Privacy Policy

Last updated: November 4, 2025

IndieStand (“we”, “our”, “us”) is a SaaS platform that enables Creators to build stores and sell digital products to Buyers.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.


1) Who is who (Definitions)

  • Creator: A user of IndieStand who opens a store on our platform and pays for a subscription (processed by Dodo Payments).
  • Buyer: An end customer who purchases a Creator's digital goods through the Creator's IndieStand store (payments via Stripe Connect to the Creator).
  • IndieStand: The platform provider.

2) Data Controller & Contact

IndieStand
Berlin, Germany
Email: support@indiestand.com

  • For Creator subscription payments, Dodo Payments acts as an independent controller for the payment data it processes.
  • For Buyer checkout & payouts to Creators, Stripe (Stripe Connect) acts as an independent controller for the payment data it processes.
  • IndieStand is the controller for platform operations data. For certain Buyer-related operations performed on behalf of a Creator (e.g., storing Buyer details so the Creator can deliver content), IndieStand acts as a processor for the Creator.

3) What data we collect

A) Creators (our customers)

We collect:

  • Identification & contact: name, email, country
  • Account & store: store name, slug, branding, product metadata
  • Subscription & billing: plan, status, invoices/receipts (payment data handled by Dodo Payments)
  • Operational logs: authentication events, admin actions, support interactions

Source: directly from you; limited technical data from your browser/device.

B) Buyers (end customers of Creators)

We collect (and/or process on behalf of the Creator):

  • Identification & contact: name, email, country
  • Order metadata: product purchased, price, currency, timestamps, fulfillment state
  • Payment processing: handled by Stripe Connect (card/bank details are not stored on IndieStand)

Purpose: to enable Creators to deliver digital content, manage customer relationships, and comply with legal obligations.

C) Analytics (site & product)

  • PostHog (EU residency, no cookies): page views, basic usage events, performance metrics
  • Implemented without cross-site tracking or advertising cookies.

3A) Cookies and similar technologies (strictly necessary only)

IndieStand uses a small number of strictly necessary cookies to operate the service securely and to provide functionality explicitly requested by the user. These cookies do not require consent under the EU ePrivacy Directive and German TTDSG because they are essential for the core functionality of the platform and do not serve advertising, analytics, or tracking purposes.

We do not use:

  • marketing or advertising cookies
  • third-party tracking pixels
  • cross-site identifiers
  • non-essential analytics cookies

Analytics are implemented through PostHog (EU residency) in cookieless mode, meaning no browser identifiers or cookies are stored for analytics purposes.

Essential cookies we use

1. Authentication cookies (Supabase)

These cookies are required to maintain secure login sessions for Creators. They enable identity verification, account access, and authenticated actions within the dashboard.

  • Purpose: login/session management, account security
  • Contains: session tokens (no tracking identifiers)
  • Legal basis: Contract (Art. 6(1)(b)), Legitimate interests (security) (Art. 6(1)(f))

2. Preview-mode cookies for theme customization

When a Creator uses the theme editor or live preview, IndieStand stores temporary “preview” cookies to maintain preview context (e.g., preview state, preview token, selected theme ID) across navigation within the storefront.

  • Purpose: enable theme preview and customization as requested by the Creator
  • Contains: preview flags and theme identifiers (no personal data)
  • Legal basis: Contract (platform functionality), Legitimate interests (provide editing tools)

These cookies exist solely to power the preview behavior and do not track users.

3. Security and fraud-prevention cookies

IndieStand sets security-related cookies only as needed to protect accounts, maintain the integrity of sessions, and prevent misuse.

  • Purpose: platform security and fraud prevention
  • Legal basis: Legitimate interests (Art. 6(1)(f)), and/or legal obligation where applicable

Summary

IndieStand uses only essential cookies required for authentication, security, and theme preview functionality.
We do not use advertising, marketing, or non-essential analytics cookies.


