Pvt. Ltd.
- Address: C-101, Mahesh Nagar, Jaipur, Rajasthan, Pin Code - 302015, India
- Email: privacy@iconfyra.com