Privacy Policy

Last Updated: October 7, 2025

About IconSprint

IconSprint is a digital service operated and managed by Coffee Break Ideas LLC (“IconSprint”, “we”, “us”, “our”). For the purposes of this Policy, references to “IconSprint” shall pertain to the digital service provided by Coffee Break Ideas LLC. All matters related to IconSprint, including this Privacy Policy, are governed by the laws of the United States and the State of Wyoming.

Controller: Coffee Break Ideas LLC, 30 N Gould St Ste R, Sheridan WY 82801, USA Contact: support@iconsprint.com Service/Website: iconsprint.com Audience/Availability: worldwide; web application; minimum age 16+

Scope and Definitions

Scope. This Privacy Policy (the “Policy”) describes IconSprint's rules for personal data processing and protection in connection with our publicly available website and services. The Policy applies to IconSprint, including IconSprint employees and contractors (“we”, “us”, “our”, “IconSprint”). The management of each entity is ultimately responsible for the implementation of this Policy, as well as to ensure, at entity level, there are adequate and effective procedures in place for its implementation and ongoing monitoring of its adherence. For the purposes of this Policy, employees and contractors are jointly referred to as the “employees”.

Privacy Manager. Privacy Manager is an employee of IconSprint responsible for personal data protection compliance within IconSprint (the “Privacy Manager”). The Privacy Manager is in charge of performing the obligations imposed by this Policy and supervising other employees, who subject to this Policy, regarding their adherence to this Policy. The Privacy Manager must be involved in all projects at an early stage in order to take personal data protection aspects into account as early as the planning phase. Users may contact us at support@iconsprint.com for privacy matters.

Competent Supervisory Authority means a public authority that is responsible for regulating and supervising personal data protection with regards to activities of IconSprint. If you are located in the EEA/UK, you may lodge a complaint with your local authority.

Data Breach means a breach of the security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. This includes but is not limited to e-mails sent to an incorrect or disclosed list of recipients, an unlawful publication of the Personal Data, loss or theft of physical records, and unauthorized access to personal information.

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Coffee Break Ideas LLC is the controller for the processing described in this Policy.

Data Processor means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the data controller.

Data Protection Laws mean any laws and legal rules on personal data use and protection applicable to the activities of IconSprint, including, but not limited to, the GDPR, UK GDPR, and applicable U.S. state privacy laws (e.g., CPRA).

Data Subject Request (DSR) means any request from the Data Subject and concerning their personal data and/or data subject rights.

Data Subject means a natural person, whose Personal Data we process. Data Subjects include but are not limited to users and website visitors of IconSprint.

Personal Data means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or the combination of factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

Processing means any operation or set of operations which is performed by IconSprint on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Standard Contractual Clauses means the European Commission's standard contractual clauses for international transfers of personal data, as adopted and updated from time to time.

Third Party means a natural or legal person, who accesses the Personal Data for further processing and is not an employee, member or corporate affiliate of IconSprint. This definition does not apply to natural persons, who provide services to IconSprint as contractors on a regular basis.

User means a Data Subject who uses our services provided on the IconSprint website.

1. Data We Process

1.1 Categories of Personal Data. We process the following categories of Personal Data, as applicable:

• Account Data: name, email address (collected directly or via third-party sign-in, where applicable).
• Billing & Payments: billing name, address, tax/VAT identifiers if provided, payment status and tokens handled by our payment providers (we do not store raw card numbers).
• Service Content: reference images and assets uploaded solely to generate icons and related exports. These files are stored temporarily for the duration of the job and sent to our AI processing provider(s) strictly to perform the requested generation, then promptly deleted from our working systems after processing completes.
• Usage & Technical Data: IP address, device and browser type, operating system, language/locale, referrer, pages viewed, feature usage, and similar diagnostics/logs generated by your use of the service.
• Support & Communications: messages you send to support@iconsprint.com, and related metadata.
• Marketing Preferences/Consents: your choices regarding communications and cookies.

1.2 Children. IconSprint is intended for individuals aged 16 and over. We do not knowingly collect Personal Data from children under 16.

2. Data Processing Principles

2.1 IconSprint's processing activities must be in line with the principles specified in this Section. The Privacy Manager must make sure that IconSprint's compliance documentation, as well as data processing activities, are compliant with the data protection principles.

2.2 We must process the Personal Data in accordance with the following principles:

2.2.1 Lawfulness, fairness and transparency. We shall always have a legal ground for the processing (described in Section 3 of this Policy), collect the amount of data adequate to the purpose and legal grounds, and we make sure the Data Subjects are aware of the processing.

2.2.2 Purpose limitation. We collect for specified, explicit and legitimate purposes and do not further process in a manner that is incompatible with those purposes.

2.2.3 Data minimization. We always make sure the data we collect is not excessive and limited by strict necessity.

2.2.4 Accuracy. We endeavor to delete inaccurate or false data and keep it updated.

2.2.5 Storage limitation. We keep Personal Data in identifiable form no longer than necessary for the purposes for which it is processed.

