Privacy Policy
Last updated: December 24, 2025
IndieStand ("we", "our", "us") is a SaaS platform that enables Creators to build stores and sell digital products to Buyers. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
1) Who is who (Definitions)
- Creator: A user of IndieStand who opens a store on our platform and pays for a subscription (processed by Stripe Managed Payments).
- Buyer: An end customer who purchases a Creator's digital goods through the Creator's IndieStand store (payments via Stripe Connect to the Creator).
- IndieStand: The platform provider.
2) Data Controller & Contact
IndieStand
Berlin, Germany
Email: support@indiestand.com
- For Creator subscription payments, Stripe (via Stripe Managed Payments) acts as the Merchant of Record and independent controller for the payment data it processes.
- For Buyer checkout & payouts to Creators, Stripe (Stripe Connect) acts as an independent controller for the payment data it processes.
- IndieStand is the controller for platform operations data. For certain Buyer-related operations performed on behalf of a Creator (e.g., storing Buyer details so the Creator can deliver content), IndieStand acts as a processor for the Creator.
3) What data we collect
A) Creators (our customers)
We collect:
- Identification & contact: name, email, country
- Account & store: store name, slug, branding, product metadata
- Subscription & billing: plan, status, invoices/receipts (payment data handled by Stripe Managed Payments)
- Operational logs: authentication events, admin actions, support interactions
Source: directly from you; limited technical data from your browser/device.
B) Buyers (end customers of Creators)
We collect (and/or process on behalf of the Creator):
- Identification & contact: name, email, country
- Order metadata: product purchased, price, currency, timestamps, fulfillment state
- Payment processing: handled by Stripe Connect (card/bank details are not stored on IndieStand)
Purpose: to enable Creators to deliver digital content, manage customer relationships, and comply with legal obligations.
C) Analytics (site & product)
- PostHog (EU residency, no cookies): page views, basic usage events, performance metrics
- Implemented without cross-site tracking or advertising cookies.
3A) Cookies and similar technologies (strictly necessary only)
IndieStand uses a small number of strictly necessary cookies to operate the service securely and to provide functionality explicitly requested by the user. These cookies do not require consent under the EU ePrivacy Directive and German TTDSG because they are essential for the core functionality of the platform and do not serve advertising, analytics, or tracking purposes.
We do not use:
- marketing or advertising cookies
- third-party tracking pixels
- cross-site identifiers
- non-essential analytics cookies
Analytics are implemented through PostHog (EU residency) in cookieless mode, meaning no browser identifiers or cookies are stored for analytics purposes.
Essential cookies we use
1. Authentication cookies (Supabase)
These cookies are required to maintain secure login sessions for Creators. They enable identity verification, account access, and authenticated actions within the dashboard.
- Purpose: login/session management, account security
- Contains: session tokens (no tracking identifiers)
- Legal basis: Contract (Art. 6(1)(b)), Legitimate interests (security) (Art. 6(1)(f))
2. Preview-mode cookies for theme customization
When a Creator uses the theme editor or live preview, IndieStand stores temporary "preview" cookies to maintain preview context (e.g., preview state, preview token, selected theme ID) across navigation within the storefront.
- Purpose: enable theme preview and customization as requested by the Creator
- Contains: preview flags and theme identifiers (no personal data)
- Legal basis: Contract (platform functionality), Legitimate interests (provide editing tools)
These cookies exist solely to power the preview behavior and do not track users.
3. Security and fraud-prevention cookies
IndieStand sets security-related cookies only as needed to protect accounts, maintain the integrity of sessions, and prevent misuse.
- Purpose: platform security and fraud prevention
- Legal basis: Legitimate interests (Art. 6(1)(f)), and/or legal obligation where applicable
Summary
IndieStand uses only essential cookies required for authentication, security, and theme preview functionality. We do not use advertising, marketing, or non-essential analytics cookies.
4) Why we use your data (Purposes & Legal Bases)
| Purpose | Data Subjects | Legal Basis |
|---|---|---|
| Provide and maintain the IndieStand platform | Creators & Buyers | Contract (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)) |
| Process Creator subscriptions (via Stripe Managed Payments) | Creators | Contract; Legal obligation (tax) |
| Process Buyer orders and deliver digital goods (via Stripe Connect payouts to Creators) | Buyers & Creators | Contract; Legal obligation (tax) |
| Enable Creators to manage Buyer relationships (e.g., access delivery, support) | Buyers | Legitimate interests; Contract; (Creator may rely on consent where marketing is involved) |
| Send service emails (account, receipts, delivery, security) | Creators & Buyers | Contract; Legal obligation; Legitimate interests |
| Security, fraud prevention, abuse detection | Creators & Buyers | Legitimate interests; Legal obligation |
| Analytics and product improvement (no ads, no cookies) | Aggregated / limited data | Legitimate interests |
We do not sell personal data or use it for third-party advertising.
