Privacy Policy

Last updated: March 16, 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Sai Y

Munich, Germany

Email: info@indiedevboard.com

2. What Data We Collect

When you use IndieDevBoard, we may collect the following data:

  • Account data: Email address, display name, profile photo (provided voluntarily)
  • Project data: Projects, tasks, images, 3D models, notes, moodboards, design documents, presentations, and chat messages you create
  • Payment data: Processed by Stripe Inc. We do not store credit card numbers. We store your Stripe customer ID and subscription status.
  • GitHub data: If you connect your GitHub account, we store your GitHub OAuth access token (encrypted with AES-256-GCM), your GitHub username, and repository link metadata (repo name, owner). We do not store your GitHub code, commits, issues, or other repository content — these are fetched in real time from GitHub's API and displayed only to you.
  • Usage data: Pages visited, features used, and error logs for improving the service
  • Technical data: IP address, browser type, device type (collected automatically by our hosting provider)

3. Legal Basis for Processing (Art. 6 GDPR)

  • Art. 6(1)(b) GDPR: Processing necessary for the performance of our contract with you (providing the service)
  • Art. 6(1)(a) GDPR: Your consent (e.g., optional email notifications)
  • Art. 6(1)(f) GDPR: Our legitimate interest in improving the service and preventing fraud

4. Data Storage & Hosting

Your data is stored using Google Firebase (Google Cloud Platform). Your core account data, project data, and personal information are stored on servers in the European Union (eur3 region — Belgium/Netherlands) using Google Cloud Firestore. Uploaded files such as images, avatars, and documents may be stored on Google Cloud Storage servers located in the United States. Google Cloud is certified under the EU-US Data Privacy Framework and provides Standard Contractual Clauses (SCCs) for international data transfers, ensuring GDPR-compliant handling of all data regardless of storage location. For more information, see the Firebase Privacy & Security documentation.

5. Payment Processing

Payments are processed by Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. Stripe processes your payment information in accordance with their Privacy Policy. We never have access to your full credit card number.

6. Third-Party Services

We use the following third-party services to provide and improve IndieDevBoard:

  • Google Firebase: Authentication, database, and file storage (see section 4)
  • Stripe Inc.: Payment processing (see section 5)
  • GitHub (Microsoft): Optional integration for issue sync and repository browsing. When you connect GitHub, we store an encrypted OAuth access token to make API requests on your behalf. You can disconnect GitHub at any time in Settings, which deletes the stored token.
  • Resend: Transactional emails (welcome emails, notifications). We share only your email address and display name with Resend for the purpose of sending emails. See their Privacy Policy.

7. Cookies

IndieDevBoard uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Your Rights (Art. 15-21 GDPR)

You have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request information about your stored data
  • Right to rectification (Art. 16): You can correct inaccurate data via your profile settings
  • Right to erasure (Art. 17): You can delete your account and all associated data in your profile settings
  • Right to data portability (Art. 20): You can export your data in JSON format via Settings > Privacy > Export My Data
  • Right to restrict processing (Art. 18): You can request restriction of processing by contacting us
  • Right to object (Art. 21): You can object to processing based on legitimate interests
  • Right to withdraw consent: You can withdraw consent at any time (e.g., privacy preferences in Settings)

9. Data Retention

We retain your data for as long as your account is active. When you delete your account, all personal data and project data are permanently deleted. Payment records may be retained for up to 10 years as required by German tax law (AO §147).

10. Data Security

All data is transmitted via TLS/SSL encryption. Data at rest is encrypted by Google Firebase. Sensitive credentials (such as GitHub OAuth tokens) are encrypted with AES-256-GCM before storage. Access to user data is restricted to authorized personnel and only occurs when necessary to provide customer support, resolve technical issues, or ensure the security and integrity of the service. We implement rate limiting, input sanitization, and other security measures to protect your data.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of significant changes via email or an in-app notification. The current version is always available on this page.

13. Contact

For privacy-related inquiries, please contact us at info@indiedevboard.com.