2.2.6 Integrity and confidentiality. We process in a manner that ensures appropriate security of Personal Data using appropriate technical and organizational measures.

2.3 Accountability.

2.3.1 We shall be able to demonstrate compliance with Data Protection Laws, including appointing a person responsible for data protection compliance; maintaining records and procedures; and training staff.

2.3.2 The Privacy Manager must maintain IconSprint's records of processing activities prepared in accordance with Article 30 GDPR, describing the purposes, legal bases, categories, retention, recipients, transfers, and security measures.

3. Legal Grounds and Purposes

3.1 Legal grounds. Each processing activity must have one of the lawful grounds specified in this Section.

3.1.1 Performance of a contract. Account creation, authentication, delivering the service (including generating and exporting icons), provision of support, and processing payments are necessary to perform our contract with you.

3.1.2 Consent. Where required (e.g., non-essential cookies/analytics in the EEA/UK; marketing emails), we obtain your consent before processing. You can withdraw consent at any time.

3.1.3 Legitimate interests. We may process Personal Data for our legitimate interests, such as ensuring security, preventing fraud/abuse, troubleshooting, service analytics to improve functionality (where consent is not required), and protecting legal rights—balanced against your interests and rights.

3.1.4 Legal obligations. We may process Personal Data to comply with applicable laws (e.g., tax and accounting).

3.2 Purposes.

• Account & Service Delivery (Contract): creating/managing accounts; generating and exporting mobile app icons and related assets; responding to requests.
• Payments & Billing (Contract/Legal Obligation): processing payments via payment providers; maintaining invoices and financial records.
• Security & Operations (Legitimate Interests): authentication logs, abuse prevention, quality assurance, diagnostics.
• Analytics (Consent in EEA/UK; otherwise Legitimate Interests): product analytics via PostHog Cloud EU to understand feature usage and improve the service (no advertising). See our Cookies document for details.
• Marketing Communications (Consent): newsletters or updates, if you opt in; unsubscribe any time.
• Legal Compliance (Legal Obligation): tax, accounting, and responding to lawful requests.

3.3 AI Processing of Reference Images. Users are able to upload reference images when they create icons; we store these images temporarily while the icon is being created and send them to our AI processing provider(s) for generation strictly to provide the service. We do not train our own AI models on your content. Where we can control vendor settings, we instruct providers to use inputs solely to perform the requested processing. See Section 4 and our Sub-Processors document for details.

4. Third Parties

4.1 Before sharing personal data with any person outside of IconSprint, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provides sufficient data protection guarantees in accordance with Data Protection Laws, including, but not limited to, processorship requirements and international transfers compliance.

4.2 We share Personal Data with service providers (processors) that help us operate the service, including cloud hosting, storage/CDN, job queues, analytics, email delivery, error monitoring, payment providers, and AI processing providers. We maintain a separate Sub-Processors document listing current vendors and regions.

4.3 If we are required to delete, change, or stop the processing of the Personal Data, we will ensure that Third Parties with whom we shared the Personal Data will fulfill these obligations accordingly.

4.4 Where IconSprint acts as a processor for a customer (if applicable), the relevant data processing agreement applies and we will process personal data only in accordance with the customer's instructions.

5. International Transfers

5.1 We are based in the United States and use service providers located in the EEA and other countries. If we transfer Personal Data outside of the EEA/UK, we will take necessary and appropriate safeguards in accordance with Data Protection Laws.

5.2 Such safeguards may include the Standard Contractual Clauses and, where applicable, reliance on adequacy decisions (including the EU–US Data Privacy Framework certifications of vendors). Details are provided in our Sub-Processors document.

5.3 We inform Data Subjects that their Personal Data may be transferred to other countries and provide information about the safeguards used for the transfer as set out in this Policy.

5.4 In exceptional cases where safeguards cannot be applied, we will rely on a valid derogation (e.g., necessity for contract performance or your explicit consent) as permitted by Data Protection Laws.

6. Rights of Data Subjects

6.1 Our Responsibilities. Privacy Manager is ultimately responsible for handling DSRs. Customer support addresses user DSRs on a daily basis.

6.2 Contact for DSRs. Please contact support@iconsprint.com. We will respond within one (1) month of receipt. If we require more time (up to two additional months), we will inform you and explain why.

6.3 Verification. We will verify your identity (for example, by confirming access to your account email). If we cannot verify, we may deny the request.

6.4 Your Rights. Subject to law and certain limitations, you have the right to:

• Be informed about our processing (this Policy and the Cookies document).
• Access your Personal Data and receive a copy.
• Rectify inaccurate or incomplete Personal Data.
• Restrict processing in certain circumstances.
• Object to processing based on our legitimate interests (including direct marketing).
• Erase Personal Data (“right to be forgotten”).
• Portability of data you provided to us, where technically feasible.
• Withdraw consent at any time (where processing is based on consent).

6.5 Self-Service Controls. Users can delete their icons and account within the service. Deleting your account will remove or anonymize associated Personal Data except where retention is required by law or legitimate business purposes (see Section 8).

6.6 Complaints. If you are in the EEA/UK, you may complain to your local Supervisory Authority. We do not have an EU or UK representative appointed at this time.

7. New Data Processing Activities

7.1 Notification to Privacy Manager. Before introducing any new activity that involves the processing of personal data, an employee responsible for its implementation must inform the Privacy Manager.

7.2 DPIA. Where required by Data Protection Laws, we will conduct a Data Protection Impact Assessment and, if necessary, consult with the competent Supervisory Authority.

8. Data Retention

8.1 General Rule. We retain Personal Data for no longer than necessary for the purposes for which it is processed, and as required by law. We apply the following industry-standard retention periods unless a different period is required for legal, security, or operational reasons:

• Account Data: for the life of the account, then up to 3 years after closure.
• Billing/Invoices: 7-10 years to satisfy tax and accounting obligations.
• Security/Access Logs: 12-24 months.
• Support Tickets/Communications: up to 24 months after resolution.
• Marketing Preferences/Consents: until you withdraw consent or delete your account.
• Service Content (reference uploads): retained only for the duration of processing and promptly deleted thereafter.
• Backups: retained on a rolling basis per our backup window (typically 30-90 days).

8.2 Exemptions. Retention may be extended briefly for business continuity, technical impossibility of immediate deletion (e.g., backups), or full anonymization for statistical or service-improvement purposes.

9. Security

9.1 Each department within IconSprint shall take appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest (where applicable), least-privilege access, multi-factor authentication for staff where feasible, audit logging, regular backups, vulnerability management, and vendor due diligence. We do not claim external certifications at this time.

9.2 The employee responsible for supervision of personal data security advises IconSprint management and is involved early in projects to take security-related aspects into account as early as the planning phase.

10. Data Breach Response Procedure

10.1 Response Team. In case of a Data Breach, IconSprint will urgently form a Data Breach Response Team headed by senior management, comprised of the Privacy Manager, privacy specialist(s), and information security specialist(s). The team will provide an immediate, effective response, including mitigation and notification duties.

10.2 Notification to Authorities. Where required by law (e.g., GDPR), IconSprint shall inform the competent Supervisory Authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach.

10.3 Notifications to Data Subjects. When the Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, we will communicate the breach to affected individuals without undue delay, including recommended steps to protect themselves.

10.4 Communication with Third Parties. If a Data Breach concerns Personal Data processed by or shared with our processors or partners, we will coordinate notifications and mitigation with those parties and document actions taken.

11. Cookies and Similar Technologies

We use cookies and similar technologies for essential operations and, where applicable, analytics. For details about types, purposes, retention, providers, and your choices (including consent in the EEA/UK), please see our Cookies document at /cookies. Analytics are provided by PostHog Cloud EU. We do not serve advertising or cross-context behavioral ads.

12. Public Galleries and Community Features

Users may opt in to share individual icons publicly. Public items may be indexed by search engines (e.g., Google) and may display the author's name (or display name) where provided. Please consider that once content is public, third parties may cache or copy it. We purge CDN caches promptly after you change visibility or delete public items; however, residual copies outside our control may persist.

We do not provide content moderation as a separate service; adult/NSFW, hateful, or otherwise inappropriate content is prohibited and may be removed.

13. U.S. State Privacy Disclosures (including California)

13.1 No “Sale” or “Sharing.” We do not “sell” or “share” Personal Information as those terms are defined under the California Privacy Rights Act (CPRA). We also do not engage in cross-context behavioral advertising.

13.2 Categories Collected. In the preceding 12 months, we collected the categories described in Section 1 (identifiers; commercial/billing information; internet or network activity; user content for processing; support communications). We collect from you directly and from your device/browser. We disclose such data to service providers strictly for business purposes.

13.3 Your Rights. Subject to exceptions, California and other applicable U.S. state laws may grant rights to know/access, correct, delete, and limit certain uses. You may exercise rights via support@iconsprint.com. We do not offer financial incentives for Personal Information.

13.4 Thresholds. We currently operate below CPRA thresholds; however, we nevertheless honor applicable rights as a matter of policy.

14. Changes to This Policy

We may update this Policy from time to time. We will post changes on this page, update the “Last Updated” date, and, where changes are material, provide additional notice (e.g., email or in-app).

15. Contact Us

If you have any questions about this Policy or our data practices, or if you wish to exercise your rights, please contact us at:

Coffee Break Ideas LLC (IconSprint) 30 N Gould St Ste R, Sheridan WY 82801, USA Email: support@iconsprint.com

Annex — Service Description (Informative)

IconSprint is an AI-powered tool that generates and exports mobile app icons and related assets for developers and software agencies. Users can upload reference images to create icons; such images are processed solely to perform the requested generation and are retained only for the duration of the job. We do not train our own AI models on your content.