Updated March 12, 2024
INTRODUCTION
Dribbble Holdings Limited (the “Dribbble Group”) is comprised of several companies, which together provide tools to help the world’s designers to create, develop and promote their talents (each a “Service” and collectively, the “Services”). The companies within the Dribbble Group each act as the data controller for personal data processed in respect of their Services (each a “Group Company” and together the “Group Companies”) and referred to as “our,” “we,” or “us” below. The data controllers for each Service are:
Dribbble - Dribbble Holdings Ltd
Creative Market - Creative Market Labs, Inc.
Fontspring - Creative Market Labs, Inc.
Font Squirrel - Creative Market Labs, Inc.
We know that you care about how your information is used and shared. This Privacy Policy provides details of the way in which the Group Companies process personal data in line with their obligations under relevant data protection law, including the European Union’s General Data Protection Regulation (the “GDPR”), the California Consumer Privacy Act (the “CCPA”), and other applicable laws (collectively, “Data Protection Law”).
This Privacy Policy explains what information of yours will be collected by the Group Companies when you use our Services, how the information will be used, and how you can control the collection, correction and/or deletion of information. Note that certain third parties may be able to identify you across sites and services and over time using the information they process, however, any such processing not done at the direction of us is outside the scope of this Privacy Policy. We are not responsible for the privacy policies, content or security of any linked third party websites or services. We recommend that you check the privacy and security policies of each and every website and service that you visit.
INFORMATION WE PROCESS.
The types of information we process depends on how you use our Services. Many of our Services require users to set up an account, which involves the collection and processing of your name and email address. Other Services may require the collection of additional information. For example, Dribbble helps to connect its community of designers with people and companies in need of their skills. In order to do so, Dribbble collects payments data and other information required to comply with relevant legal obligations.
The following table explains the types of information we collect and how we collect it. These categories of data may collectively be referred to as “Your Information”.
Information You Provide
In order to use our Services, Group Companies may require you to register and create an account. Depending on the Service, you will be required to provide a name and email address, and to choose an avatar and username.
People use our Services for different reasons. Some are looking for the perfect tools to help them create or share their designs. Others join our community in order to be inspired, or even to find the right designer to help them with a project.
Depending on your needs, you may provide us with additional personal information, including your area of expertise (e.g. branding and logo design) and details of any training courses you have completed for your profile.
For certain Services, such as creating a shop on Dribbble, we may also be required to collect your full name, date of birth, national identification number, photo identification and other information in order to verify your identify and to comply with applicable law.
Users can pay to gain access to specific design tools and fonts, or to attend workshops and other training events. Pro Dribbble users can unlock a range of additional features, which enable them to sell their designs online or to enhance their profiles.
Whatever our users’ individual needs, sometimes we will collect and process payments information. For instance, we collect the credit card information provided to us during checkout, for billing and payment purposes, and to process your transaction.
Additional information, includes billing contact name, postal address and telephone number may be necessary in order for us to provide a particular service.
In order to use our Services, Group Companies may require you to register and create an account. Depending on the Service, you will be required to provide a name and email address, and to choose an avatar and username.
Users can update their profiles to include custom avatars or photos, along with additional biographical information. They can create custom videos for their profile, in which they can “pitch” their talents to prospective employers. They may also upload their designs to the platform, engage in monthly playoffs and even open a shop to advertise their goods or services for sale. Certain users may also post freelance projects and other job opportunities.
We may ask you to complete surveys that we use for research purposes, or to evaluate our marketing or support efforts, and in those cases we store the answers given.
From time to time, we may offer contests or other promotions. If you choose to enter these contests or promotions, we may collect Identity Information and/or additional information.
Our Services can be used to communicate with us, other members of the community, or with prospective freelance designers or employers.
Automatically-Collected Information
We automatically collect information about the content and people you interact with, the features and add-ons you use and other actions you take, including applying to certain work opportunities advertised via our Services.
While users can provide their location or shipping address in the course of using our Services, we also automatically collect certain location information, including your IP address and location information provided by your device.
We automatically collect information from your browser or your device when accessing our Services, and record this data in log files. This includes information such as your unique device identifier, device attributes, device signals, data from device settings, networks and ads data.
