Your data, your control.

Account data: your email address, name, and a password hash (we never see the plaintext). Stored when you create an account or buy a pack.

Billing data: handled entirely by Paddle, our payment processor and Merchant of Record. We never see card numbers or banking details — Paddle stores them. We receive only the order ID, amount, and your billing email.

Communication data: the contents of support emails you send us. Stored in our helpdesk for as long as your account is active plus one year, then deleted.

Usage data: anonymised page views, downloads, and search queries. Collected via privacy-preserving analytics (no cross-site tracking, no third-party cookies). We use it to fix bugs and improve the catalog — never to profile individual users.

Technical data: IP address (truncated to /24 within 24 hours), user-agent string, referrer. Used for rate-limiting and to detect fraudulent download patterns.

To deliver the product — serving downloads, granting account access, processing refunds, replying to support requests.

To send transactional emails — receipts, password resets, license renewal reminders, pack-update notifications for packs you've already downloaded. Transactional email cannot be opted out of while you have an active account.

To send marketing emails ONLY if you've explicitly opted in at registration or via the newsletter form. Every marketing email has a one-click unsubscribe link, and the opt-in state is logged with timestamp + IP.

To comply with legal obligations — tax reporting (we're required to keep purchase records for seven years under Egyptian and EU VAT rules), responding to lawful subpoenas, fraud prevention.

Contract performance: account, download, billing, and license data — necessary to deliver what you bought.

Consent: marketing emails, optional analytics. Withdraw at any time without losing product access.

Legitimate interests: fraud prevention, security logging, anonymised analytics. Balanced against your privacy — none of it is used for ad targeting.

Legal obligation: tax-record retention as required by Egyptian Tax Authority and EU One-Stop-Shop VAT rules.

We share data only with the processors required to deliver the product:

• Paddle.com — payment processing, Merchant of Record, VAT handling. Their privacy policy covers billing data.
• Amazon Web Services (S3, CloudFront) — file hosting + CDN. Stores the icon files and your account data at rest, encrypted.
• ElasticEmail — transactional email delivery (receipts, password resets).
• Google Analytics 4 — anonymised usage analytics, IP-anonymisation enabled.
• Sentry — error monitoring. We scrub email addresses from error context before transmission.

We do not sell, rent, lease, or trade your data to third parties. Ever. This includes anonymised or aggregated data.

We will only share data with law enforcement when legally compelled (subpoena, court order, statutory request), and we'll notify you when permitted by law.

Account + license data: retained for as long as your account is active plus seven years after closure (Egyptian + EU tax-record requirements).

Anonymised analytics: 26 months (GA4 default).

Email logs: 90 days for transactional, indefinite for opt-in marketing audit trail (required to prove consent in case of dispute).

Support correspondence: active account + one year, then deleted.

You have the right to: access (request a copy of all data we hold), rectify (correct anything inaccurate), erase (account deletion + data scrub, subject to legal retention), restrict (pause processing), portability (machine-readable export of your account), and object (to specific processing, e.g. marketing).

California residents: under CCPA you additionally have the right to know what categories of personal information we collect and the right to non-discrimination for exercising your privacy rights.

To exercise any right, email hello@roundicons.com from the email address on file (or include a copy of government-issued ID if requesting from another address). We process every request within 30 days.

If you're not satisfied with our response, you may lodge a complaint with your local data-protection authority — for EU residents, that's whichever country you reside in.

We use only the minimal set of cookies required for the site to work:

• rd_session — login session, HttpOnly, Secure, SameSite=Lax. Expires when you log out.
• rd_cart — cart state for in-progress purchases. Cleared after checkout.
• Google Analytics cookies (_ga, _ga_*) — anonymised usage, 13-month expiry. Can be disabled via the consent banner.

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. We do not participate in any advertising network's bidstream.

Browser "Do Not Track" and Global Privacy Control signals are honoured.

Roundicons is operated from Egypt; data may be processed in the EU (Paddle, hosting), US (CloudFront edges, Sentry), and Egypt. Transfers from the EU to outside the EEA happen under Standard Contractual Clauses with our processors. By using the site you consent to these transfers.

Roundicons is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, email hello@roundicons.com and we'll delete the account immediately.

Passwords are stored as bcrypt hashes. All connections are TLS 1.2+. Backups are encrypted at rest. We follow the OWASP Top 10 as a baseline and pen-test the site periodically. Suspected breach affecting your account is notified within 72 hours per GDPR.

Material changes to this policy will be announced via email to all account holders at least 30 days before they take effect, with a summary of what changed and why. Non-material changes (typo fixes, link updates) take effect immediately.

Data Controller: Roundicons (operating as Vectopus Studio), 222B Kawther — Metro Building #405, Hurghada, Egypt. Email hello@roundicons.com with any privacy-related question.