5) Service providers (Processors / Independent Controllers)
All services are configured for EU hosting/data residency where available.
| Service | Role | Purpose |
|---|---|---|
| Stripe (Managed Payments) | Merchant of Record / Independent controller | Subscription billing for Creators |
| Stripe Connect | Independent controller | Buyer payments and payouts to Creators |
| PostHog (EU) | Processor | Cookie-less analytics, EU data residency |
| ZeptoMail (Zoho) (EU) | Processor | Transactional / notification emails for platform & Creator-initiated delivery emails |
| Svix | Processor | Webhook infrastructure for Creator-enabled integrations (optional) |
| Google (Calendar & Meet) | Independent controller | Calendar integration for coaching session bookings (Creator opt-in) |
| Cloud infrastructure (e.g., EU hosting, storage, CDN) | Processor | Hosting of application and stored content in the EU |
Where IndieStand acts as processor for a Creator (e.g., storing Buyer details for content delivery/support), we process data only under the Creator's instructions.
5A) Third-party integrations
Creators may enable optional integrations to extend the functionality of their stores. When enabled, these integrations process data as described below:
Webhooks (powered by Svix)
Creators can configure webhooks to receive real-time notifications about events in their store (e.g., new orders, refunds). Webhook payloads are processed and delivered by Svix, our webhook infrastructure provider.
- Data processed: Order information including product details, amounts, customer email, payment status, and timestamps
- Purpose: Enable Creators to integrate IndieStand with external systems and automate workflows
- Svix's role: Processor acting on behalf of IndieStand
- Data residency: Svix infrastructure (see Svix's privacy policy for details)
- Legal basis: Contract (enabling Creator-requested functionality), Legitimate interests
Creators control which events trigger webhooks and which endpoints receive the data. IndieStand and Svix do not use webhook data for any purpose other than reliable delivery to the Creator's specified endpoints.
Google Calendar Integration
Creators selling coaching sessions can connect their Google Calendar to automatically:
- Generate calendar invites for booked coaching sessions
- Create Google Meet (Hangouts) links for video calls
- Manage availability and prevent double-bookings
Required permissions:
- List calendars: To display available calendars for the Creator to select
- Create events: To add coaching session bookings to the Creator's calendar
- Access calendar data: To check availability and prevent scheduling conflicts
Data processed:
- Creator's calendar availability
- Buyer name and email (added as event attendees)
- Session date, time, and duration
- Meeting links generated by Google Meet
Google's role: Independent controller for Google Calendar and Meet services
Legal basis: Contract (Creator-requested feature), Legitimate interests
Control: Creators can disconnect Google Calendar integration at any time from their integration settings. Disconnecting will prevent new calendar events from being created but will not delete existing events.
IndieStand accesses Google Calendar data only to perform the specific functions requested by the Creator (creating booking events). We do not access, store, or process calendar data for any other purpose.
6) Sharing of Buyer data with Creators
When a Buyer purchases from a Creator's store, we share the following with that specific Creator to fulfill the order and for legitimate business purposes related to the purchase:
- Buyer name, email, country
- Order metadata (product, price, currency, timestamps)
- Access/delivery status needed to provide the digital goods
Marketing use by the Creator requires a valid legal basis (typically consent) under applicable laws. IndieStand does not grant Creators permission to send unsolicited marketing to Buyers without such a basis. Creators are responsible for their own compliance when contacting Buyers.
7) Emails & communications
- We use ZeptoMail to send: account emails, security events, receipts, and delivery/fulfillment notifications.
- Creators may trigger transactional emails to Buyers (e.g., "new version available"). Marketing emails require Buyer consent (where required).
- You can manage Creator marketing preferences via links provided by the Creator or by contacting them directly. IndieStand can relay opt-out requests to a Creator upon request.
8) Data retention
We keep personal data only as long as necessary for:
- Contract performance (e.g., access to purchases),
- Legal obligations (e.g., tax/accounting retention periods),
- Dispute resolution and fraud prevention.
Upon account closure or valid deletion request, we delete or irreversibly anonymize data unless retention is legally required.
9) Security
We implement appropriate technical and organizational measures, including:
- Encryption in transit (HTTPS)
- Access controls and least-privilege principles
- Audit logs and monitoring
- Regular backups
No system can be 100% secure, but we work to continuously improve our safeguards.
10) International transfers
Our services and data are hosted in the EU. If exceptional sub-processing requires transfer outside the EEA, we use recognized safeguards (e.g., SCCs) and implement supplementary measures where appropriate.
11) Your rights (GDPR)
You may have the right to:
- Access your data
- Rectify inaccurate data
- Erase your data (subject to legal retention)
- Restrict or object to processing
- Port your data in a machine-readable format
- Creators: contact us at support@indiestand.com.
- Buyers: for store-specific processing performed on behalf of a Creator, please contact the Creator first. We will assist as processor where applicable. For processing we control (e.g., platform logs), contact IndieStand.
You also have the right to lodge a complaint with your local supervisory authority.
12) Children's data
IndieStand is not intended for children under 16. We do not knowingly collect data from minors.
13) Lawful basis notes specific to you
- Creators: Your PII (name, email, country) is collected to provide the IndieStand service and manage your subscription via Stripe Managed Payments.
- Buyers: Your PII (name, email, country) is processed to enable the Creator to deliver content, provide support, and meet legal obligations. Payment details are handled directly by Stripe.
14) Changes to this policy
We may update this policy from time to time. We will post the latest version here and update the "Last updated" date.
15) Contact
Questions or requests about this policy or your data?
IndieStand
Email: support@indiestand.com