When you visit a Service, we use cookies and related technologies (such as clear GIFs/web beacons) to identify the browser, to identify which page variant a visitor has seen, to determine if a visitor has clicked on a page variant, and to monitor traffic patterns and gauge popularity of service options. Please see our Cookie Policy for more information.
Information Others Provide
We might receive information about you from other sources and add it to our account information. This may include updated delivery and address information from our shippers or other sources so that we can correct our records and deliver your next purchase or communication more easily.
Some Group Companies provide an option to invite a friend to their Service, in which case the Group Company we will ask you for that person's email address and automatically send an email invitation to them.
Users can report content to us, where they feel it infringes intellectual property rights or otherwise violates out our Terms of Service.
Some Group Companies receive Your Information from social media companies such as Facebook and Twitter who may transfer Your Information to us when you interact with that social media company in connection with our Services or use an alternative sign in to our Services through a social media company.
Our Group Companies receive Your Information from ad networks, behavioural advertising vendors, market research, and social media companies or similar companies. Further, some of the Information Collected Through Cookies may be provided by third party analytic companies.
Information we Create
Some Group Companies, certain partners, social media companies, and third parties operating on our behalf create and infer Your Information based on our observations or analysis of Your Information processed under this Policy, and we may correlate this data with other data we process about you. We may combine any of Your Information about you that we receive from you and from third parties.
The Dribbble Group will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes unless we first notify you or obtain your consent, to the extent required by Data Protection Law.
Sensitive Personal Data
Data Protection Law recognises that certain types of information require additional protection. In particular, the GDPR prohibits the processing of sensitive personal data, other than in certain exceptional circumstances. Sensitive personal data in the EU includes information relating to one’s race or ethnicity, political opinions, religious or philosophical beliefs, membership of a trade union, as well as biometric data and data relating to one’s health or sexual orientation. Certain state laws in the US also have different definitions of sensitive personal data.
We do not knowingly collect or process any sensitive personal data. However, some users may make such information public through their use of our Services. For example, Dribbble permits users to add a biography to their profile. This is a free-text section that allows users to include whatever information they wish, subject to complying with the relevant Terms of Service. Users are in control of what information they share and, to the extent they choose to make sensitive personal data public, they may delete or amend this information at any time.
HOW WE PROCESS YOUR INFORMATION AND OUR LEGAL BASES FOR DOING SO
We collect and process Your Information whenever you use our Services. Consistent with relevant Data Protection Law, we are required to identify a legal basis for each of our processing activities.
Under EU law there are six different bases, which may be relied upon to enable the lawful processing of Your Information. In particular, data controllers may process personal data:
where they have received freely given, specific, informed and unambiguous consent from a data subject (“Consent”);
where processing is necessary to conclude and perform a contract (“Contractual Necessity”);
where processing is necessary to comply with a legal obligation to which they are subject (“Legal Obligation”); or
in pursuit of the data controller’s legitimate interests, except where these interests are overridden by the rights and freedoms of individuals (“Legitimate Interests”).
Under the CCPA, we must disclose the purposes for which we collect your information:
Business Purposes, which include auditing, security, debugging/repair, certain short-term uses, performing services, internal research for technical development, quality and safety maintenance and verification, as well as the use of Your Information for our operational purposes, or other notified purposes that use Your Information as reasonably necessary and proportionate to achieve the operational purpose; and
Commercial Purposes, which include use of Your Information to advance our commercial or economic interests, such as encouraging others to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
The Group Companies primarily rely on Consent, Contractual Necessity, Legal Obligation and Legitimate Interests when processing Your Information. Below we explain the purposes for which we process this information, along with the relevant categories of data we use and the legal basis we rely on to do so (for purposes of the GDPR) or other permitted reasons for processing (e.g. Business Purposes or Commercial Purposes under the CCPA).
Legal Basis: Consent
Profile Information
User-Generated Content
Consent, Business Purposes
Survey Information
Consent, Business Purposes, Commercial Purposes
Location Data
Consent, Business Purposes, Commercial Purposes
Location Data
Device Information
Analytic Information
Consent, Business Purposes, Commercial Purposes
Contest Data
User-Generated Content
Identity Information
Consent, Business Purposes, Commercial Purposes
Users have the right to withdraw their consent at any time. If they choose to exercise this right, our Group Companies will cease processing personal data on this basis. However, please note that a decision to withdraw your consent cannot affect the lawfulness of processing previously carried out on this basis.
