Privacy policy

Last updated: May 11, 2026

The short version: StitchFont runs entirely in your browser. We don't operate any server that sees your files, and there is no analytics, tracking, or telemetry on this site.

How file handling works

When you drop a font-pack zip into StitchFont, the file stays on your machine. The conversion runs inside a Python interpreter (Pyodide) that we ship as WebAssembly and that executes in your browser tab. The font folder you download is produced by that interpreter, in your browser, from the bytes you provided. No part of your zip is ever transmitted to us or to any third party.

You can verify this yourself: open your browser's Network panel before uploading a file, then watch as you convert one. You'll see fetches for our own static files (HTML, CSS, JavaScript, the Pyodide bundle) and for the Pyodide CDN — and nothing else.

What we do not collect

• No accounts, names, or email addresses.
• No analytics (no Google Analytics, no Plausible, no Mixpanel, no anything).
• No advertising or tracking cookies.
• No user-fingerprinting via canvas, audio, or fonts.
• No telemetry from the converter — we don't even know how many people use the site.

Cookies and local storage

StitchFont doesn't set cookies. Pyodide caches its WebAssembly bundle in your browser's normal HTTP cache (the same one all websites use); clearing that cache will force a fresh download next time you visit.

Third parties this site loads from

Two CDNs are involved on every visit:

• Google Fonts serves the Newsreader web font used by the headings. Per Google's font-privacy policy, Google may log the request (which includes your IP address). If you'd rather avoid this, a content blocker like uBlock Origin can be set to block fonts.googleapis.com; the site will fall back to your system serif and still work.
• jsDelivr serves the Pyodide runtime (the Python-in-WebAssembly bundle). They publish their own privacy policy.

Outbound links

StitchFont links out to Venmo (for tips), Ink/Stitch, and Inkscape. Each of those is its own site with its own privacy policy; clicking through is your call.

Server logs

This site is served from a small Linode VM behind nginx. Nginx writes access logs (timestamp, IP address, requested URL, response status) by default. We don't look at those logs except when diagnosing a server problem, we don't share them, and they roll over and delete themselves on a short cycle.

Changes

If this policy ever changes, the "Last updated" date at the top will move. We won't expand what we collect without saying so here first.

Contact

Privacy questions: hello@fourthreadscollective.com.