4) Why we use your data (Purposes & Legal Bases)

| Purpose | Data Subjects | Legal Basis |
|---|---|---|
| Provide and maintain the IndieStand platform | Creators & Buyers | Contract (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)) |
| Process Creator subscriptions (via Dodo Payments) | Creators | Contract; Legal obligation (tax) |
| Process Buyer orders and deliver digital goods (via Stripe Connect payouts to Creators) | Buyers & Creators | Contract; Legal obligation (tax) |
| Enable Creators to manage Buyer relationships (e.g., access delivery, support) | Buyers | Legitimate interests; Contract; (Creator may rely on consent where marketing is involved) |
| Send service emails (account, receipts, delivery, security) | Creators & Buyers | Contract; Legal obligation; Legitimate interests |
| Security, fraud prevention, abuse detection | Creators & Buyers | Legitimate interests; Legal obligation |
| Analytics and product improvement (no ads, no cookies) | Aggregated / limited data | Legitimate interests |

We do not sell personal data or use it for third-party advertising.


5) Service providers (Processors / Independent Controllers)

All services are configured for EU hosting/data residency where available.

| Service | Role | Purpose |
|---|---|---|
| Dodo Payments | Independent controller | Subscription billing for Creators |
| Stripe Connect | Independent controller | Buyer payments and payouts to Creators |
| PostHog (EU) | Processor | Cookie-less analytics, EU data residency |
| ZeptoMail (Zoho) (EU) | Processor | Transactional / notification emails for platform & Creator-initiated delivery emails |
| Cloud infrastructure (e.g., EU hosting, storage, CDN) | Processor | Hosting of application and stored content in the EU |

Where IndieStand acts as processor for a Creator (e.g., storing Buyer details for content delivery/support), we process data only under the Creator's instructions.


6) Sharing of Buyer data with Creators

When a Buyer purchases from a Creator’s store, we share the following with that specific Creator to fulfill the order and for legitimate business purposes related to the purchase:

  • Buyer name, email, country
  • Order metadata (product, price, currency, timestamps)
  • Access/delivery status needed to provide the digital goods

Marketing use by the Creator requires a valid legal basis (typically consent) under applicable laws. IndieStand does not grant Creators permission to send unsolicited marketing to Buyers without such a basis. Creators are responsible for their own compliance when contacting Buyers.


7) Emails & communications

  • We use ZeptoMail to send: account emails, security events, receipts, and delivery/fulfillment notifications.
  • Creators may trigger transactional emails to Buyers (e.g., “new version available”). Marketing emails require Buyer consent (where required).
  • You can manage Creator marketing preferences via links provided by the Creator or by contacting them directly. IndieStand can relay opt-out requests to a Creator upon request.

8) Data retention

We keep personal data only as long as necessary for:

  • Contract performance (e.g., access to purchases),
  • Legal obligations (e.g., tax/accounting retention periods),
  • Dispute resolution and fraud prevention.

Upon account closure or valid deletion request, we delete or irreversibly anonymize data unless retention is legally required.


9) Security

We implement appropriate technical and organizational measures, including:

  • Encryption in transit (HTTPS)
  • Access controls and least-privilege principles
  • Audit logs and monitoring
  • Regular backups

No system can be 100% secure, but we work to continuously improve our safeguards.


10) International transfers

Our services and data are hosted in the EU. If exceptional sub-processing requires transfer outside the EEA, we use recognized safeguards (e.g., SCCs) and implement supplementary measures where appropriate.


11) Your rights (GDPR)

You may have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data (subject to legal retention)
  • Restrict or object to processing
  • Port your data in a machine-readable format

To exercise these rights:

  • Creators: contact us at support@indiestand.com.
  • Buyers: for store-specific processing performed on behalf of a Creator, please contact the Creator first. We will assist as processor where applicable. For processing we control (e.g., platform logs), contact IndieStand.

You also have the right to lodge a complaint with your local supervisory authority.


12) Children’s data

IndieStand is not intended for children under 16. We do not knowingly collect data from minors.


13) Lawful basis notes specific to you

  • Creators: Your personal data (name, email, country) is collected to provide the IndieStand service and manage your Dodo Payments subscription.
  • Buyers: Your personal data (name, email, country) is processed to enable the Creator to deliver content, provide support, and meet legal obligations. Payment details are handled directly by Stripe.

14) Changes to this policy

We may update this policy from time to time. We will post the latest version here and update the “Last updated” date.


15) Contact

Questions or requests about this policy or your data?

IndieStand
Email: support@indiestand.com