Legal Basis: Contractual Necessity
Basic Account Information
Identity Information
Contractual Necessity, Business Purposes
The Dribbble Group offers a range of Services, some of which are free, while others require a once-off payment or a subscription.
Where a user wishes to avail of one of our paid Services, we will need to collect certain information so as to verify their identity and to process their billing. Such paid Services include subscriptions for access to fonts and template documents, upgrades to Pro Dribbble accounts which allows designers to enhance their profile and sell their creations online, or even enrolment in workshops and other training courses.
Basic Account Information
Identity Information
Payment and Billing Information
Contractual Necessity, Business Purposes
Basic Account Information
Contractual Necessity; Business Purposes
Basic Account Information
Identity Information
Profile Information
User-Generated Content
Usage Information
Location Data
Device Information
User Reports
Contractual Necessity; Business Purposes
Legal Basis: Legitimate Interests
Basic Account Information
Location Data
Usage Data
Device Information
Automatically-Collected Information
Social Media Information
Analytic and Aggregator Information
Inference Data
Business Purposes, Commercial Purposes
We process personal data in order to assess service levels, monitor traffic patterns and gauge popularity of different features on our Services with the aim of improving our Services
User-Generated Content
Survey Information
Usage Information
Automatically-Collected Information
Analytic and Aggregator Information
Business Purposes
All of Your Information
Business Purposes
Information You Provide
Usage Information
Location Data
Device Information
Business Purposes
All of Your Information
Business Purposes
Basic Account Information
Identity Information
Payment and Billing Information
Business Purposes, Commercial Purpose
Basic Account Information
Additional Account Information
User-Generated Content
Automatically-Collected Information
Business Purposes, Commercial Purpose
Legal Obligation
Basic Account Information
Identity Information
Payments and Billing Information
Legal Obligation, Business Purpose
When you exercise your rights under data protection law and make requests
All of Your Information
Legal Obligation, Business Purpose
All of Your Information
Legal Obligation, Business Purpose
WHO WE SHARE DATA WITH
The Dribbble Group Companies work together to support the delivery of our Services
Our Group Companies also work with third-party service providers who help us to provide our Services. Most of our service providers are located in the US.
For EEA residents, is your information is transferred outside of the EEA, we will adopt measures to ensure that it is protected in a manner that is consistent with our obligations under Data Protection Law, including the European Union’s General Data Protection Regulation.
Transfers to Third Parties
Your Information
We rely on cloud service providers to host user data. (Business Purposes)
USA
Customer support service providers
Basic Account Information, Payment and Billing Information, Messages and Other Communications, Location Data, Device Information and User Reports
Our third-party partners help to provide support to our customers throughout the world. (Business and Commercial Purposes)
Philippines, USA
Basic Account Information, Identity Information, Profile Information, Payment and Billing Information, User-Generated Content, Messages and Other Communications, Automatically- Collected Information
To identify and prevent fraud on our Services, to uphold our Terms of Service and to keep our users safe. (Business Purposes)
USA
Customer data platform service provider, for example Segment
Information You Provide, Automatically- Collected Information
To effectively manage customer data, including by standardising data collection and unifying our user records. (Business and Commercial Purposes)
USA
User-Generated Content, Automatically-Collected Information
To help us better track the performance of our Services. (Business Purposes)
USA
Website analytics, for example Hotjar and Google Analytics
Basic Account Information, Location Data, Usage Information, Analytic and Aggregator Information
To help us better track the performance of our Services. (Business Purposes)
Malta, USA
Paid search advertising analytics, for example Google Ads
Basic Account Information, Automatically- Collected Information, Analytic and Aggregator Information
To help our Group Companies to reach users of Google Search for the purpose of advertising our Services. (Commercial Purposes)
USA
Basic Account Information, Payment and Billing Information
To facilitate payments for our paid Services (Business Purposes)
USA
Royalty payment processing service providers, for example PayPal and Tipalti
Basic Account Information, Payment and Billing Information
To facilitate royalty payments to our designers and foundry partners. (Business Purposes)
Malta, USA
Basic Account Information, Location Data, Usage Information
To provide remote support to our customers. (Business Purposes)
USA
Email service provider, for example Mailchimp, Mandrill App
Basic Account Information
To facilitate the sending of electronic mail, both internally within the relevant Group Company and externally with our users, partners and other members of the public. (Business and Commercial Purposes)
Malta, USA
In addition to the above, some of our Services are integrated with social media networks and other platforms (e.g., Facebook, Pinterest, and LinkedIn) whereby information may be shared between us and those platforms. For instance, if you interact with our Service through a social media feature such as a plug-in, then you may be granting us on-going access to certain information from that social media account. If you do not want a social media platform to collect or share information about you, please review the privacy policy and privacy settings of the applicable social media property before using such features on our Service.
