Privacy Policy
Last updated: 2026-04-06
RP Digital Type Foundry ("we", "us", "our") operates https://radimpesko.com ("the Website"). This policy explains what personal data we collect, why we collect it, and your rights regarding that data.
Data Controller:
RP Digital Type Foundry
92 John Trundle Court, EC2Y 8NE London, GB
orders@radimpesko.com
1. What Data We Collect
1.1 Website Analytics (all visitors)
We collect anonymous usage statistics to understand how the Website is used and to improve it. Our analytics system is self-hosted and does not use cookies, browser fingerprinting, or any form of cross-site tracking.
Data collected per visit:
| Data | Detail |
|---|---|
| Masked IP address | Last octet removed (e.g. 192.168.1.x becomes 192.168.1.0) |
| Page viewed | URL path |
| Referrer | The page that linked to us |
| Browser & OS | Parsed from User-Agent header |
| Device type | Desktop, mobile, or tablet |
| Country / region | Derived from masked IP; no precise geolocation |
| UTM parameters | Campaign attribution if present in the URL |
What makes this privacy-friendly:
- No cookies are set for analytics purposes
- No data is stored on your device (no localStorage, sessionStorage, or similar)
- IP addresses are masked before storage (IPv4 /24, IPv6 /48)
- Visitor identifiers rotate daily and cannot be used to track you across days
- No cross-site tracking or data sharing with third parties
- All analytics data is stored on our own infrastructure (not shared with third parties)
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in understanding website usage to improve our services. Given the privacy-preserving design (no cookies, masked IPs, daily rotation), this processing does not require consent under the ePrivacy Directive.
1.2 IP Geolocation
To determine approximate visitor location (country/region level), masked IP addresses may be sent to ipinfo.io for geolocation lookup. Only already-masked IPs (with the last octet removed) are shared. See their privacy policy: https://ipinfo.io/privacy-policy
Legal basis: Legitimate interest in understanding geographic distribution of website visitors.
Account Data (registered users)
If you create an account, we store:
- Email address
- First and last name
- Hashed password (bcrypt; we never store your password in plain text)
- Assigned roles and permissions
- Sign-in history (date, masked IP address, browser)
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) or legitimate interest for administrative accounts.
Commerce Data (customers)
If you make a purchase, we additionally store:
- Billing address (name, street, city, postal code, country)
- Organization name, VAT number, company number (if provided)
- Order history, invoices, and subscription details
Payment processing is handled by Stripe (see Section 4). We do not store credit card numbers or full payment details on our servers. Card data is collected directly by Stripe via their secure payment element and never touches our backend.
Data shared with Stripe: Your email address, full name, and payment amount are sent to Stripe to process the transaction and create a customer record.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and legal obligations for tax/accounting records (Art. 6(1)(c) GDPR).
Newsletter / Mailing
If you subscribe to our newsletter, we store:
- Email address
- First and last name (if provided)
- Subscription status and date
- Unsubscription date (if applicable)
We use double opt-in: after signing up, you receive a confirmation email with a link you must click to activate your subscription. You can unsubscribe at any time using the link in every email.
Legal basis: Consent (Art. 6(1)(a) GDPR), given through the double opt-in process.
Activity Logs (administrative)
For administrative users, we log actions performed within the CMS (creating, editing, or deleting content) to maintain an audit trail. These logs contain:
- User name (at time of action)
- Action performed and what was changed
- Timestamp
Legal basis: Legitimate interest in maintaining data integrity and accountability.
2. Cookies
We use only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
session_id |
Maintains your login session (signed, HTTP-only, secure) | Persistent (until sign-out) |
| CSRF token | Protects against cross-site request forgery | Session |
We do not use:
- Tracking cookies
- Third-party cookies
- Advertising cookies
- Analytics cookies
Because we do not use non-essential cookies, no cookie consent banner is required.
Note: Stripe's payment forms may set their own strictly necessary cookies for fraud prevention. These are governed by Stripe's Cookie Policy.
3. Data Retention
| Data category | Retention period |
|---|---|
| Analytics visits & events | 365 days |
| Sign-in history | 90 days |
| Activity logs | 365 days |
| Account data | Until account deletion or upon request |
| Orders & invoices | 7 years (legal requirement) |
| Billing addresses | Until account deletion (anonymized, not deleted, for tax records) |
| Newsletter subscription | Until you unsubscribe |
| Unsubscribed contacts | 30 days after unsubscription |
4. Third-Party Services
We use the following third-party services. Each acts as a data processor under a Data Processing Agreement (DPA) where applicable.
Bunny.net (Content Delivery Network)
Static assets (images, stylesheets, scripts) may be served through Bunny.net to improve loading performance. When your browser requests these assets, Bunny.net receives your IP address and standard HTTP headers (User-Agent, Referer) as part of the request. No personal data is stored by the CDN beyond standard access logs, which are subject to their privacy policy: https://bunny.net/privacy
Legal basis: Legitimate interest in website performance and availability.
Stripe (Payment Processing)
Payment transactions are processed by Stripe, Inc. When you make a purchase:
- Your payment card details are collected directly by Stripe's secure payment element and never touch our servers
- We share your email address and name with Stripe to create a customer record and process the payment
- Stripe may set strictly necessary cookies for fraud prevention
Stripe is certified under the EU-US Data Privacy Framework. See Stripe's Privacy Policy.
Mux (Video Hosting)
Embedded videos are served from Mux. When you play a video, your browser connects directly to their servers, which receive your IP address and standard HTTP headers. The video player may collect playback analytics (play/pause events, watch duration) for service quality purposes.
See their privacy policy: https://www.mux.com/privacy
AppSignal (Error Tracking & Performance Monitoring)
We use AppSignal to monitor application errors and performance. AppSignal operates entirely server-side and is invisible to visitors — it does not set cookies, load scripts in your browser, or collect any data directly from you.
When a server error occurs, technical information (error type, server-side code location, and request URL) is sent to AppSignal for diagnosis. Request parameters containing personal data (passwords, emails) are automatically filtered before transmission. No visitor IP addresses or personal data are intentionally shared with AppSignal.
AppSignal B.V. is an EU-based company (Netherlands) operating under GDPR. See AppSignal's Privacy Policy.
Legal basis: Legitimate interest in maintaining application reliability and security.
Hosting & Infrastructure
The Website is hosted on DigitalOcean. All data is stored within EU. DigitalOcean acts as a data processor under a Data Processing Agreement.
5. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability - receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where consent is the legal basis (Art. 7(3))
To exercise any of these rights, contact us at orders@radimpesko.com.
We will respond within 30 days of receiving your request. If we need more time, we will inform you of the reason and extension period (up to 60 additional days).
You also have the right to lodge a complaint with your local data protection authority.
6. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Secure session cookies (HTTP-only, Secure flag, SameSite)
- Hashed passwords (bcrypt) - we never store passwords in plain text
- IP address masking before storage
- Role-based access control for administrative functions
- Audit logging of administrative actions
- Regular security updates
7. International Transfers
All data is processed and stored within the European Economic Area (EEA). No personal data is transferred outside the EEA.
8. Children's Privacy
The Website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at orders@radimpesko.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you by email or display a prominent notice on the Website.
Contact
For privacy-related questions or to exercise your rights:
RP Digital Type Foundry
92 John Trundle Court, EC2Y 8NE London, GB
Email: orders@radimpesko.com