# Privacy policy > Canonical: https://goodglyph.com/en/privacy-policy How we collect, use, and protect the personal data you give us through the site, forms, and at purchase. We process data under the GDPR (EU Regulation 2016/679) and Romanian Law 190/2018. ## 1. The data controller The controller of the personal data collected through this site is: - **Company** — GOODGLYPH S.R.L. - **Tax ID (CUI)** — 50054260 - **Trade Register** — J40/9379/2024 - **Registered office** — Aleea Terasei nr. 4, bl. E2, sc. 3, et. 2, ap. 52, Sector 4, 041773 București, România - **Email** — contact@goodglyph.com - **Phone** — +40 (775) 691 859 ## 2. What data we collect - Contact details: name, email, phone, provided through forms or at order. - Project details: your brief answers and the materials you send us (text, images, files). - Billing data: what's needed to issue the fiscal invoice. - Payment data: payment is made by bank transfer based on the invoice. If you choose to pay by card, that payment is processed by Stripe; we do not collect or store your card details. - Technical data: IP address, browser type, server logs. - Analytics and marketing data, through cookies (e.g. Google Analytics, Meta Pixel): your on-site behavior, device, and traffic source, collected only with your consent. See the [Cookie Policy](doc:politica-cookies). For the materials you upload in the brief (including photos of people), you are responsible for having the right to send them to us. The interactive tools on the site, like the brief generator and the launch checklist, run entirely in your browser: you fill them in, export a PDF, and send it to us yourself, with no data reaching us automatically through them. ## 3. Purposes and legal basis - **Delivering services and project communication** — Performance of the contract, Art. 6(1)(b). - **Invoicing and tax obligations** — Legal obligation, Art. 6(1)(c). - **Newsletter and marketing communications** — Your consent, Art. 6(1)(a), withdrawable any time. - **Analytics and marketing via cookies (Google Analytics, Meta Pixel)** — Your consent, Art. 6(1)(a); these tools run only after you accept them in the cookie banner. - **Security and fraud prevention** — Our legitimate interest, Art. 6(1)(f). ## 4. How long we keep data We keep data for as long as the purpose requires: data from people who contact us without becoming clients, at most 2 years; project data, for the duration of our work together and a reasonable period after (for portfolio and support); financial documents, for the period required by law (usually 10 years). Marketing data is kept until you withdraw consent. ## 5. The providers we work with We do not sell or rent your data, and we don't share it with third parties for marketing. To run the site we work with the providers below (in use or planned for launch), as processors or service providers, under their own terms and privacy policies: - **Vercel** — Site hosting and infrastructure; keeps standard server logs (IP, requested page, timestamp). Also provides anonymous traffic and performance statistics (Vercel Web Analytics and Speed Insights) — no cookies, no personal identification. US. - **Cloudflare Turnstile** — Anti-bot verification on forms (contact, newsletter, waitlist): processes your IP address and technical browser signals to tell humans from bots. Legitimate interest — security. US. - **Stripe** — Card payment processing, only if you choose this method (payment link). Card data is handled by Stripe, not by us. US/EU. - **Google Drive** — Delivery of the final files (download links for the project deliverables). US. - **Sanity** — Content system (articles, case studies, products). Doesn't track visitors. - **FGO** — Issuing fiscal invoices and e-Factura, sent by email; payment is by bank transfer. Romania. - **Resend** — Transactional and newsletter email. US. - **Google Analytics** — Traffic statistics, anonymized where possible; sets cookies and runs only with your consent. US. - **Meta Pixel** — Measuring and optimizing ad campaigns (Facebook, Instagram); sets cookies and runs only with your consent. US. - **Calendly** — Call scheduling; processes your name, email, and chosen time when you book. US. - **WhatsApp Business** — Contact channel (Meta); if you message us, messages are processed under Meta/WhatsApp's terms. The fonts used on the site are hosted directly on our own servers (via next/font), so displaying them sends no data to Google. Calendly and WhatsApp are just links: none of their scripts load on our pages, and data only reaches them if you choose to book a call or message us. Some of these providers (Google, Meta, Vercel, Resend, Calendly) process data in the United States. These transfers rely on each provider's data-protection safeguards, including the EU Standard Contractual Clauses or the EU-US Data Privacy Framework, where the provider makes them available. We may also disclose data when the law requires it, or to protect our rights, prevent fraud, or safeguard users' safety. ## 6. Forms and newsletter The contact form asks for your name, email, phone (optional), and message so we can reply. The data-processing checkbox is required, and the marketing consent is separate, optional, and unticked by default. The Brand Kit waitlist asks only for your first name and email so we can tell you at launch — with the same email confirmation and the same unsubscribe as the newsletter. When you place an order we ask for the contact and billing details needed to issue your invoice. Our newsletter, the “Studio Journal,” lands in your inbox occasionally, with stories from behind GOODGLYPH. You subscribe only by ticking the box yourself (it isn't pre-ticked) and confirming through a verification email (double opt-in); you then get a welcome email. Every message has an unsubscribe link; if you unsubscribe, we remove you from the list. We don't sell or share the list. ## 7. Security We use reasonable technical and organizational measures (encrypted connection, restricted access) to protect your data. No system is completely secure, however, and transmitting data over the internet carries a residual risk. ## 8. Your rights You have the right to access, rectify, erase, restrict, port, and object, as well as the right to withdraw consent. Details on how to exercise them: the [GDPR](doc:gdpr) page. For any request: [contact@goodglyph.com](mailto:contact@goodglyph.com). We don't make automated decisions that produce legal effects on you, and we don't subject you to that kind of profiling. ## 9. Changes and complaints We may update this policy; the current version is the one published here. If you are unhappy with how we handle your data, you may contact the National Supervisory Authority for Personal Data Processing, [ANSPDCP](https://www.dataprotection.ro). ## 10. Custom projects: our role as processor When we carry out a custom project in which we process personal data on your behalf, for example through forms, a CRM, analytics tools, an online store, or an app we build, you remain the data controller and we act as your processor, strictly on your instructions. On request we sign a data processing agreement (DPA) setting out the purpose, duration, security measures, and any sub-processors. Some providers offer data processing agreements only on certain plans. We therefore choose hosting and tools that match the data sensitivity of each project.