YOUR RIGHTS
Data Protection Laws around the world, including the GDPR and the CCPA, provide users with certain rights over how their personal data is used by companies. Consistent with these laws, our Group Companies enable users to access, amend and delete the Information You Provide. We also have systems in place to allow you to exercise your rights in respect of Automatically-Collected Information and Information Others Provide, including your rights to object to or restrict the processing of your personal data.
If you would like to exercise any of your rights, please contact the relevant company at the information provided below. Alternatively, you may update or correct certain information, such as your Basic Account Information and email preferences, at any time by logging in to your account settings page.
At any time you may:
Decline to Submit Information: You may, of course, decline to submit Personal Information through the Service, in which we may not be able to provide certain services to you.
Update Account Information: You may update or correct your account information and email preferences at any time by logging in to your account settings page.
Unsubscribe from marketing emails: to unsubscribe from a particular newsletter, click the "unsubscribe" link at the bottom of that email newsletter. When we send newsletters to subscribers we may allow advertisers or partners to include messages in those newsletters, or we may send dedicated newsletters and marketing messages on behalf of those advertisers or partners. We may disclose your opt-out choices to third parties so that they can honour your preferences in accordance with applicable laws.
Blocking cookies: certain browsers may be configured to notify you when you receive cookies, or allow you to restrict or disable certain cookies. If you choose to disable cookies, however, that could affect certain features of the Service that use cookies to enhance their functionality. Please see our Cookie Policy. Further, please note our Services do not respond to your browser’s do-not-track request.
Disabling local shared objects: we may use other kinds of local storage that function similarly, but are stored in different parts of your computer from ordinary browser cookies, including Flash cookies placed on your device or web browser via the Adobe flash plug-in. Your browser may allow you to disable its HTML5 local storage or delete information contained in its HTML5 local storage. For further details about deleting information contained in "local shared objects" or adjusting related preferences, please click here.
Withdraw Your Consent: Where we are processing Your Information based on your consent, you may change your mind and withdraw your consent at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as linking to your device or providing certain advertising to you, that are conditioned on your consent.
EU Residents
Under the GDPR, you have the following rights which may be subject to restrictions under local law: (i) the right to withdraw consent to processing where consent is the basis of processing; (ii) the right to access your personal information and certain other supplementary information, under certain conditions; (iii) the right to object to processing that is based on our legitimate interests, under certain conditions; (iv) the right to deletion of personal information about you, under certain conditions; (v) the right to demand that we restrict processing of your personal information, under certain conditions, if you believe we have exceeded the legitimate basis for processing, processing is no longer necessary, are processing, or believe your personal information is inaccurate; (vi) the right to data portability of personal information concerning you that you provided us in a structured, commonly used, and machine-readable format, under certain conditions; (vii) the right object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you, under certain conditions; (viii) the right to lodge a complaint with a data protection authorities.
California Residents
The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
The categories of personal information we collected about you, or that we have sold, or disclosed for a Commercial Purpose.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you (also called a data portability request).
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request we will delete (and direct our service providers to delete) your personal information from our records unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
Complete the transaction for which we collected the personal information, provide a good or service that you requested, or take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform the Services.
Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.)
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provide it.
Minors’ User Content
Individuals under the age of 18 in California can delete or remove publicly available User-Generated Content using the same deletion or removal procedures described above, or otherwise made available through the Services. If you have questions about how to remove your User-Generated Content or if you would like additional assistance with deletion you can contact us by email at [email protected]. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights, please submit a verifiable consumer request to us by emailing us at [email protected]. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12 month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person we collected personal information on.
Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us.
