Privacy Policy

1. Who we are

Hue Type is operated by Sunny Allan, an independent developer based in India. We are the “data controller” for the personal information described in this policy. We can be contacted at sunny.padiyar@gmail.com.

2. What we collect

We only collect the data we need to make the product work:

Account data (via Google Sign-In)

• Email address — to identify your account.
• Display name — to personalise the UI.
• Profile picture URL — to show your avatar.
• Google account ID — to match you to your session on return visits.

We do not receive your Google password, contacts, calendar, files, location, or any other Google data. The scopes we request are openid, email, and profile.

Content you create

• SVG files you upload as icon sources.
• Project metadata — names, descriptions, palette overrides, font type, build history.
• Generated font files — the WOFF2, TTF, and SBIX TTF files we build for you.

Technical data

• Session cookies issued by Supabase to keep you logged in.
• Server logs — IP address, browser user-agent, and the API endpoint hit, kept for up to 30 days for security and debugging. These are not linked to your account profile and not used for analytics.

We do not use analytics tools, advertising trackers, fingerprinting, or session-replay scripts.

3. Why we collect it

• To provide the service — store your projects, build fonts, let you download them, sign you in on return visits.
• To enforce limits — your account's subscription tier dictates how many projects/glyphs you can build.
• To prevent abuse — rate-limiting and basic anti-abuse depend on IP / session signals.
• To respond to you — when you email us for support.

We do not use your data for marketing emails, advertising, or model training.

4. Legal basis (GDPR / UK GDPR)

For users in the EU, UK, or other jurisdictions with similar laws:

• Performance of a contract — to provide the service when you create an account and use it.
• Legitimate interest — for server logs, abuse prevention, and product security. Balanced against your expectations as a user of a SaaS tool.
• Consent— you give consent when you click “Continue with Google” on the sign-in screen. You can withdraw consent at any time by deleting your account.

5. Sub-processors & sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. We use a small set of sub-processors to run the service:

We may also share data when required by law (e.g. a court order from a jurisdiction we are subject to), but we will push back on overreaching requests and notify you where legally allowed.

If we ever introduce billing, we'll add a payments sub-processor (e.g. Dodo Payments or Paddle) and update this policy before activating it. You'll be notified at sign-in.

6. Cookies & local storage

We use only the cookies and storage needed for the app to function:

• Supabase auth cookies — keep you logged in across page loads. Essential. Expires when you sign out or after ~7 days of inactivity.
• LocalStorage— your auth session token (managed by Supabase's SDK) and minor UI preferences (preview size, background colour).

No third-party advertising or analytics cookies. No tracking pixels. There is nothing to opt out of — disabling our cookies simply signs you out.

7. How long we keep data

• Account & project data — kept while your account is active. If you delete a project, the SVGs and built font files are removed from storage immediately. If you delete your account, everything is removed within 30 days.
• Server logs — rotated automatically after 30 days.
• Inactive accounts— if you don't sign in for 24 months, we may email you a warning and then delete the account after a further 30 days.

8. Your rights

Depending on where you live, you have rights to:

• Access a copy of your data.
• Correct any inaccurate data.
• Delete your account and data (the dashboard has a delete-project button; for full-account deletion email us).
• Port your data — we'll export your projects and built fonts on request.
• Object to certain processing, or restrict it.
• Withdraw consent at any time.
• Lodge a complaint with a supervisory authority (your local data-protection regulator).

To exercise any of these, email sunny.padiyar@gmail.com. We'll respond within 30 days.

9. International data transfers

We are based in India; our infrastructure providers are primarily in the US. When you use Hue Type, data is transferred across borders.

For users in the EU/UK: where our sub-processors transfer data outside the EEA/UK, they rely on the European Commission's Standard Contractual Clauses and equivalent safeguards. Their respective Data Processing Agreements are publicly available.

10. Security

• HTTPS everywhere (TLS).
• Row-Level Security on the database — you can only read or write your own rows.
• File storage is private; uploaded SVGs and built fonts are served via short-lived signed URLs.
• Supabase enforces Row-Level Security and Vercel/Render enforce network-level isolation.
• OAuth tokens are never stored in plaintext on our backend.

No system is perfectly secure. If we ever discover a breach affecting your data, we'll notify you and the relevant authorities within 72 hours.

11. Children

Hue Type is not directed at children under 13 (or 16 in the EU, depending on local law). We do not knowingly collect data from children. If you believe a child has signed up, please email us and we'll delete the account.

12. Changes to this policy

If we make material changes — for example introducing payments, adding a new sub-processor, or changing what we collect — we'll update this page, change the Effective date at the top, and notify signed-in users via email or an in-app banner.

13. Contact

Questions, deletion requests, or privacy concerns — sunny.padiyar@gmail.com.

Hue Type · Operated by Sunny Allan, India.