Privacy Policy
Last updated: 1 March 2026
1. What We Collect
We collect the minimum data necessary to provide the IndieBase service:
- Account information — name, email address, and password (hashed), collected via Supabase Auth when you create an account or sign in with OAuth.
- Stripe read-only business metrics — MRR, customer count, churn rate, and other aggregated metrics fetched from your connected Stripe account via the Stripe Connect API in read-only mode.
- Stripe customer and subscription data — when you connect your Stripe account, IndieBase stores snapshots of your Stripe customer records (email, name, currency, delinquency status) and subscription records (status, amounts, billing intervals, trial periods). This data is used to provide analytics insights such as subscription timelines, status breakdowns, and MRR calculations. This data may be correlated with waitlist signup data to provide cross-source conversion analytics when both a waitlist and Stripe account are connected to the same project.
- Waitlist signup emails — email addresses and optional names submitted by visitors to your public waitlist pages.
- Referral tracking cookie — a waitlist_ref cookie used to attribute referral signups to the correct referrer. This is an essential cookie required for referral mechanics to function.
- Page-view analytics — anonymous page-view counts for waitlist pages, stored without personal identifiers. No cross-site tracking or fingerprinting is performed.
2. How We Use Your Data
- Service delivery — to operate your dashboard, display your Stripe metrics, manage your waitlists, and send transactional emails.
- Anonymous benchmark aggregation — aggregated, anonymised Stripe metrics may be included in industry benchmarks. No individual account data is ever disclosed. You opt in to benchmark inclusion when you connect Stripe.
- Transactional email — account confirmation, waitlist milestone notifications, and digest emails sent via Resend.
3. Data Sharing
We do not sell, rent, or trade your personal data to any third party. Data is shared only with the sub-processors listed below, strictly to operate the service:
- Supabase — authentication and database, hosted in the EU (Frankfurt, Germany).
- Stripe — payment processing and connect platform; IndieBase accesses your Stripe data in read-only scope only.
- Resend — transactional email delivery.
- Vercel — application hosting and edge network.
- Upstash — Redis caching layer for API rate limiting and session data.
4. Third-Party Services
| Service | Purpose | Data processed |
|---|---|---|
| Supabase | Auth & database | Account credentials, all app data |
| Stripe Connect | Business metrics | Read-only Stripe account metrics |
| Resend | Transactional email | Email address, email content |
| Vercel | Hosting & CDN | Request logs (IP, user-agent) |
| Upstash Redis | Caching | Session tokens, rate limit counters |
5. Data Retention
Data retention periods vary by subscription plan. The following table summarises how long different categories of data are retained:
| Data Type | Free | Starter | Pro / Lifetime |
|---|---|---|---|
| Account & profile data | Retained while account is active | Retained while account is active | Retained while account is active |
| Stripe metrics & snapshots | 30 days | 365 days | Unlimited |
| Stripe customer & subscription snapshots | 30 days | 365 days | Unlimited |
| Goal tracking snapshots | 30 days | 365 days | Unlimited |
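| Waitlist signups & page views | Retained while account is active | Retained while account is active | Retained while account is active |
| Anonymised benchmark data | Retained indefinitely | Retained indefinitely | Retained indefinitely |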
- Data older than your plan's retention period is automatically pruned daily. A 30-day grace period applies after a plan downgrade before pruning begins.
- You will receive a warning banner in your dashboard 7 days before any data is scheduled for pruning.
- When you delete your account (via Settings > Account), all your personal data, projects, waitlists, and subscriber lists are permanently deleted via cascade database constraints.
- If you have connected a Stripe account, the OAuth access token is revoked upon account deletion or manual disconnection from the dashboard.
- You can export all your data at any time via Settings > Account > Export My Data before it is pruned.
6. Cookies
| Cookie | Type | Purpose |
|---|---|---|
| sb-* | Essential | Supabase Auth session cookie |
| waitlist_ref | Essential | Referral tracking for waitlist signups |
| ib_cookie_consent | Essential | Stores your cookie consent choice |
| Analytics | Optional | Product improvement analytics — only if you consent |
You can manage your cookie preferences at any time using the cookie banner displayed on your first visit.
7. Your GDPR Rights
As a user based in the EU or otherwise protected by GDPR, you have the following rights:
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate data in your profile settings.
- Right to erasure — delete your account and all associated data via Settings > Account.
- Right to data portability — export all your data as a JSON file via Settings > Account > Export My Data.
- Right to object — object to processing for analytics or benchmarking by contacting us.
Most of these rights can be exercised self-service via Settings > Account. For requests that cannot be handled self-service, contact us at hello@indiebase.co.
8. Contact
For any privacy-related questions or to exercise your rights, contact us at:
This policy is governed by Belgian law and the General Data Protection Regulation (GDPR).