Response Timing and Format
We endeavour to respond to verifiable consumer requests within 45 days of receipt. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response to you by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If applicable, we will also provide reasons we cannot comply with your request. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information. We do not charge a fee to process or respond to a verifiable consumer request unless it is excessive, repetitive, or unfounded. If we determine a fee is warranted, we will provide you with an estimate before completing your request.
Personal Information Sales Opt-Out and Opt-In Rights
For the purposes of CCPA, we do not sell Your Information.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you with a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level of quality of goods or services.
Information
California Civil Code Section §1798.83 permits users of the Site and/or Services who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] with “Request for California Privacy Information” in the subject line and in the body of your message. We will provide the requested information to you in your email address in response.
DATA SECURITY AND DATA BREACH
We care about the integrity and security of Your Information and implement appropriate technical and organisational security measures to safeguard Your Information from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.
Our Group Companies follow generally accepted industry standards to protect the personal data provided to us, both during transmission and after it is received. Examples of our security measures include, as appropriate, physical measures such as locking access to servers, putting in place IT measures such as encryption, and restricting access to your information through approvals and passwords, so it is accessible only on a “need to know” basis.
Depending on the Group Company and the Service in question, your account information is protected by a password. You are responsible for carefully choosing and periodically changing an appropriately-strong password and for maintaining its secrecy. You are also responsible for controlling access to your email communications from our Group Companies, and for other security measures, such as signing out after using our Services.
Despite these measures, it is not possible to warrant the security of any information you transmit to our Group Companies or guarantee that your information on our Services may not be accessed, disclosed, altered, or destroyed by a breach of any of our technical or organisational safeguards. Your privacy settings may also be affected by changes to the functionality of our Group Companies’ distributors, such as social networks. We are not responsible for the functionality or security measures of any third party.
DATA RETENTION
We will keep personal data only for as long as is necessary for the purposes for which that personal data are processed, including to provide our Services. The storage periods are determined on a case-by-case basis and will depend on several factors, including:
The type of information and the purpose for which it is processed;
Any legal requirement to retain the data, including where data was processed on the basis of a Legal Obligation or until the Statute of Limitations has elapsed with respect to possible legal claims or investigations;
Whether the data is required for Trust & Safety purposes. For example, where users breach our Terms of Service, we may terminate their account and prevent them from accessing our Services, in order to protect other users. In such circumstances, it may be necessary to retain certain personal data, even after account termination.
Following termination or deactivation of your User account, we may retain the Information You Provide for a commercially reasonable time for backup, archival, contract performance and enforcement, or audit purposes but for no longer than is necessary and only where the information is accurate and relevant for our use. Furthermore, we may retain and continue to use indefinitely all information contained in your communications to other Users or posted to public or semi-public areas of the Service after termination or deactivation of your User account. However, we will only keep this information on the Services where it was posted and will not use this information for any other purpose.
ADVERTISING
This Site is affiliated with Publisher First, Inc. dba Freestar (“Freestar”) for the purposes of placing advertising on the Site, and Freestar will collect and use certain data for advertising purposes. To learn more about Freestar’s data usage, click here.
For more information about this type of online advertising, about cookies, and about how to turn this feature off, please visit this link.
PRIVACY POLICY CHANGES
As the Dribbble Group continues to grow, the manner in which we process data will evolve over time. We will update this policy from time to time to reflect changing practices and will notify you of any material changes in the following ways: i) we will send an email to the address provided to us upon sign-up to our Services, or ii) we will post a notification on the relevant Group Company’s site or app.
FURTHER INFORMATION AND COMPLAINTS
For further information about this Privacy Policy and/or the processing of your personal data by or on behalf of any members of the Dribbble Group, please contact us using the information provided below.
For users based in the EEA, you have the right to lodge a complaint with your competent data protection supervisory authority. The contact details of each supervisory authority are available on the European Data Protection Board’s website.
Notwithstanding this right, we request that you contact us in the first instance to give us the opportunity to address any concerns that you may have.
CONTACT INFORMATION
If you have any questions about this Privacy Policy, or data protection queries in relation to any of the Group Companies or Services, Dribbble Group’s Data Protection Officer can be reached at [email protected].
VeraSafe has been appointed as the Dribbble Group's representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative
or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
VeraSafe has been appointed as the Dribbble Group's representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative
or via telephone at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom