Privacy Policy
Last updated: 14 March 2026
1. What We Collect
We collect the minimum data necessary to provide the IndieBase service:
- Account information — name, email address, and password (hashed), collected via Supabase Auth when you create an account or sign in with OAuth.
- Stripe read-only business metrics — MRR, customer count, churn rate, and other aggregated metrics fetched from your connected Stripe account via the Stripe Connect API in read-only mode.
- Stripe customer and subscription data — when you connect your Stripe account, IndieBase stores snapshots of your Stripe customer records (email, name, currency, delinquency status) and subscription records (status, amounts, billing intervals, trial periods). This data is used to provide analytics insights such as subscription timelines, status breakdowns, and MRR calculations. This data may be correlated with waitlist signup data to provide cross-source conversion analytics when both a waitlist and Stripe account are connected to the same project.
- Waitlist signup emails — email addresses and optional names submitted by visitors to your public waitlist pages.
- Referral tracking cookie — a
waitlist_refcookie used to attribute referral signups to the correct referrer. This is an essential cookie required for referral mechanics to function. - Page-view analytics — anonymous page-view counts for waitlist pages, stored without personal identifiers. No cross-site tracking or fingerprinting is performed.
2. How We Use Your Data
- Service delivery — to operate your dashboard, display your Stripe metrics, manage your waitlists, and send transactional emails.
- Anonymous benchmark aggregation — aggregated, anonymised Stripe metrics may be included in industry benchmarks. No individual account data is ever disclosed. You opt in to benchmark inclusion when you connect Stripe.
- Transactional email — account confirmation, waitlist milestone notifications, and digest emails sent via Resend.
3. Data Sharing
We do not sell, rent, or trade your personal data to any third party. Data is shared only with the sub-processors listed below, strictly to operate the service:
- Supabase — authentication and database, hosted in the EU (Frankfurt, Germany).
- Stripe — payment processing and connect platform; IndieBase accesses your Stripe data in read-only scope only.
- Resend — transactional email delivery.
- Vercel — application hosting and edge network.
- Upstash Redis — Redis caching layer for API rate limiting and session data.
4. Third-Party Services
| Service | Purpose | Data processed |
|---|---|---|
| Supabase | Auth & database | Account credentials, all app data |
| Stripe Connect | Business metrics | Read-only Stripe account metrics |
| Resend | Transactional email | Email address, email content |
| Vercel | Hosting & CDN | Request logs (IP, user-agent) |
| Upstash Redis | Caching | Session tokens, rate limit counters |
5. Data Retention
All data you store in IndieBase is retained for the duration of your account. We do not automatically delete your data based on your subscription plan. Your plan determines which historical data you can access in the dashboard, but underlying data is preserved so that upgrading your plan restores access to your full history.
| Data Type | Retention |
|---|---|
| Account & profile data | Retained while account is active |
| Stripe metrics, customer & subscription snapshots | Retained while account is active |
| Goal tracking snapshots | Retained while account is active |
| Waitlist signups & page views | Retained while account is active |
| Anonymised benchmark data | Retained indefinitely (anonymised, not linked to your account) |
- Your subscription plan determines how much historical data is visible in your dashboard. Data beyond your plan's view window is not deleted — it becomes accessible again if you upgrade.
- When you delete your account (via Settings > Account), all your personal data, projects, waitlists, and subscriber lists are permanently deleted via cascade database constraints.
- If you have connected a Stripe account, the OAuth access token is revoked upon account deletion or manual disconnection from the dashboard.
- You can export all your data at any time via Settings > Account > Export My Data.
6. Cookies
| Cookie | Type | Purpose |
|---|---|---|
| sb-* | Essential | Supabase Auth session cookie |
| waitlist_ref | Essential | Referral tracking for waitlist signups |
| ib_cookie_consent | Essential | Stores your cookie consent choice |
| Analytics | Optional | Product improvement analytics — only if you consent |
You can manage your cookie preferences at any time using the cookie banner displayed on your first visit.
7. Your GDPR Rights
As a user based in the EU or otherwise protected by GDPR, you have the following rights:
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate data in your profile settings.
- Right to erasure — delete your account and all associated data via Settings > Account.
- Right to data portability — export all your data as a JSON file via Settings > Account > Export My Data.
- Right to object — object to processing for analytics or benchmarking by contacting us.
Most of these rights can be exercised self-service via Settings > Account. For requests that cannot be handled self-service, contact us at hello@indiebase.be.
8. Contact
For any privacy-related questions or to exercise your rights, contact us at:
This policy is governed by Belgian law and the General Data Protection Regulation (GDPR).